Appearance

Reverse Proxy

OpenTask runs on port 3000 by default. Set AUTH_URL to your public URL when running behind a reverse proxy:

yaml
# docker-compose.yml
environment:
  AUTH_URL: https://tasks.example.com

Caddy 

tasks.example.com {
    reverse_proxy localhost:3000
}

Caddy automatically handles SSE (Server-Sent Events) without additional configuration.

Nginx

nginx
server {
    server_name tasks.example.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for Server-Sent Events (SSE)
        proxy_buffering off;
        proxy_cache off;
    }
}

INFO

OpenTask uses Server-Sent Events for real-time cross-device updates. Make sure your reverse proxy does not buffer responses — Caddy handles this automatically, but Nginx needs proxy_buffering off.

Reverse Proxy Header Auth

If you run an auth proxy like Authelia, Authentik, or Caddy's forward_auth, OpenTask can trust the authenticated username from a request header — no separate login required.

Set OPENTASK_PROXY_AUTH_HEADER to the header name your proxy uses:

yaml
# docker-compose.yml
environment:
  OPENTASK_PROXY_AUTH_HEADER: Remote-User  # or X-Forwarded-User, X-Auth-User, etc.

The header value must match an existing OpenTask username (case-insensitive). Users are not auto-created — create them first with scripts/create-user.ts.

DANGER

Your reverse proxy must strip this header from external requests before forwarding. If external clients can set this header directly, they can authenticate as any user.