search

Reverse proxies

Configure NGINX (and similar proxies) for CrossWatch with correct webhook and WebSocket settings.

Use a reverse proxy for TLS and clean URLs.

Keep CrossWatch on HTTP behind the proxy.

circle-exclamation

Do not expose CrossWatch directly to the public internet.

Use a VPN for remote access (WireGuard, Tailscale).

hashtag
Proxy requirements

CrossWatch runs on FastAPI + Uvicorn.

Your proxy must:

  • Forward client headers (X-Forwarded-*).

  • Support WebSocket upgrades.

  • Pass /webhook/* requests through unchanged.

  • Use longer timeouts for long-lived connections.

If you add proxy auth, keep /webhook/* reachable.

hashtag
NGINX example

Typical setup:

  • Public: https://crosswatch.example.com

  • Upstream: http://127.0.0.1:8787

circle-info

Use a subdomain.

Avoid hosting under a sub-path like /crosswatch/.

hashtag
If CrossWatch runs in Docker

Point proxy_pass to the container on a user-defined Docker network.

Example:

  • NGINX container: nginx

  • CrossWatch container: crosswatch

  • Network: proxy

Use:

  • proxy_pass http://crosswatch:8787;

hashtag
Webhooks and Watcher (important)

CrossWatch exposes inbound webhook endpoints.

See:

hashtag
Webhooks (inbound)

Your proxy must:

  • Allow POST to /webhook/*.

  • Not rewrite the path.

  • Not block unknown content types.

    • Plex can send form-style payloads.

    • Jellyfin/Emby plugins usually send JSON.

circle-exclamation

If you publish webhook endpoints as https://..., use a publicly trusted certificate.

Self-signed TLS certificates commonly break webhook delivery for Plex, Emby, and Jellyfin.

Use Let’s Encrypt (or similar) at the reverse proxy.

If you put CrossWatch behind login, do one of these:

  1. Exempt /webhook/* from auth.

  2. IP-allowlist your media server's IP for /webhook/*.

  3. Keep webhooks LAN-only. Do not proxy them.

circle-exclamation

Your media server must reach your public DNS name from inside your LAN.

If it cannot, webhooks will fail.

Fix hairpin NAT. Or use a LAN hostname/IP.

hashtag
Watcher (outbound)

Watcher mostly makes outbound calls to Plex/Jellyfin/Emby.

Reverse proxying CrossWatch is not required for Watcher itself.

One exception:

  • Plex "ratings" helper uses: POST /webhook/plexwatcher

If you enable Plex ratings, your proxy must allow that endpoint.

hashtag
Common proxy problems

hashtag
413 Request Entity Too Large

Increase client_max_body_size.

hashtag
502 / 504 / random disconnects

Increase timeouts:

  • NGINX: proxy_read_timeout / proxy_send_timeout

hashtag
WebSocket errors (UI features not updating)

Forward upgrade headers:

  • proxy_set_header Upgrade $http_upgrade;

  • proxy_set_header Connection "upgrade";

hashtag
Wrong scheme (HTTP/HTTPS) in callbacks or redirects

Send:

  • X-Forwarded-Proto $scheme

If you terminate TLS at the proxy, CrossWatch should still behave as HTTPS to clients.

hashtag
Related topics

  • HTTPS/TLS (TLS options and why the proxy approach is recommended)

  • Docker setup (ports, volumes, restart policy)

PreviousStandalone ScriptsNextTrackers vs. Media Servers

Last updated