Production Deployment

For production environments, it is highly recommended to run VideoCMS behind a reverse proxy to handle SSL termination, compression, and static file serving.

Reverse Proxy Options

Resumable Upload Proxy Requirements

VideoCMS implements tus uploads inside the Go API. Reverse proxies do not need custom upload routing, but they must pass the tus methods POST, HEAD, PATCH, DELETE, and OPTIONS to /api/uploads.

Set the proxy body limit for /api/uploads to at least MaxUploadChunkSize, not the full maximum file size. If uploads repeatedly fail with ERR_UNEXPECTED_EOF, the most common causes are a proxy closing the PATCH body early, browser/network interruption, or a chunk size larger than the proxy allows.

Set BaseUrl to the public URL users open in the browser, including https:// in production. The reverse proxy should pass the original Host and X-Forwarded-Proto headers as shown above. VideoCMS normalizes tus upload Location headers before returning them, but correct BaseUrl and proxy headers keep browser resume URLs and diagnostics consistent.

SSL Certificates

If you are not using Caddy (which handles SSL automatically) or Cloudflare, you must secure your instance with SSL.

Certbot: Use certbot on your host machine to generate certificates for your domains.
Mount Certificates: Mount the certificate files into your Nginx container and update the Nginx config to listen on port 443 and use the certificates.

Player embeds on other websites require HTTPS. Browsers only send cross-site player media cookies when they are marked SameSite=None; Secure, and the Secure attribute requires HTTPS.

Direct media file URLs are not standalone access links. Open or embed /v/:UUID first so VideoCMS can issue the short-lived media cookie for that video.

Mandatory Post-Deployment Security

Deploying the containers is only the first step. You must perform these actions immediately after your first login to ensure your server is not compromised.

1. Change Secret Keys

By default, the application might use insecure or placeholder keys for signing session tokens.

Navigate to Settings (/my/config).
Change JwtSecretKey and JwtMediaSecretKey to long, random strings.
Restart the containers after saving.

2. Trust Reverse Proxy (IP Identification)

To ensure VideoCMS correctly identifies the visitor's IP address (important for logs and rate-limiting), you must enable TrustLocalTraffic in the settings.

Navigate to Settings (/my/config).
Set TrustLocalTraffic to true.
Without this, all users will appear to have the internal IP of your Caddy/Nginx container.

3. Change Admin Password

The default admin credentials (admin / 12345678) are public knowledge. Change them immediately upon your first login.

For a comprehensive list of security measures, including firewall configuration and secret key management, please refer to the Post-Installation Security guide.

Production Deployment ​

Reverse Proxy Options ​

Resumable Upload Proxy Requirements ​

SSL Certificates ​

Mandatory Post-Deployment Security ​

1. Change Secret Keys ​

2. Trust Reverse Proxy (IP Identification) ​

3. Change Admin Password ​