HTTPS and networking
The normal layout is:
clients → HTTPS :443 → Caddy → HTTP 127.0.0.1:7770 → vsync-server
Create a DNS record such as builds.example.com pointing at the VPS. Allow
ports 80 and 443 through the firewall, but do not allow public access to port
7770.
Caddy configuration
builds.example.com {
reverse_proxy 127.0.0.1:7770
request_body {
max_size 256MB
}
}
Reload Caddy and verify the public endpoint:
sudo systemctl reload caddy
curl https://builds.example.com/healthz
Caddy obtains and renews the TLS certificate automatically when DNS and ports 80/443 are correct.
Private-network alternative
For a server that must not be reachable from the public internet, place the
server and every client on a private network such as Tailscale. Bind Vsync to
the private interface and use the private address as VSYNC_SERVER.
Tokens are still required. If you use plain HTTP on a trusted private network, remember that production desktop updater and browser security features may still require HTTPS for their own endpoints.
Webhooks
When webhook is configured, the server posts build publications and stream
moves to that incoming webhook. Treat the webhook URL like a credential: limit
who can read the server configuration and rotate the URL if it leaks.