nginx HTTPS reverse proxy for PicoClaw

When PicoClaw listens on HTTP locally, nginx is the usual way to add Let’s Encrypt certificates, sane timeouts, and basic protection before traffic hits your assistant or API.

1. Typical layout

  • nginx binds 443 on a public IP or LAN interface.
  • proxy_pass forwards to 127.0.0.1:PORT where PicoClaw runs.
  • Certbot (or acme.sh) renews certificates on a timer.

2. Hardening basics

Add rate limits for anonymous webhook paths, restrict admin routes by IP or mTLS if needed, and forward only the headers PicoClaw expects. See Security for workspace and sandbox notes.
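
The layout from section 1 and the hardening points above, combined into one server block. This is an added example, not configuration shipped by PicoClaw: the hostname assistant.example.com, port 8080, the /webhook/ and /admin/ paths, the 192.168.1.0/24 range and the timeout and rate values are all assumptions to replace with your own.

```nginx
# Added example. Loaded inside the http {} context (e.g. conf.d/picoclaw.conf).
# Per-client-IP request budget for anonymous webhook traffic (rate is assumed).
limit_req_zone $binary_remote_addr zone=picoclaw_hooks:10m rate=10r/s;

upstream picoclaw {
    server 127.0.0.1:8080;            # assumed local PicoClaw port
}

server {
    listen 80;
    server_name assistant.example.com;    # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name assistant.example.com;

    # Standard Certbot paths for the assumed hostname.
    ssl_certificate     /etc/letsencrypt/live/assistant.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/assistant.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    proxy_connect_timeout 5s;
    proxy_read_timeout    120s;       # assumed; size to the slowest expected reply

    # Set at server level so every location inherits them. Values are
    # overwritten, not appended, so a client cannot supply its own.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Forwarded         "";    # empty value drops the header

    location /webhook/ {              # assumed anonymous webhook path
        limit_req zone=picoclaw_hooks burst=20 nodelay;
        limit_req_status 429;
        proxy_pass http://picoclaw;
    }

    location /admin/ {                # assumed admin path
        allow 192.168.1.0/24;         # assumed trusted LAN range
        deny  all;
        proxy_pass http://picoclaw;
    }

    location / {
        proxy_pass http://picoclaw;
    }
}
```

Adding any proxy_set_header inside a location stops that location from inheriting the server-level set, so repeat the full list there if one is needed. Run nginx -t before reloading.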

3. Docker and homelab

If PicoClaw runs in Compose, put nginx in the same user-defined network and proxy to the service name. See Docker Compose and Docker homelab.

4. Related guides