Advanced

Self-host a proxy

Deploy your own nginx reverse proxy in front of Meridian for custom rate limiting, IP filtering, and traffic shaping — without touching the dashboard.

Why self-host a proxy?

Meridian already includes built-in rate limiting and abuse detection. A self-hosted proxy gives you an additional layer you fully control — useful when you need per-IP burst windows, custom deny lists, or geo-blocking that sits outside the application.

Reference nginx configuration

The config below assumes nginx ≥ 1.18 with the ngx_http_limit_req_module compiled in (default on most distributions). Replace YOUR_DOMAIN with your actual Meridian hostname.

# /etc/nginx/sites-available/meridian-proxy

# Shared rate-limit zone — 10 req/s per IP with burst
limit_req_zone $binary_remote_addr
  zone=meridian_limit:10m rate=10r/s;

# Connection limit zone
limit_conn_zone $binary_remote_addr
  zone=meridian_conn:10m;

upstream meridian_backend {
  server YOUR_DOMAIN:443;
  keepalive 32;
}

server {
  listen 443 ssl http2;
  server_name proxy.yourdomain.com;

  ssl_certificate     /etc/ssl/certs/proxy.pem;
  ssl_certificate_key /etc/ssl/private/proxy.key;
  ssl_protocols       TLSv1.2 TLSv1.3;
  ssl_ciphers         HIGH:!aNULL:!MD5;

  # Global rate limit
  limit_req  zone=meridian_limit burst=20 nodelay;
  limit_conn meridian_conn 50;

  location / {
    proxy_pass https://meridian_backend;

    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For
      $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Timeouts
    proxy_connect_timeout 10s;
    proxy_send_timeout    30s;
    proxy_read_timeout    30s;

    # Buffer responses
    proxy_buffering on;
    proxy_buffer_size  4k;
    proxy_buffers      8 16k;
  }

  # Health check endpoint
  location /health {
    access_log off;
    # Set the type with default_type; add_header would send a second Content-Type header
    default_type text/plain;
    return 200 "ok\n";
  }
}

Deploy & verify

  1. Copy the config to your server and run nginx -t to validate syntax.
  2. Reload with systemctl reload nginx.
  3. Point your DNS A/AAAA record for proxy.yourdomain.com to the proxy server.
  4. Send a burst of requests with wrk or hey — you should see 503 responses once the rate limit kicks in.
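To know what numbers to expect from the burst test in step 4, the following added example (not part of the original guide, and not nginx or Meridian code) is a simplified model of the leaky-bucket accounting that limit_req applies per $binary_remote_addr with rate=10r/s, burst=20 and nodelay. It assumes the proxy sees each client's real address; limit_conn and network timing are not modelled, and the client IPs are constructed sample values.

```python
from collections import Counter

RATE_R_S = 10   # rate=10r/s from limit_req_zone
BURST = 20      # burst=20 from limit_req (nodelay: accepted requests are not queued)


def simulate(requests, rate=RATE_R_S, burst=BURST):
    """requests: list of (time_ms, client_ip), sorted by time.
    Returns one status per request: 200 (forwarded) or 503 (rate limited)."""
    state = {}      # ip -> (excess in milli-requests, time of last accepted request)
    statuses = []
    for now_ms, ip in requests:
        if ip not in state:                 # first request creates the zone entry
            state[ip] = (0, now_ms)
            statuses.append(200)
            continue
        excess, last_ms = state[ip]
        elapsed = max(0, now_ms - last_ms)
        # Drain at `rate` requests/s, then charge this request (1000 milli-requests).
        excess = max(0, excess - rate * elapsed + 1000)
        if excess > burst * 1000:
            statuses.append(503)            # rejected; the entry is left unchanged
            continue
        state[ip] = (excess, now_ms)
        statuses.append(200)
    return statuses


def tally(requests, **kw):
    """Per-client Counter of response statuses."""
    out = {}
    for (_, ip), status in zip(requests, simulate(requests, **kw)):
        out.setdefault(ip, Counter())[status] += 1
    return out


# Constructed sample traffic: one client fires 50 requests at once and then
# one request every 100 ms; a second client sends a single request.
SAMPLE = (
    [(0, "198.51.100.7")] * 50
    + [(0, "203.0.113.9")]
    + [(100 * i, "198.51.100.7") for i in range(1, 6)]
)

if __name__ == "__main__":
    for ip, counts in tally(SAMPLE).items():
        print(ip, dict(counts))
```

In this model an instantaneous burst from one address gets burst + 1 = 21 requests through before 503s start, and the second client is unaffected because the zone is keyed per IP.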

Note: This proxy sits in front of Meridian's own infrastructure. It does not replace Meridian's built-in protections — it adds a programmable layer you own. For advanced setups (WAF rules, JWT validation at the edge), see the advanced edge guide.