Set the public URL in .env so NextAuth knows what hostname to trust:
# .env
AUTH_URL=https://kerno.yourdomain.com
AUTH_TRUST_HOST=true
Then update the Google OAuth redirect URI to https://kerno.yourdomain.com/api/auth/callback/google in Google Cloud Console.
nginx
Kerno uses Server-Sent Events for live activity, dashboard streams, and notifications. The two SSE-relevant lines are proxy_buffering off and proxy_read_timeout 24h — without them, streams stall.
# /etc/nginx/sites-available/kerno
server {
listen 443 ssl http2;
server_name kerno.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/kerno.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/kerno.yourdomain.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSE endpoints — keep connections alive
proxy_buffering off;
proxy_read_timeout 24h;
}
}
Caddy
kerno.yourdomain.com {
reverse_proxy 127.0.0.1:3000 {
flush_interval -1
}
}
Cloudflare Tunnel
Run cloudflared tunnel on the host. In the tunnel config map kerno.yourdomain.com → http://localhost:3000. SSE works out of the box. Don't enable Cloudflare's caching for any path under the tunnel hostname.