Deploy the client proxy using a pre-built Docker image. Nginx is configured automatically from environment variables — no manual config editing required. For a manual nginx approach, see Manual Setup .
Prerequisites
Docker and Docker Compose installed
Network connectivity to the UAE KYC backend (via VPN/tunnel or public IP whitelisting)
Docker Compose File Obtain the custom nginx Docker image from the Nexus repository provided by the UAE KYC team.
Replace your-registry.com/uaekyc-nginx:latest in the file below with the actual Nexus registry URL provided by the UAE KYC team.
Create the following docker-compose.yml in your project directory:
services : nginx : # Pre-built image from your registry # Replace 'your-registry.com/uaekyc-nginx:latest' with actual image location image : your-registry.com/uaekyc-nginx:latest container_name : uaekyc-nginx restart : unless-stopped # Environment variables from .env file env_file : - .env # Ports ports : - "80:80" - "443:443" # Volume mounts volumes : # Logs (Required) # IMPORTANT: Create this directory before starting: mkdir -p logs && chmod 777 logs - ./logs:/var/log/nginx # Cache (Required) - ./cache:/cache # SSL Certificates (Required if ENABLE_SSL=true) # Mount exact files - replace with your actual domain names # Do not change the target paths, change only the source paths - ./ssl/api.crt:/etc/nginx/ssl/api.crt:ro - ./ssl/api.key:/etc/nginx/ssl/api.key:ro - ./ssl/dash.crt:/etc/nginx/ssl/dash.crt:ro - ./ssl/dash.key:/etc/nginx/ssl/dash.key:ro - ./ssl/sdk.crt:/etc/nginx/ssl/sdk.crt:ro - ./ssl/sdk.key:/etc/nginx/ssl/sdk.key:ro # Custom nginx configurations (Optional - for advanced customization) # Uncomment and create files to add custom nginx directives # - ./custom/http-custom.conf:/etc/nginx/custom/http-custom.conf:ro # HTTP-level config # - ./custom/api-custom.conf:/etc/nginx/custom/api-custom.conf:ro # API domain config # - ./custom/dash-custom.conf:/etc/nginx/custom/dash-custom.conf:ro # Dashboard domain config # - ./custom/sdk-custom.conf:/etc/nginx/custom/sdk-custom.conf:ro # SDK domain config # Health check healthcheck : test : [ "CMD" , "curl" , "-f" , "http://127.0.0.1/health" ] interval : 30s timeout : 3s retries : 3 start_period : 10s # Resource limits (adjust based on your needs) deploy : resources : limits : cpus : '2' memory : 512M reservations : cpus : '0.5' memory : 128M # Network configuration networks : - nginx-network # Logging configuration logging : driver : "json-file" options : max-size : "10m" max-file : "3" networks : nginx-network : driver : bridge
Quick Start
Create your .env file from the template and set the required variables:
# Your proxy domains API_DOMAIN = uaekyc-api.yourbank.ae DASH_DOMAIN = uaekyc-dash.yourbank.ae SDK_DOMAIN = uaekyc-sdk.yourbank.ae # Backend addresses (see Backend Connectivity below) BACKEND_API_ADDR = https://api.example.com BACKEND_DASH_ADDR = https://dash.example.com BACKEND_API_HOST = api.example.com BACKEND_DASH_HOST = dash.example.com
mkdir -p logs cache ssl && chmod 777 logs docker compose up -d docker compose ps curl -f http://127.0.0.1/health Environment Variables Copy .env.example to .env and customize. All variables are listed below.
Required Variable Description Example API_DOMAINYour public API domain uaekyc-api.yourbank.aeDASH_DOMAINYour dashboard domain uaekyc-dash.yourbank.aeSDK_DOMAINYour SDK domain uaekyc-sdk.yourbank.aeBACKEND_API_ADDRBackend API address (IP or URL) https://api.example.comBACKEND_DASH_ADDRBackend dashboard address (IP or URL) https://dash.example.comBACKEND_API_HOSTHost header for API backend api.example.comBACKEND_DASH_HOSTHost header for dashboard backend dash.example.com
Optional Variable Default Description ENABLE_SSLfalseEnable HTTPS SSL_PROTOCOLSTLSv1.3Allowed SSL/TLS protocols RATELIMIT_API_DOMAIN20r/sAPI domain rate limit RATELIMIT_DASH_DOMAIN20r/sDashboard domain rate limit RATELIMIT_SDK_DOMAIN20r/sSDK domain rate limit RATELIMIT_GENERAL60r/sGlobal rate limit RATELIMIT_API20r/sAPI-specific rate limit RATELIMIT_HEALTH1r/sHealth endpoint rate limit RATELIMIT_STRICT1r/sStrict rate limit CLIENT_MAX_BODY_SIZE_API_DOMAIN10MAPI max request body size CLIENT_MAX_BODY_SIZE_DASH_DOMAIN10MDashboard max request body size CLIENT_MAX_BODY_SIZE_SDK_DOMAIN10MSDK max request body size CLIENT_MAX_BODY_SIZE_GLOBAL100MGlobal max request body size WORKER_PROCESSESautoNginx worker processes WORKER_CONNECTIONS1024Connections per worker GZIP_COMP_LEVEL6Gzip compression level (1–9) PROXY_CONNECT_TIMEOUT60sProxy connect timeout PROXY_SEND_TIMEOUT60sProxy send timeout PROXY_READ_TIMEOUT300sProxy read timeout CACHE_MAX_SIZE1gProxy cache max size CACHE_INACTIVE60mCache inactive expiry ERROR_LOG_LEVELerrorNginx error log level
Backend Connectivity The proxy supports two connectivity modes depending on your network setup.
Use this when there is no tunnel. The backend domains are publicly reachable and your client IP has been whitelisted by the UAE KYC team. BACKEND_API_ADDR = https://api.example.com BACKEND_DASH_ADDR = https://dash.example.com BACKEND_API_HOST = api.example.com BACKEND_DASH_HOST = dash.example.com
Variable Purpose BACKEND_API_ADDRResolves to the real backend IP via public DNS BACKEND_API_HOSTSets the correct Host header (same as the domain in this case)
Use this when your organization has a VPN or tunnel to the UAE KYC infrastructure. The backend is reachable via a private IP. BACKEND_API_ADDR = http://10.0.0.2 BACKEND_DASH_ADDR = http://10.0.0.2 BACKEND_API_HOST = api.example.com BACKEND_DASH_HOST = dash.example.com
Variable Purpose BACKEND_API_ADDR / BACKEND_DASH_ADDRWhere nginx sends the traffic (proxy_pass target) BACKEND_API_HOST / BACKEND_DASH_HOSTThe Host header sent to the backend so it knows which service is being requested
SSL / HTTPS Controlled by a single variable:
ENABLE_SSL = false # HTTP only (default) ENABLE_SSL = true # HTTPS enabled
When ENABLE_SSL=true, place your certificate files in the ssl/ directory. The target paths inside the container are fixed — only the source paths on your host change:
volumes : - ./ssl/api.crt:/etc/nginx/ssl/api.crt:ro - ./ssl/api.key:/etc/nginx/ssl/api.key:ro - ./ssl/dash.crt:/etc/nginx/ssl/dash.crt:ro - ./ssl/dash.key:/etc/nginx/ssl/dash.key:ro - ./ssl/sdk.crt:/etc/nginx/ssl/sdk.crt:ro - ./ssl/sdk.key:/etc/nginx/ssl/sdk.key:ro
SSL protocol defaults to TLSv1.3, configurable via:
After placing certificates, restart:
Optional Configuration
# Per-domain rate limits RATELIMIT_API_DOMAIN = 20r/s RATELIMIT_DASH_DOMAIN = 20r/s RATELIMIT_SDK_DOMAIN = 20r/s # Global rate limits RATELIMIT_GENERAL = 60r/s RATELIMIT_API = 20r/s
Format: {number}r/{s|m|h|d} where s=second, m=minute, h=hour, d=day.
CLIENT_MAX_BODY_SIZE_API_DOMAIN = 10M CLIENT_MAX_BODY_SIZE_DASH_DOMAIN = 10M CLIENT_MAX_BODY_SIZE_SDK_DOMAIN = 10M CLIENT_MAX_BODY_SIZE_GLOBAL = 100M
PROXY_CONNECT_TIMEOUT = 60s PROXY_SEND_TIMEOUT = 60s PROXY_READ_TIMEOUT = 300s
CACHE_MAX_SIZE = 1g CACHE_INACTIVE = 60m
Custom Nginx Directives For advanced use cases (extra headers, rewrites, upstream tweaks), custom nginx directives can be injected per-service via volume mounts. All four files are pre-created empty inside the image and are completely optional.
Uncomment the relevant lines in docker-compose.yml:
volumes : - ./custom/http-custom.conf:/etc/nginx/custom/http-custom.conf:ro # HTTP-level (global) - ./custom/api-custom.conf:/etc/nginx/custom/api-custom.conf:ro # API domain only - ./custom/dash-custom.conf:/etc/nginx/custom/dash-custom.conf:ro # Dashboard domain only - ./custom/sdk-custom.conf:/etc/nginx/custom/sdk-custom.conf:ro # SDK domain only
Create a file and add valid nginx directives:
mkdir -p custom echo 'add_header X-Custom-Header "value";' > custom/api-custom.conf docker compose restart
