
Custom domain + free HTTPS (TLS) for PocketBase

In Part 1 we deployed PocketBase on AWS EC2 with Docker.

Now, let's put it behind NGINX and enable TLS certificates using Let's Encrypt.

Time: ~10–15 min.

What this will cover:

  • Domain pointing to the server (api.example.com → )
  • NGINX reverse proxy + Let's Encrypt TLS

This post is the second in a four-part series on deploying and extending PocketBase.

Here are the 4 articles:

  • Part 1: Deploy PocketBase on AWS with Docker
  • Part 2: Custom domain + free HTTPS (TLS) <= **We are here**
  • Part 3: S3 storage, email setup, and automated backups
  • Part 4: Integrating Cloudflare Functions to handle advanced logic or external APIs, a faster way to extend PocketBase without modifying its core or waiting for rebuilds

Once all four parts are live, you'll have a complete, production-ready PocketBase setup with a clean path for future extensions.

Deploying PocketBase manually is simple… until you do it three times.

In this series, I'll show the full manual setup and you will understand why it's worth automating.


Step 1: Point from your domain to PocketBase

  1. Get your EC2 instance's public IP
  2. Go to your favorite DNS provider (Cloudflare, Porkbun, etc.) and create a new record pointing to the EC2 IP
  3. Test in your terminal whether the new record has already propagated

    curl http://pb.example.com:8080/api/health

    This should return: {"message":"API is healthy.","code":200,"data":{}}

Step 2: Get NGINX running!

  1. Install NGINX

    sudo apt update
    sudo apt install -y nginx

  2. Create your NGINX config file

    # Webroot for Let's Encrypt HTTP-01 challenge files
    sudo mkdir -p /var/www/certbot
    sudo tee /etc/nginx/sites-available/pb.conf >/dev/null <<'NGINX'
    server {
      listen 80;
      server_name pb.example.com;
    
      # Serve ACME challenge files directly instead of proxying them
      location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
      }
    
      location / {
        # Pass the original host, client IP and scheme to PocketBase
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    
        # WebSocket support (the Upgrade handshake requires HTTP/1.1 to the upstream)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    
        # Keep long-lived connections open
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    
        # PocketBase is reached over loopback only
        proxy_pass http://127.0.0.1:8080;
      }
    }
    NGINX
    # -f makes the symlink step safe to re-run
    sudo ln -sf /etc/nginx/sites-available/pb.conf /etc/nginx/sites-enabled/
    # Validate the config before reloading
    sudo nginx -t && sudo systemctl reload nginx

  3. Test that PocketBase is accessible on the domain

    curl http://pb.example.com

Step 3: Enable HTTPS with Let's Encrypt

  1. Install certbot and run it

    sudo apt install -y certbot python3-certbot-nginx
    sudo certbot --nginx -d pb.example.com --email you@example.com --agree-tos --redirect

  2. Close the port opened in the previous tutorial: navigate to the security group settings, edit the inbound rules to remove port 8080, and confirm removal of the port 8080 rule
  3. Test it: go to https://pb.example.com/_/ and use your login/password
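
To confirm all three outcomes of the steps above (HTTP redirects to HTTPS, the certificate validates, port 8080 is no longer reachable), here is a check script added as an example; it is not part of the original tutorial. The script name verify.sh and the HOST variable are assumptions, and it is meant to be run from your own machine, not from the server.

```shell
#!/bin/sh
# Added example: post-setup checks for the NGINX + Let's Encrypt steps above.
# Run from your workstation as: HOST=pb.example.com sh verify.sh run
# HOST and the script name verify.sh are placeholders, not from the article.
HOST="${HOST:-pb.example.com}"

# Plain HTTP must answer with a redirect to https:// on the same host,
# which is what certbot's --redirect option configures in NGINX.
is_https_redirect() {  # $1=status  $2=Location URL  $3=expected host
  case "$1" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$2" in "https://$3"|"https://$3/"*) return 0 ;; *) return 1 ;; esac
}

# The body must be PocketBase's health JSON (as shown in Step 1), not an
# NGINX error page such as 502 Bad Gateway.
is_healthy() {  # $1=response body
  printf '%s' "$1" | grep -q '"code":200'
}

# After the security-group rule is removed, a direct probe of :8080 must fail
# to connect: curl exit code 7 (connection refused) or 28 (timed out).
is_port_closed() {  # $1=curl exit code
  [ "$1" -eq 7 ] || [ "$1" -eq 28 ]
}

run_checks() {
  fail=0
  out=$(curl -s -o /dev/null -m 10 -w '%{http_code} %{redirect_url}' "http://$HOST/api/health")
  is_https_redirect "${out%% *}" "${out#* }" "$HOST" || { echo "FAIL: HTTP is not redirected to HTTPS"; fail=1; }

  # No -k: curl also validates the Let's Encrypt certificate chain and hostname.
  body=$(curl -fsS -m 10 "https://$HOST/api/health")
  is_healthy "$body" || { echo "FAIL: HTTPS health check"; fail=1; }

  rc=0
  curl -s -o /dev/null -m 5 "http://$HOST:8080/api/health" || rc=$?
  is_port_closed "$rc" || { echo "FAIL: port 8080 is still reachable (curl exit $rc)"; fail=1; }

  [ "$fail" -eq 0 ] && echo "OK: redirect, certificate, health and port 8080 all check out"
  return "$fail"
}

# Network checks run only when asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "run" ]; then run_checks; fi
```

A failing port 8080 check after the security group change usually means the inbound rule was edited on a different security group than the one attached to the instance.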

✅ You made it! Congrats! Next: set up S3 storage, email and automated backups.

Or skip setup entirely → deploy PocketBase in 20s with pbdeploy.