Host websites with Plesk
This guide is optimized for website deployment via Docker.
After deploying your Next.js site with Docker, use Plesk to route your domain to the running container via reverse proxy.
- Prerequisites:
- You completed Deploy Next.js websites with Docker.
- Your container is running on
localhost:3000(or another port you chose). - A domain or subdomain exists in Plesk.
Add the domain in Plesk
Issue an SSL certificate (optional but recommended)
Configure Apache & Nginx reverse proxy
Click on Websites & Domains, select your domain and click under Hosting & DNS on Apache & nginx
Scroll down and put this in Additional directives for HTTP and HTTPS:
Note
When hosting multiple sites, keep in mind to adjust the port in the https directives below.
Apache-HTTP Directives
<IfModule mod_rewrite.c>
# Enable the rewriting engine
RewriteEngine On
# Skip redirection for Let's Encrypt / ACME challenge requests
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
# Redirect all other non-HTTPS traffic to the secure HTTPS version
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>Apache-HTTPS Directives
# --- Redirect HTTP to HTTPS ---
# Ensures all traffic is encrypted by redirecting non-secure requests
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# --- SSL Certificate Validation ---
# Exclude Let's Encrypt / ACME challenges from being proxied to the backend
<IfModule mod_proxy.c>
ProxyPass /.well-known !
</IfModule>
# --- Main Proxy Configuration ---
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPreserveHost On
ProxyTimeout 600
# Notify the backend application that the original request was via HTTPS
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
# --- WebSocket Support ---
# Intercepts WebSocket upgrade requests and routes them to the ws:// protocol
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "ws://127.0.0.1:3000/$1" [P,L]
</IfModule>
# --- Standard Reverse Proxy ---
# Forward all other traffic to the local backend application
ProxyPass / http://127.0.0.1:3000/ disablereuse=on retry=0
ProxyPassReverse / http://127.0.0.1:3000/
</IfModule>
# --- Security Hardening Headers ---
# Protects the application against common web vulnerabilities
<IfModule mod_headers.c>
# Enforce HTTPS (HSTS)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Prevent Clickjacking
Header always set X-Frame-Options "SAMEORIGIN"
# Prevent MIME-type sniffing
Header always set X-Content-Type-Options "nosniff"
# Control how much referrer information is shared
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Disable unnecessary browser features for privacy and security
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()"
</IfModule>
# --- Access Control ---
# Deny access to sensitive files and version control directories
<FilesMatch "^\.(env|git|svn|hg)">
Require all denied
</FilesMatch>Note
Prefer 127.0.0.1 over localhost to avoid IPv6 resolution issues.
If you run multiple sites, map different host ports in Docker and adjust the port in the proxy rules.
Created: 20.10.2025
Last Updated: 02.01.2026