MagicMirror² v2.13.0 is available! For more information about this release, check out this topic.

Reverse Proxy and Private Modules

  • Hi all,

    I have set up a reverse proxy server in my network, as I host multiple websites/services that I’d like to access remotely (NextCloud, OctoPrint, PiHole. Currently I only have set up NextCloud). This works fine, and I have the wish to include my Magic Mirror in here as well.
    However, before I do that, I would like to figure out the following 2 points:

    1. Is it possible to change the base web address of the mirror?
      I do not think this is needed, but I was mainly wondering if this option exists. This was needed to get NextCloud to work in my setup, hence the question.
    2. This one’s more important: Can I make some of the modules private, so that they are not exposed to the world wide web?
      This is mainly because I have an instance of my google calendar running on the mirror, with a direct link to the calendar baked into the configfile. I don’t want this address to be sent publicly to whomever accesses my website.

    Any advice is of course welcome 🙂



  • Hi,

    1. is possible if you use subdomains, e.g.
      It does’nt work with subpaths at the moment, e.g.
      There is an open issue and a corresponding pull request. If this pr is merged, subpath is also possible.

    2. Don’t know what you mean exactly, the content of the config.js is (normally) not reachable from the browser. Or should these private calendar items not appear on the website?


  • Hi Karsten,

    Thank you for the advice on the subdomains & subpaths. I need to chew on this one a bit and also play a bit more with apache, but I think I’m able to figure it out. It’ll also be easy for me once the pr is merged, as I then just copy the setup I have for NextCloud.

    With regards to the private modules; you state that the browser does not see the content of the config.js. Does this mean that when I open an external browser, the calendar items are provided by the Magic Mirror instead from Google Calendar directly (and thus, my calendar url stays a secret)?
    Even if this is the case, I don’t know if this is a solution I like to have. This still means that a potential hacker can very easily see if I’m on a vacation or not, which is not something I want to compromise.
    If it’s possible, I would like these calendar items not to appear on the website at all, but still have them shown on my mirror at home (as the kids do need to know when we are going on holiday! 🙂 ). I don’t want my calendar URL to be sent to the browser in any way or that my calendar items are sent in any way other than to the localhost.


  • Project Sponsor Module Developer

    config.js is accessible from browser. You can test this in your local network by accessing MM from a browser on another computer, view source and find out the URL of config.js. Then paste that URL into the browser and you get the whole config in plain text.

    So to make a module private, you have to find a way around this, like reprogram the module to not use the config from client-side.

  • @retroflex thank you, your’re right.

    Checked this again with this unmerged pr. With this pr, the config.js is no longer reachable per browser, so we have to wait for the next release where this is hopefully merged.

    @Jessendelft other possibilities:

    • you can whitelist the ip adresses which are allowed to access the mirror
    • you run 2 instances of the mirror, one private restricted to localhost access and one public with content everyone is allowed to see

  • @karsten13 Running 2 instances, ofcourse! And then in the config I can easily restrict the current setup to localhost only, while the second one can be an open version.
    When I read it, I really wondered why I haven’t thought of this myself. Thank you! 🙂

Log in to reply