Getting Started
The OPI Proxy is designed to get you to a working local setup quickly. The public distribution is Docker-first, so most teams can test the integration without building the source project themselves.
Quick Links
What You Need
For a normal installation, you need:
- Docker Desktop or Docker Engine with Compose
- one
.envfile - local copies of the terminal profile and terminal configuration examples in
config/ - generated authentication in
config/auth.json - optional TLS certificate and key files if you want non-local HTTPS
Quick Start
The public repo is meant to be cloned and run directly:
git clone https://github.com/richiehug/nexi-opi-proxy.git
cd nexi-opi-proxy
cp .env.example .env
cp config/terminal-profiles.json.example config/terminal-profiles.json
cp config/terminals.json.example config/terminals.json
docker compose pull
docker compose run --rm auth-init
docker compose up -dFor a first local smoke test:
curl http://127.0.0.1:3001/healthBefore processing a payment, set the terminal IP address, model, profile, and a stable workstationId in config/terminals.json.
Required Network Paths
Both OPI directions must work. With the normal defaults:
| Direction | Purpose | Default port |
|---|---|---|
| POS/ECR to proxy | HTTP or HTTPS API | TCP 3001 |
| Proxy to terminal | OPI pay channel | TCP 4100 |
| Terminal to proxy | OPI device callbacks | TCP 4102 |
The supplied Linux deployment uses Docker host networking, so the proxy uses the host network stack directly. If the terminal cannot reach the callback port, a payment can start successfully while receipts, display messages, input prompts, or the final result fail to return.
Some terminal configurations use the second OPI channel pair: proxy to terminal on TCP 4101 and terminal to proxy on TCP 4103. Allow those ports as well when they are configured for the terminal. The pay-channel and callback ports in config/terminals.json must always match the terminal setup.
If you change the OPI ports, update the terminal configuration and config/terminals.json together. See Network Requirements for terminal infrastructure and external firewall destinations.
Initialization
The proxy does not ship with config/auth.json.
Generate it with:
docker compose run --rm auth-initThat command:
- creates
config/auth.json - creates the bootstrap admin token if no auth config exists yet
- prints the admin bearer token directly in the terminal
Store that token immediately.
Starting the Service
Once .env and config/ are in place, start the runtime with:
docker compose up -dUseful follow-up commands:
docker compose logs -f proxy
docker compose psLocal HTTP and HTTPS
The transport model keeps local development easy and shared setups safer:
- the public template permits HTTP for an easy first run on a trusted setup network
- shared or remotely reachable deployments should use HTTPS
- TLS material is file-based, so certificates can be mounted into
certs/
For quick local HTTPS testing, the proxy can generate a development certificate:
docker compose run --rm tls-init-devThat certificate is for testing only.
For a production-style setup, use TLS_MODE=required, provide a trusted certificate and key, and set ALLOW_INSECURE_REMOTE_HTTP=false.
What Gets Persisted
The Docker layout keeps merchant-owned runtime data outside the image:
config/data/logs/certs/
That makes upgrades simpler because your configuration, auth state, transaction data, and receipt data stay on the host.
New installations normally use SQLite in data/ through STORAGE=db. Existing installations can continue using JSON files with STORAGE=json.