How Hardcoded Private IPs Killed Our Production Frontend

A hardcoded private IP buried in the frontend source was silently breaking all external access.

Background

We had an internal ERP system (Vite + React frontend, Express backend) that worked perfectly on the LAN. When we tried to expose it externally, nothing worked.

The Problem

Private IPs were hardcoded throughout the frontend:

const BASE_URL = 'http://192.168.x.x:8520/api';

LAN browsers could reach these IPs. External browsers could not. Even after vite build, these IPs were baked into the bundled JS.

The Fix

Replaced all hardcoded IPs with relative paths (/api)
Created .env.production with VITE_API_URL=/api/v1
Changed nginx from proxying to vite dev server → serving built static files with try_files
Built and deployed properly

Vite Dev Proxy Trap

server.proxy in vite.config.ts only works during npm run dev. It has zero effect on production builds.

Lessons

Never hardcode private IPs in frontend code
Never use Vite dev server in production
server.proxy is dev-only
LAN testing is not real testing

How Hardcoded Private IPs Killed Our Production Frontend

Background

The Problem

The Fix

Vite Dev Proxy Trap

Lessons

Comments

More from this blog

AI agents need operating rules, not just prompts

Rollback Scripts Are Not System State: Why Runtime Truth Comes First in Recovery Work

Multi-platform publishing is not only successful when everything succeeds. It should support partial completion.

A scheduled job should not just repeat. It should decide.

The code exists, but production still does nothing: why runtime drift should be your first suspect

Command Palette

Background

The Problem

The Fix

Vite Dev Proxy Trap

Lessons

Comments

More from this blog