zoraxy's Introduction

Zoraxy

General purpose request (reverse) proxy and forwarding tool for networking noobs. Now written in Go!

The Zoraxy v3 HTTP proxy config is not compatible with the older v2 format. If you are looking for the legacy version of Zoraxy, take a look at the v2 branch.

Features

  • Simple-to-use interface with detailed in-system instructions
  • Reverse Proxy (HTTP/2)
    • Virtual Directory
    • WebSocket Proxy (automatic, no set-up needed)
    • Basic Auth
    • Alias Hostnames
    • Custom Headers
  • Redirection Rules
  • TLS / SSL setup and deploy
    • ACME features like auto-renew to serve your sites in https
    • SNI support (and SAN certs)
  • Blacklist / Whitelist by country or IP address (single IP, CIDR or wildcard for beginners)
  • Global Area Network Controller Web UI (ZeroTier not included)
  • TCP Tunneling / Proxy
  • Integrated Up-time Monitor
  • Web-SSH Terminal
  • Utilities
    • CIDR IP converters
    • mDNS Scanner
    • IP Scanner
  • Others
    • Basic single-admin management mode
    • External permission management system for easy system integration
    • SMTP config for password reset

Downloads

Windows / Linux (amd64) / Linux (arm64)

For other systems or architectures, please see Release

Build from Source

Requires Go 1.22 or higher

git clone https://github.com/tobychui/zoraxy
cd ./zoraxy/src/
go mod tidy
go build

sudo ./zoraxy -port=:8000

Usage

Zoraxy provides a basic authentication system for standalone mode. To use it in standalone mode, follow the instructions below for your desired deployment platform.

Standalone Mode

Standalone mode is the default mode for Zoraxy. It allows a single account to manage your reverse proxy server, just like a home router. This mode is suitable for new homelab owners or makers who are starting to grow their web services across multiple servers.

Linux

sudo ./zoraxy -port=:8000

Windows

Download the binary executable and double click the binary file to start it.

Raspberry Pi

The installation method is the same as on Linux. If you are using a Raspberry Pi 4 or a newer model, pick the arm64 release. For older Pi models, use the arm (armv6) version instead.

Other ARM SBCs or Android phone with Termux

The installation method is the same as on Linux. For other ARM SBCs, check your SBC's CPU architecture and pick the release that matches your device.

Docker

See the /docker folder for more details.

Start Parameters

Usage of zoraxy:
  -autorenew int
        ACME auto TLS/SSL certificate renew check interval (seconds) (default 86400)
  -fastgeoip
        Enable high speed geoip lookup, require 1GB extra memory (Not recommend for low end devices)
  -info
        Show information about this program in JSON
  -log
        Log terminal output to file (default true)
  -mdns
        Enable mDNS scanner and transponder (default true)
  -noauth
        Disable authentication for management interface
  -port string
        Management web interface listening port (default ":8000")
  -sshlb
        Allow loopback web ssh connection (DANGER)
  -version
        Show version of this server
  -webfm
        Enable web file manager for static web server root folder (default true)
  -webroot string
        Static web server root folder. Only allow chnage in start paramters (default "./www")
  -ztauth string
        ZeroTier authtoken for the local node
  -ztport int
        ZeroTier controller API port (default 9993)

External Permission Management Mode

If you already have an upstream reverse proxy server in place with permission management, you can use Zoraxy in noauth mode. To enable noauth mode, start Zoraxy with the following flag:

./zoraxy -noauth=true

Note: For security reasons, you should only enable noauth mode if you are running Zoraxy in a trusted environment or with another authentication management proxy in front, because the management interface itself no longer performs any authentication.

Screenshots

More screenshots on the wikipage Screenshots!

FAQ

There is a wikipage with Frequently-Asked-Questions!

Global Area Network Controller

This project is also compatible with ZeroTier. However, due to licensing issues, ZeroTier is not included in the binary.

To use Zoraxy with ZeroTier, assuming you already have a valid license, install ZeroTier on your host and then run Zoraxy in sudo mode (or Run As Administrator if you are on Windows). The program will automatically grab the authtoken in the correct location on your host.

If you prefer not to run Zoraxy in sudo mode, or you have a non-standard installation profile, you can also pass in the ZeroTier auth token using the following flags:

./zoraxy -ztauth="your_zerotier_authtoken" -ztport=9993

The ZeroTier auth token can usually be found at /var/lib/zerotier-one/authtoken.secret or C:\ProgramData\ZeroTier\One\authtoken.secret.

This allows you to have an infinite number of network members in your Global Area Network controller. For more technical details, see here.

Web SSH

Web SSH currently only supports Linux based OSes. The following platforms are supported:

  • linux/amd64
  • linux/arm64
  • linux/armv6 (experimental)
  • linux/386 (experimental)

Loopback Connection

Loopback web SSH connections are disabled by default. This means that if you try to connect to an address like 127.0.0.1 or localhost, the system will reject your connection for security reasons. To enable loopback for testing or development purposes, use the following flag to override the loopback check:

./zoraxy -sshlb=true
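
A loopback check of the kind described above, as an added example (this is not Zoraxy's own code). The function name vetSSHTarget, the stub resolver and the host names are assumptions made for illustration; the check also covers host names that resolve to a loopback address and returns the vetted addresses so the caller can dial exactly what was checked.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

var errLoopback = errors.New("loopback target rejected")

// lookupFunc resolves a host name; net.LookupIP has this signature.
type lookupFunc func(host string) ([]net.IP, error)

// sampleLookup is a constructed, offline resolver used for the demonstration.
func sampleLookup(host string) ([]net.IP, error) {
	records := map[string][]net.IP{
		"build.internal.example": {net.ParseIP("192.168.1.20")},
		"lo.internal.example":    {net.ParseIP("127.0.0.1")},
	}
	if ips, ok := records[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

// vetSSHTarget accepts "host" or "host:port" and returns the addresses that
// are safe to dial, or errLoopback if any of them points at the local machine.
// It fails closed: a name that cannot be resolved is rejected as well.
func vetSSHTarget(target string, lookup lookupFunc) ([]net.IP, error) {
	host := target
	if h, _, err := net.SplitHostPort(target); err == nil {
		host = h
	}
	// Normalise: strip IPv6 brackets, a trailing root dot, case and zone.
	host = strings.ToLower(strings.TrimSuffix(strings.Trim(host, "[]"), "."))
	if i := strings.IndexByte(host, '%'); i >= 0 {
		host = host[:i]
	}
	if host == "" {
		return nil, errors.New("empty host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return nil, errLoopback
	}

	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		resolved, err := lookup(host)
		if err != nil {
			return nil, fmt.Errorf("resolve %q: %w", host, err)
		}
		ips = resolved
	}
	if len(ips) == 0 {
		return nil, errors.New("no address for host")
	}
	for _, ip := range ips {
		// IsLoopback covers 127.0.0.0/8, ::1 and IPv4-mapped forms such as
		// ::ffff:127.0.0.1. 0.0.0.0 and :: are rejected too, because
		// connecting to them on Linux reaches the local host.
		if ip.IsLoopback() || ip.IsUnspecified() {
			return nil, errLoopback
		}
	}
	// The caller should dial one of these addresses, not the name, so that
	// a second lookup cannot return a different answer than the one checked.
	return ips, nil
}

func main() {
	targets := []string{
		"127.0.0.1:22", "localhost", "[::1]:22",
		"lo.internal.example:22", "build.internal.example:22",
	}
	for _, t := range targets {
		ips, err := vetSSHTarget(t, sampleLookup)
		fmt.Printf("%-28s ips=%v err=%v\n", t, ips, err)
	}
}
```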

Sponsor This Project

If you like the project and want to support us, please consider a donation. You can use the links below

License

This project is open-sourced under AGPL. I open-sourced this project so everyone can check for security issues and benefit all users. If you plan to use this project in a commercial environment (which violates the AGPL terms), please contact [email protected] for an alternative license.

zoraxy's Issues

[ENHANCEMENTS] A functional wiki and a how-to for beginners

Is your feature request related to a problem? Please describe.
It isn't really a problem but for some like me, it probably is.

Describe the solution you'd like
A functional wiki. I am new to networking systems like this and I want to use your system, but with no how-to for starting the system, it is incredibly hard to figure out.

Describe alternatives you've considered
Researching how to use reverse proxy systems but everything is either Apache or NGINX and those don't really apply to this system.

Additional context
I am fine with helping write a how-to for this system because it really is amazing, I just need someone to oversee or someone to instruct on how the system is used and how to set it up past sudo ./zoraxy -port=:8000.

Stopping Zoraxy on status page

Describe the bug

If I try to stop zoraxy by pressing "Stop Service" it does not stop the service and says "Context deadline exceeded". I then need to stop zoraxy via CLI.

To Reproduce
Steps to reproduce the behavior:

  1. Go to status page
  2. Click on Stop Service
  3. See error

Expected behavior

Stopping the service

Additional context

This only happens on my VPS. On my homeserver, everything is normal.

[ENHANCEMENTS] Acme / Lets Encrypt SSL renewal

Is your feature request related to a problem? Please describe.
To save having to re-upload the public / private keys every 3 months it would be great if auto renewal could be built in.

Personally I'd need DNS validation for Cloudflare.

[BUG] Whitelist not working when using CIDR or wildcard IPs

Describe the bug
Whenever I try to whitelist local IP ranges it doesn't work. When visiting a page, I always get the following error:
image

When whitelisting the fixed IP of the client I'm visiting from, it works perfectly.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Access Control'
  2. Click on 'Whitelist'
  3. Scroll down to 'IP Whitelist'
  4. Add IP-range via CIDR or wildcard
  5. Visit proxied Webpage
  6. See error

Expected behavior
When adding a CIDR range, IP addresses in that range should be able to visit proxied pages.

Host Environment (please complete the following information):

  • Arch: amd64
  • Device: Docker Container with Zoraxy v2.6.2
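
The expected behaviour in this report, as an added example that is not part of the original issue and not Zoraxy's own code: one matcher that accepts a single IP, a CIDR range or a wildcard rule. The per-octet wildcard syntax (`10.0.*.*`), the function names and the sample addresses are assumptions; malformed rules never match, so a typo in a whitelist cannot widen access.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ruleMatches reports whether client matches one whitelist rule.
// Supported rule forms: "203.0.113.7", "192.168.1.0/24", "10.0.*.*".
func ruleMatches(rule string, client net.IP) bool {
	rule = strings.TrimSpace(rule)
	switch {
	case strings.Contains(rule, "/"):
		// CIDR: Contains also handles IPv4-mapped IPv6 client addresses.
		_, network, err := net.ParseCIDR(rule)
		return err == nil && network.Contains(client)
	case strings.Contains(rule, "*"):
		// Wildcard (assumed syntax): four octets, each a number or "*".
		ip4 := client.To4()
		parts := strings.Split(rule, ".")
		if ip4 == nil || len(parts) != 4 {
			return false
		}
		for i, p := range parts {
			if p == "*" {
				continue
			}
			n, err := strconv.ParseUint(p, 10, 8) // rejects signs and >255
			if err != nil || byte(n) != ip4[i] {
				return false
			}
		}
		return true
	default:
		exact := net.ParseIP(rule)
		return exact != nil && exact.Equal(client)
	}
}

// allowed checks a connection's remote address ("ip:port", as found in
// http.Request.RemoteAddr) against every rule. Unparseable input is denied.
func allowed(rules []string, remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, r := range rules {
		if ruleMatches(r, ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample rules and clients.
	rules := []string{"192.168.1.0/24", "10.0.*.*", "203.0.113.7"}
	clients := []string{
		"192.168.1.50:51234", "192.168.2.50:51234",
		"10.0.9.1:40000", "10.1.9.1:40000", "203.0.113.7:443",
	}
	for _, c := range clients {
		fmt.Printf("%-22s allowed=%v\n", c, allowed(rules, c))
	}
}
```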

[ENHANCEMENTS] Add toggle in Set Proxy Root to redirect not found subdomain to root domain with ssl

Is your feature request related to a problem? Please describe.
When trying to visit a non-valid subdomain route, it currently keeps the URL and responds with a self-signed Zoraxy cert. I would like the ability to redirect back to the root domain and have it use one of the ACME certs I generated.

eg
nonexisting.abc.xyz keeps the name and replies with a self-signed cert
Screen Shot 2023-08-19 at 2 25 06 PM

Describe the solution you'd like
option 1.
In the Set Proxy Root page, I would like a toggle or a check box to auto route all non-existing domains back to one I can set somewhere here.
Screen Shot 2023-08-19 at 2 19 33 PM

nonexisting.abc.xyz redirects to root.abc.xyx and replies with root.abc.xyx SSL cert

option 2.
Add wildcard domain SSL certs with ACME (will need to implement DNS SSL cert generation)
This will mitigate the issue and will be preferred as it will still keep the nonexisting URL but will still have a valid SSL cert.

Describe alternatives you've considered
I tried to add a *.domain.root as a new proxy rule, but it is expecting %2A.abc.xyz instead of *.abc.xyz

[BUG] zeroSSL not working

If I try to use a certificate from ZeroSSL then I get this error:

Acme: error: 400 :: POST :: https://acme.zerossl.com/v2/DV90/newAccount :: urn:ietf:params:acme:error:externalAccountRequired :: The request must include a value for the "externalAccountBinding" field

[ENHANCEMENTS] Disallow old TLS Versions

Is your feature request related to a problem? Please describe.
When doing a security scan of my environment, I received the warning that TLS 1.0 and 1.1 are still available on port 443:
image

Describe the solution you'd like
There should be a way to disable the use of such old and deprecated versions of TLS.

[ENHANCEMENTS] Allow for custom Whitelist/Blacklist result

Is your feature request related to a problem? Please describe.
Currently, when using the whitelist or blacklist, HTTP status 403 is returned to anyone blocked.

Describe the solution you'd like
It would be nice to be able to return something different (such as a "sorry not available in your country") or redirect to another page or even a custom html page.

Describe alternatives you've considered

  • Not use the blocklist: not an option for my use case
  • Use another software such as caddy, which has this feature but no nice GUI like zoraxy.

[ENHANCEMENTS] Basic Auth in front of specific subdomains

Is your feature request related to a problem? Please describe.
I need to expose some web services which don't have their own auth built in. I currently use NPM and it has an ACL feature that I can apply to specific subdomains.

A few things I encountered with zoraxy

I was testing out zoraxy and I tried to integrate it on my host system. It runs fine, but there are a few things I encountered, which I wanted to share with you. I used the latest version 2.6 for my tests. First of all, thanks again for this great piece of software.

First my specs:
Ubuntu server 22.04 x64
Browser Firefox and Vivaldi (chrome-based)
Ryzen 5 5600G
B550 Aorus Elite v2
16GB RAM

  1. The very first problem was, the edit button on Subdomain Proxy page is not working, it was a lot of work to test everything :)

  2. I uploaded my certificate and I tried to add a second one for testing as a subdomain certificate. Then both of them were shown twice. Another question... are intermediate certificates not needed? I have a private key, an intermediate certificate and my certificate.

cert

After I removed one of them, everything was normal again.

  3. IPV6 Support, it was impossible for me to create a working subdomain proxy to an IPV6 address. It worked with hostnames, and even with docker internal IPV4 but not with IPV6.

ipv6

  4. This is the most important problem for me. HTTPS Redirect was working just fine, but Apps have problems. The webservice of Jellyfin for example was working completely, but the App did not get any connection. Same was for immich. Immich web was working fine, but not the app. Unable to login. The only app which worked was paperless mobile.

For Jellyfin the app finamp gave me this error:

Screenshot_2023-05-28-02-18-31-18_bd089574a79f02629f0e15c227aed74a

  5. SMTP Settings for password reset. I filled out everything but it tells me " 535 Authentication credentials invalid". Why do I need to use a sender domain? I filled in my domain name (domain.com), but it did not work.

Last question: Is there anyway to contact you, except your mail? A discord or matrix room would be great to exchange with other users.

This was my experience so far. I hope I could give you useful information. I will test how it works with WordPress or Nextcloud. This needs preparation.

Failed to initialize resolver: listen udp6 [ff02::]:5353: socket: address family not supported by protocol [BUG]

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

root@zoraxy:/opt/zoraxy/src# ./zoraxy
2023/07/24 14:29:12 [Auth] Authentication session key loaded from database
2023/07/24 14:29:19 [zeroconf] no suitable IPv6 interface: listen udp6 [ff02::]:5353: socket: address family not supported by protocol
2023/07/24 14:29:19 Environment variable ZT_AUTH not defined. Trying to load authtoken from file.
2023/07/24 14:29:19 Unable to read authkey at /var/lib/zerotier-one/authtoken.secret:  exit status 1
2023/07/24 14:29:19 Failed to load ZeroTier controller API authtoken
2023/07/24 14:29:19 Failed to initialize resolver: listen udp6 [ff02::]:5353: socket: address family not supported by protocol
root@zoraxy:/opt/zoraxy/src#

ipv6 is disabled

root@zoraxy:/opt/zoraxy/src# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0@if346: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9a:61:35:e8:97:3e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.214/24 brd 192.168.100.255 scope global dynamic eth0
       valid_lft 13952sec preferred_lft 13952sec
root@zoraxy:/opt/zoraxy/src#

Expected behavior
It should start

Screenshots

Browser (if it is a bug appears on the UI section of the system):

  • OS: bullseye/sid

Host Environment (please complete the following information):

  • Arch: amd64

Additional context
Add any other context about the problem here.

[ENHANCEMENTS] Support DNS validation for LetsEncrypt

Related to #6

Is your feature request related to a problem? Please describe.

My server is not publicly accessible on the internet, but I still use a .com domain name to set up SSL with LetsEncrypt. I usually do this by adding DNS records to my Cloudflare. This is also the only way to set up a wildcard SSL certificate.

Describe the solution you'd like

I would like the Acme resolver to support DNS validation so that I can issue a wildcard SSL certificate for my private server.

Describe alternatives you've considered

I'm currently using NginxProxyManager, which supports this out of the box. (You can even give it your Cloudflare API token and it sets up all the DNS records for you automatically.) Zoraxy looks much more powerful so I'd like to switch to this, but can't migrate until I can use DNS validation.

Serve a static site directly [ENHANCEMENTS]

I think it would be useful to be able to serve a static site from zoraxy itself. A very small homepage could be served directly or custom 404 sites and so on. An equivalent to nginx proxy managers option.

Landing pages are possible this way without needing a Webserver in the Backend.

[ENHANCEMENTS] Storing configuration data in a separate file.

Is your feature request related to a problem? Please describe.
Currently, Zoraxy is a self-contained binary executable. This poses a problem for Docker hosting because trying to update to a newer version would result in data loss, or at the very least, way more complicated actions to store that data than would be realistically feasible. Having to set your proxies, virtual dirs, etc. for every update would be a huge hassle, especially if this project suddenly blows up and there are a lot more users and features.
Basically, the self-containment is not very good for reproducibility and may cause bigger headaches down the line.

Describe the solution you'd like
Write out the current configuration to a file, (json, yaml, etc).

Describe alternatives you've considered
#14 Suggests a backup/restore feature which may be useful for some situations, but not so much in this case.

[ENHANCEMENTS] Per-Proxy Rule Forced SSL (instead of global)

Is your feature request related to a problem? Please describe.
Currently, the only way to force SSL with simple UI config is globally via the front page. Some of my proxied connections do not require SSL while others do.
CleanShot 2023-08-16 at 10 49 04@2x

Describe the solution you'd like
I'd like the ability to set, for any individual proxy rule, forced SSL unique to that rule alone. For example, sub.domain.com needs HTTPS, but sub2.domain.com doesn't.

Describe alternatives you've considered
NginxProxyManager, a solution many are likely hoping to switch away from (myself included), has fully custom SSL per-rule like so:
CleanShot 2023-08-16 at 10 46 15@2x

Technically, there isn't anything stopping me from using wildcards or getting a cert for each domain I want to proxy, but some applications can have issues when HTTPS/SSL is introduced unexpectedly.

[ENHANCEMENTS] Set default SSL / TLS Provider

When adding a new subdomain proxy, Zoraxy asks if a new certificate shall be created. Zoraxy then uses Let's Encrypt, but I would like Buypass SSL. So I need an option to set a default provider :)

[BUG] Redirects behind Sub-domain proxy are not working

Describe the bug
It seems like redirects behind a sub-domain proxy are not working properly. I have two services running behind the reverse proxy Kutt and Zipline, both have url short/redirect functions.
If a user tries to open a shortened URL of either service, it does change the path behind the domain, but not the domain it should redirect to. That leads to 404 and other errors.
I haven't found anything to adjust the header or behavior.

Expected behavior
The user should be redirected to the appropriate site.

Host Environment (please complete the following information):

  • Arch: amd64
  • Device: VM
  • OS: Debian
  • Version 12

[BUG] Service Expose Proxy Page Blank

Describe the bug
A clear and concise description of what the bug is.
Not completely sure if this is a bug or I just have to disable/enable a feature to use this page but when I click on service expose proxy it loads a blank page.
To Reproduce
Steps to reproduce the behavior:

  1. Go to Service Expose Proxy
  2. Click on it under bridging to open
  3. Presented with blank page on service expose proxy

Expected behavior
A clear and concise description of what you expected to happen.
I expect the service expose proxy to load and show what the page is for and to be used for. I also expect the global area network

Screenshots
If applicable, add screenshots to help explain your problem.
Screenshot of issue

Browser (if it is a bug appears on the UI section of the system):

  • OS: [Windows 10]
  • Browser [Chrome]
  • Version [chrome Version 116.0.5845.141 and Zoraxy Version 2.6.5 Docker Image zoraxydocker/zoraxy:latest]

Host Environment (please complete the following information):

  • Arch: [arm64]
  • Device: [Intel i7-8700 128gb Ram]
  • OS: [e.g. Debian]
  • Version [12]

Additional context
Add any other context about the problem here.
Running under zoraxydocker/zoraxy:latest docker

[BUG] SSL IP:PORT never reported as Up in uptime

Describe the bug
Uptime false down when internal URL is SSL with no certificate

To Reproduce
Steps to reproduce the behavior:

Create a subdomain to an internal service that is being served over SSL but does not have a certificate applied.

https://192.168.1.4.443 for example

Have a valid SSL certificate uploaded to Zoraxy

Uptime will never report that service as up.

Expected behavior
Service should report as up.

Make Subdomain Proxy and Virtual Directory clickable

If you want to try out things or you edit a subdomain proxy or virtual directory, it would be nice if the "matching domain" part of the list could be clickable. I click on an entry of the list and the entry opens in a new tab.

liste

[ENHANCEMENTS] Exception for Subfolders

Is your feature request related to a problem? Please describe.
I would like to use basic authentication for some of my dockers like Sonarr and Radarr, but I need the subfolder /api to be open.

Describe the solution you'd like
An option to disable basic authentication for subfolders

[ENHANCEMENTS] Access list per subdomain

It would be nice to have an access list per Subdomain next to basic authentication.
This allows access to subdomains only for specific IPs or ranges (like NPM Manager).

[BUG] SMTP without auth

How is it possible to use SMTP without auth on port 25?
When I test, Zoraxy indicates the configuration is not ok because no user/password was added:
CleanShot 2023-11-16 at 12 59 15@2x
and an SMTP server by IP is not possible ... :(

[BUG] Very high CPU usage

Describe the bug
I can see that with the latest update, CPU usage got increased dramatically. And it's at this level almost constantly. Restart of container does not help.

To Reproduce
I've installed Zoraxy on a Proxmox LXC container. In the screenshot below you can see the container configuration.

Expected behavior
CPU usage previously was close to being idle.

Screenshots
zoraxy

Host Environment (please complete the following information):

  • Arch: x64
  • Device: Proxmox LXC
  • OS: Debian
  • Version 12 Bookworm

Failed to verify Certificate when not using localhost as proxy destination

When running in docker, the proxy destination will never be localhost, but rather a destination inside the local network.
When adding a destination, where the proxy address has self-signed SSL enabled, like so:
image
and the certificate is only valid for localhost:
image
Is there any way to skip the validation of the local certificate in Zoraxy?

Whenever I try to configure a proxy host this way, I get the following error in my browser:
image

The log of Zoraxy gives me the following error:
image

Any help with this issue would be greatly appreciated!

[QUESTION] Wildcard Let's Encrypt certificate

Just one question: how to do that? Let's Encrypt with wildcard? Because if I configure it to create one certificate per domain/subdomain I receive the block message acme because mose request .... (I migrate from NPM to zoraxy to test the zoraxy solution)

[ENHANCEMENTS] Include forward authentication support

Is your feature request related to a problem? Please describe.
Forward authentication to external platforms, like Keycloak, Authentik or Authelia. This is necessary to provide SSO and protect services that don't have their own authentication services (or very insecure ones, like Basic Auth).

Describe the solution you'd like
To be able to configure forward auth in the web UI.

Additional context
Examples for other reverse proxy platforms:
Authelia
Authentik

[ENHANCEMENTS] SMTP without Auth and port 25

It would be better to let the user decide or name if he must authenticate to send emails by SMTP

As in my case no need for authentication to send mail because internal mail server postfix with ACL ip etc...

[BUG] TLS and Config

I have some questions that I don't know whether they are bugs or config things:

  1. If I enable TLS on any subdomain, the target is not reachable any more and I get a 404 error. Without it, the targets are reachable.

image

  2. Actual Zoraxy is running in Docker, the config "/zoraxy/config/" is connected to local "/mnt/user/appdata/zoraxy", but that path is empty. So I have the feeling that if the docker is updating, all the config is gone.

Reset statistics

It would be helpful for troubleshooting or monitoring if there were a button to reset all statistics.

statistic

[BUG] Cannot change inbound port

Describe the bug
When attempting to change the Inbound Port on a fresh installation in Docker, the Apply button does nothing and returns an empty API response console error. The desired value is not saved.

To Reproduce
Steps to reproduce the behavior:

  1. Perform a fresh installation of Zoraxy 2.6.5 in Docker.
  2. Create the initial user and log in.
  3. Change the Inbound Port to any numeric value.
  4. Click apply.

Expected behavior
The inbound port changes to the specified value.

Screenshots
CleanShot 2023-08-15 at 16 33 46@2x

Browser (if it is a bug appears on the UI section of the system):

  • OS: macOS 14.0 Sonoma Beta
  • Browser: Brave "Version 1.56.20 Chromium: 115.0.5790.171 (Official Build) (arm64)"

Host Environment (please complete the following information):

  • Arch: amd64
  • Device: MinisForum UM560X
  • OS: Debian 12 (bookworm)

Backup and Restore functionality

A great feature would be "Backup and Restore" of the entire Zoraxy configuration. If a user wants to change the server, or changes from docker to host installation and vice versa, they only need to install Zoraxy and import their backup file.

It would make sense to place this in the Utilities tab. A click on backup would then back up all virtual directories, subdomain proxies and so on, and store it in a zip file, which is automatically downloaded.

To restore the configuration, this file only needs to be uploaded, and then a restart of Zoraxy is performed.
With this feature it would not matter anymore on which platform Zoraxy is running, it could be changed very easily without data loss.

Detached mode and logs

First: Thanks for this great program!

I am testing zoraxy inside LXC and I would like to know if there is any detached mode? At the moment I use screen to detach zoraxy output. I can not leave the CLI open the whole time.

It would be cool to start zoraxy with a "-d" argument in the background.

Then I would like to know if there are any logs?

[BUG] Not sure if I'm missing something

Describe the bug
After cloning, I'm not seeing how I'd run sudo ./zoraxy -port=:8000 - is this file somewhere else?

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Browser (if it is a bug appears on the UI section of the system):

  • OS: Linux raspberrypi 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
  • Browser [e.g. chrome, safari]
  • Version: latest

Host Environment (please complete the following information):

  • Arch: [e.g. arm64]
  • Device: [e.g. Bananapi R2 PRO]
  • OS: [e.g. Armbian]
  • Version [e.g. 23.02 Bullseye ]

Additional context
Add any other context about the problem here.

[BUG] Let's Encrypt certs are Staging ones, so they're untrusted on browsers

Describe the bug
When generating a Let's Encrypt certificate, they're generated in the staging server

To Reproduce
Steps to reproduce the behavior:
Generate a Let's Encrypt cert using Zoraxy

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
image

Host Environment (please complete the following information):

  • Arch: x86_64
  • Device: Dell Workstation
  • OS: Debian
  • Version: 12 Bookworm (on a proxmox container)

[ENHANCEMENTS] Add Tailscale to Global Area Network Options

Is your feature request related to a problem? Please describe.
No, it is a direct feature request. I don't use Zerotier, I use Tailscale as it supports SSO on the free tier.

Describe the solution you'd like
The ability to use Tailscale as a GAN option.

Describe alternatives you've considered
Wireguard is another option, or IPSec would be nice too. (raw configuration vs. using a specific service)

Additional context
https://tailscale.com/

Show current version on status page and describe how to update in the docs

I just saw news about a new version, but how do I upgrade?

  1. Stop zoraxy service with

sudo systemctl stop zoraxy

  2. For pulling the sources it is
    git pull

But I am not familiar with go syntax. Do I need to run
go mod tidy and go build ? Or is go build enough?

After the update zoraxy service can be started again with:

sudo systemctl start zoraxy

It would be useful to see which version is used on the status page or in the headline. "Zoraxy v2.6.1" or similar.
Maybe you can build an integrated updater

[ENHANCEMENTS] Additional Headers

Is your feature request related to a problem? Please describe.
N/A

Describe the solution you'd like
It would be great to be able to set custom headers on a proxy.

Describe alternatives you've considered
Something similar to Nginx Proxy Managers custom config (I know this isn't based on NGINX but would be great to have something to add headers)

Additional context
N/A

[ENHANCEMENTS] Multiple Subdomains in Single Rule

Is your feature request related to a problem? Please describe.
Only able to include a single subdomain when creating a proxy rule. When having an external and internal domain, users have to create duplicate rules to account for both domains.

Describe the solution you'd like
Allow for multiple subdomains to be included when creating a proxy rule. These can be comma or semi-colon separated in the Subdomain entry.

[BUG] Cannot handle HTTP 301 response correctly

Describe the bug
Let's say I have a domain example.com and want to proxy http://example.com/linkding to selfhost linkding.

In order to handle linkding/* and linkding/static/* correctly, I set the linkding base path to linkding/.

I add virtual directory config, /linkding/ to 192.168.1.x:9090/linkding/.

When I request http://example.com/linkding it redirects to http://example.com/linkding/linkding/login

I found that when I request 192.168.1.x:9090/linkding/ directly it would respond:

< HTTP/1.1 302 found
< Location: /linkding/login
< ...

And zoraxy will overwrite the Location header, set it to /linkding + /linkding/login.

} else if strings.HasPrefix(originLocation, "/") && rrr.PathPrefix != "" {
    //Back to the root of this proxy object
    //fmt.Println(rrr.ProxyDomain, rrr.OriginalHost)
    locationRewrite = strings.TrimSuffix(rrr.PathPrefix, "/") + originLocation

To Reproduce
See above

Expected behavior
When overriding Location, consider cases where the Location header already contains PathPrefix.
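
The rewrite described in this report next to a prefix-aware alternative, as an added example that is not part of the original issue and not Zoraxy's code. It goes beyond the reported case by mapping from the upstream base path to the public path prefix in general; mapLocation and its upstreamBase parameter are assumptions, only PathPrefix and originLocation come from the snippet above.

```go
package main

import (
	"fmt"
	"strings"
)

// rewriteLocationNaive mirrors the behaviour shown in the issue: every
// root-relative Location gets the path prefix prepended unconditionally.
func rewriteLocationNaive(pathPrefix, originLocation string) string {
	if strings.HasPrefix(originLocation, "/") && pathPrefix != "" {
		return strings.TrimSuffix(pathPrefix, "/") + originLocation
	}
	return originLocation
}

// mapLocation translates a Location header from the upstream's path space
// into the public one. pathPrefix is the virtual directory ("/linkding/"),
// upstreamBase is the path part of the proxy target ("/linkding/" when the
// target is host:9090/linkding/, "/" when the target is the upstream root).
func mapLocation(pathPrefix, upstreamBase, location string) string {
	// Absolute URLs and scheme-relative "//host/..." values are not paths
	// on this proxy and are left untouched.
	if !strings.HasPrefix(location, "/") || strings.HasPrefix(location, "//") {
		return location
	}
	public := strings.TrimSuffix(pathPrefix, "/")
	base := strings.TrimSuffix(upstreamBase, "/")

	// Only the path is compared; query string and fragment are carried over.
	path, rest := location, ""
	if i := strings.IndexAny(location, "?#"); i >= 0 {
		path, rest = location[:i], location[i:]
	}

	switch {
	case base == "":
		// Upstream is mounted at its root: prepend the public prefix.
		return public + path + rest
	case path == base:
		return public + "/" + rest
	case strings.HasPrefix(path, base+"/"):
		// Swap the upstream base for the public prefix. Matching on
		// base+"/" keeps "/linkdingfoo" from being treated as "/linkding".
		return public + strings.TrimPrefix(path, base) + rest
	default:
		// Outside the proxied subtree: there is no public equivalent,
		// so the value is passed through unchanged.
		return location
	}
}

func main() {
	// Values from the report: virtual directory /linkding/ pointing at
	// 192.168.1.x:9090/linkding/, upstream answers "Location: /linkding/login".
	fmt.Println(rewriteLocationNaive("/linkding/", "/linkding/login"))
	fmt.Println(mapLocation("/linkding/", "/linkding/", "/linkding/login"))
	// Same virtual directory, but the upstream is mounted at its root.
	fmt.Println(mapLocation("/linkding/", "/", "/login"))
}
```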

[ENHANCEMENTS] Support ARM64 in Docker

Is your feature request related to a problem? Please describe.
Currently, the specified Docker image (passivelemon/zoraxy-docker) does not support arm64, meaning it cannot run in a Docker container on a Raspberry Pi or an Oracle ARM VM for example.

Describe the solution you'd like
The Docker image uploaded to DockerHub should support arm64.

Describe alternatives you've considered
https://github.com/cyb3rdoc/zoraxy-docker is an alternative image that currently supports arm64, however it is out of date and seemingly unmaintained.

Additional context
N/A

Not sure what it would take to adapt the existing x64 image to support arm64 as well, but in most cases I've seen lately if the application and its dependencies support arm64 natively, it should be a relatively simple build command change. I've done this to a couple containers for the AMP server management panel, see MitchTalmadge/AMP-dockerized#140 and imagegenius/docker-amp#8 for what that entailed. I am happy to try and assist if desired.

[BUG] High Memory Consumption

Describe the bug
Noticed that Zoraxy is consuming a solid gigabyte of RAM in its docker container. Services that it loadbalances, like Frigate (transcoding 4x2k video streams) uses ~700MB by comparison.

To Reproduce
Steps to reproduce the behavior:

  • Run zoraxy in a container for a while
  • Measure RAM usage with docker stats

Expected behavior
RAM usage to be more in-line with expectation for a loadbalancer seeing trivial traffic

Screenshots
N/A

Browser (if it is a bug appears on the UI section of the system):
N/A

Host Environment (please complete the following information):

  • Arch: x86_64
  • Device: Server
  • OS: Ubuntu
  • Version: 22.04.2
