tobychui / zoraxy
A general purpose HTTP reverse proxy and forwarding tool. Now written in Go!
Home Page: https://zoraxy.arozos.com
License: GNU Affero General Public License v3.0
Is your feature request related to a problem? Please describe.
When trying to visit a non-valid subdomain route, it currently keeps the URL and responds with a self-signed Zoraxy cert. I would like the ability to redirect back to the root domain and have it use one of the ACME certs I generated.
e.g. nonexisting.abc.xyz keeps the name and replies with a self-signed cert
Describe the solution you'd like
option 1.
In the Set Proxy Root page, I would like a toggle or a check box to auto route all non-existing domains back to one I can set somewhere here.
nonexisting.abc.xyz redirects to root.abc.xyx and replies with root.abc.xyx SSL cert
option 2.
Add wildcard domain SSL certs with ACME (will need to implement DNS SSL cert generation)
This will mitigate the issue and will be preferred as it will still keep the nonexisting URL but will still have a valid SSL cert.
Describe alternatives you've considered
I tried to add a *.domain.root as a new proxy rule, but it is expecting %2A.abc.xyz instead of *.abc.xyz
Please consider adding fail2ban for security reasons.
For example, you could check the SWAG solution.
Is your feature request related to a problem? Please describe.
Forward authentication to external platforms like Keycloak, Authentik or Authelia. This is necessary to provide SSO and protect services that don't have their own authentication (or very insecure ones, like Basic Auth).
Describe the solution you'd like
To be able to configure forward auth in the web UI.
Additional context
Examples for other reverse proxy platforms:
Authelia
Authentik
Describe the bug
When I change the port for a proxy, the uptime monitor still keeps the old port and shows the site as offline.
Describe the bug
When generating a Let's Encrypt certificate, they're generated in the staging server
To Reproduce
Steps to reproduce the behavior:
Generate a Let's Encrypt cert using Zoraxy
Expected behavior
A clear and concise description of what you expected to happen.
Host Environment (please complete the following information):
Describe the bug
After cloning, I'm not seeing how I'd run sudo ./zoraxy -port=:8000 - is this file somewhere else?
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
If applicable, add screenshots to help explain your problem.
Browser (if it is a bug appears on the UI section of the system):
Host Environment (please complete the following information):
Additional context
Add any other context about the problem here.
where can i set rewrite rules like this:
rewrite ^/.well-known/carddav https://cloud.dd.com/remote.php/dav/ redirect;
rewrite ^/.well-known/caldav https://cloud.dd.com/remote.php/dav/ redirect;
After getting the image scanned in Dockerhub, this critical CVE showed up. It has to do with the satori/go.uuid module that is being used and should be replaced! gofrs/uuid appears to be a safe replacement but there are plenty of others so I'll leave this up to you since you are the developer of Zoraxy.
Describe the bug
A clear and concise description of what the bug is.
To Reproduce
Steps to reproduce the behavior:
root@zoraxy:/opt/zoraxy/src# ./zoraxy
2023/07/24 14:29:12 [Auth] Authentication session key loaded from database
2023/07/24 14:29:19 [zeroconf] no suitable IPv6 interface: listen udp6 [ff02::]:5353: socket: address family not supported by protocol
2023/07/24 14:29:19 Environment variable ZT_AUTH not defined. Trying to load authtoken from file.
2023/07/24 14:29:19 Unable to read authkey at /var/lib/zerotier-one/authtoken.secret: exit status 1
2023/07/24 14:29:19 Failed to load ZeroTier controller API authtoken
2023/07/24 14:29:19 Failed to initialize resolver: listen udp6 [ff02::]:5353: socket: address family not supported by protocol
root@zoraxy:/opt/zoraxy/src#
IPv6 is disabled
root@zoraxy:/opt/zoraxy/src# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0@if346: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 9a:61:35:e8:97:3e brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.100.214/24 brd 192.168.100.255 scope global dynamic eth0
valid_lft 13952sec preferred_lft 13952sec
root@zoraxy:/opt/zoraxy/src#
Expected behavior
It should start
Screenshots
Browser (if it is a bug appears on the UI section of the system):
Host Environment (please complete the following information):
Additional context
Add any other context about the problem here.
It would be better to let the user decide or specify whether they must authenticate to send emails via SMTP.
In my case there is no need for authentication to send mail, because the internal Postfix mail server uses IP ACLs etc...
Just as stated.
Is your feature request related to a problem? Please describe.
I need to expose some web services which don't have their own auth built in. I currently use NPM and it has an ACL feature that I can apply to specific subdomains.
Describe the bug
It seems like redirects behind a sub-domain proxy are not working properly. I have two services running behind the reverse proxy, Kutt and Zipline; both have URL shortening/redirect functions.
If a user tries to open a shortened URL of either service, it does change the path behind the domain, but not the domain it should redirect to, which leads to 404 and other errors.
I haven't found anything to adjust the header or behavior.
Expected behavior
The user should be redirected to the appropriate site.
Host Environment (please complete the following information):
Describe the bug
Let's say I have a domain example.com and want to proxy http://example.com/linkding to self-hosted linkding.
In order to handle linkding/* and linkding/static/* correctly, I set the linkding base path to linkding/.
I add a virtual directory config, /linkding/ to 192.168.1.x:9090/linkding/.
When I request http://example.com/linkding it redirects to http://example.com/linkding/linkding/login
I found that when I request 192.168.1.x:9090/linkding/ directly it would respond:
< HTTP/1.1 302 found
< Location: /linkding/login
< ...
And zoraxy will overwrite the Location header, setting it to /linkding + /linkding/login.
zoraxy/src/mod/dynamicproxy/dpcore/dpcore.go
Lines 368 to 371 in 50f222c
To Reproduce
See above
Expected behavior
When overriding Location, consider cases where the Location header already contains PathPrefix.
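The double-prefix problem described in this report, as an added Go example (not Zoraxy's own code; the Upstream type and the 192.168.1.10:9090 address are constructed for illustration): the backend's configured base path is stripped from a relative or backend-addressed Location before the public prefix is added, so a Location of /linkding/login stays /linkding/login instead of becoming /linkding/linkding/login.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Upstream is a hypothetical description of one virtual directory rule
// (not Zoraxy's own type): requests for ProxyPrefix on the public side are
// forwarded to Host + BasePath on the backend.
type Upstream struct {
	ProxyPrefix string // public mount point, e.g. "/linkding"
	Host        string // backend host:port, e.g. "192.168.1.10:9090" (constructed)
	BasePath    string // path the backend itself serves under, e.g. "/linkding/"
}

// normPrefix turns "/linkding/", "linkding" or "/" into "/linkding" or "".
func normPrefix(p string) string {
	p = strings.Trim(p, "/")
	if p == "" {
		return ""
	}
	return "/" + p
}

// RewriteLocation maps a backend Location header into the public URL space.
// The backend's own base path is stripped before the proxy prefix is added,
// so a Location that already carries the prefix is not prefixed twice.
func (u Upstream) RewriteLocation(location string) string {
	if location == "" {
		return location
	}
	loc, err := url.Parse(location)
	if err != nil {
		return location
	}
	// Absolute redirect to some other host: leave it untouched.
	if loc.Host != "" && loc.Host != u.Host {
		return location
	}
	// A relative path without a leading slash is resolved by the client
	// against the current, already prefixed URL; nothing to rewrite.
	if loc.Host == "" && !strings.HasPrefix(loc.Path, "/") {
		return location
	}
	path := loc.Path
	if base := normPrefix(u.BasePath); base != "" && (path == base || strings.HasPrefix(path, base+"/")) {
		path = strings.TrimPrefix(path, base)
	}
	if path == "" {
		path = "/"
	}
	// Drop scheme and host: a redirect that pointed at the backend itself
	// becomes a same-origin path, so the client never sees the internal address.
	loc.Scheme, loc.Host, loc.User = "", "", nil
	loc.Path = normPrefix(u.ProxyPrefix) + path
	loc.RawPath = ""
	return loc.String()
}

func main() {
	u := Upstream{ProxyPrefix: "/linkding/", Host: "192.168.1.10:9090", BasePath: "/linkding/"}
	for _, l := range []string{"/linkding/login", "http://192.168.1.10:9090/linkding/login?next=%2Fbookmarks", "https://example.org/"} {
		fmt.Printf("%-60s -> %s\n", l, u.RewriteLocation(l))
	}
}
```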
When selecting the static web server as proxy root, Zoraxy should check if the web server is running, or it needs to autostart the web server to prevent unexpected behavior.
Is your feature request related to a problem? Please describe.
Currently, when using the whitelist or blacklist, HTTP status 403 is returned to anyone blocked.
Describe the solution you'd like
It would be nice to be able to return something different (such as a "sorry not available in your country") or redirect to another page or even a custom html page.
Describe alternatives you've considered
Is your feature request related to a problem? Please describe.
Currently, the specified Docker image (passivelemon/zoraxy-docker) does not support arm64, meaning it cannot run in a Docker container on a Raspberry Pi or an Oracle ARM VM for example.
Describe the solution you'd like
The Docker image uploaded to DockerHub should support arm64.
Describe alternatives you've considered
https://github.com/cyb3rdoc/zoraxy-docker is an alternative image that currently supports arm64, however it is out of date and seemingly unmaintained.
Additional context
N/A
Not sure what it would take to adapt the existing x64 image to support arm64 as well, but in most cases I've seen lately if the application and its dependencies support arm64 natively, it should be a relatively simple build command change. I've done this to a couple containers for the AMP server management panel, see MitchTalmadge/AMP-dockerized#140 and imagegenius/docker-amp#8 for what that entailed. I am happy to try and assist if desired.
Describe the bug
Noticed that Zoraxy is consuming a solid gigabyte of RAM in its Docker container. Services that it load-balances, like Frigate (transcoding 4x2k video streams), use ~700MB by comparison.
To Reproduce
Steps to reproduce the behavior:
docker stats
Expected behavior
RAM usage to be more in-line with expectation for a loadbalancer seeing trivial traffic
Screenshots
N/A
Browser (if it is a bug appears on the UI section of the system):
N/A
Host Environment (please complete the following information):
If I try to use a certificate from ZeroSSL then I get this error:
Acme: error: 400 :: POST :: https://acme.zerossl.com/v2/DV90/newAccount :: urn:ietf:params:acme:error:externalAccountRequired :: The request must include a value for the "externalAccountBinding" field
Just one question: how to do that? Let's Encrypt with wildcard? Because if I configure it to create one certificate per domain/subdomain, I receive the ACME block message because mose request .... (I migrated from NPM to Zoraxy to test the Zoraxy solution)
Describe the bug
Whenever I try to whitelist local IP ranges it doesn't work. When visiting a page, I always get the following error:
When whitelisting the fixed IP of the client I'm visiting from, it works perfectly.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
When adding a CIDR range, IP addresses in that range should be able to visit proxied pages.
Host Environment (please complete the following information):
When adding a new subdomain proxy, Zoraxy asks if a new certificate shall be created. Zoraxy then uses Let's Encrypt, but I would like Buypass SSL. So I need an option to set a default provider :)
I have some questions that I don't know whether they are bugs or config things:
Is your feature request related to a problem? Please describe.
Currently, Zoraxy is a self-contained binary executable. This poses a problem for Docker hosting because trying to update to a newer version would result in data loss, or at the very least, way more complicated actions to store that data than would be realistically feasible. Having to set your proxies, virtual dirs, etc. for every update would be a huge hassle, especially if this project suddenly blows up and there are a lot more users and features.
Basically, the self-containment is not very good for reproducibility and may cause bigger headaches down the line.
Describe the solution you'd like
Write out the current configuration to a file, (json, yaml, etc).
Describe alternatives you've considered
#14 Suggests a backup/restore feature which may be useful for some situations, but not so much in this case.
Describe the bug
A clear and concise description of what the bug is.
Not completely sure if this is a bug or I just have to disable/enable a feature to use this page but when I click on service expose proxy it loads a blank page.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
A clear and concise description of what you expected to happen.
I expect the service expose proxy to load and show what the page is for and to be used for. I also expect the global area network
Screenshots
If applicable, add screenshots to help explain your problem.
Screenshot of issue
Browser (if it is a bug appears on the UI section of the system):
Host Environment (please complete the following information):
Additional context
Add any other context about the problem here.
Running under zoraxydocker/zoraxy:latest docker
Describe the bug
When attempting to change the Inbound Port on a fresh installation in Docker, the Apply button does nothing and returns an empty API response console error. The desired value is not saved.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The inbound port changes to the specified value.
Browser (if it is a bug appears on the UI section of the system):
Host Environment (please complete the following information):
When I use Zoraxy to reverse proxy Proxmox (for example), the consoles on the VMs don't work.
I believe this is down to WebSockets, though I could be way off.
Related to #6
Is your feature request related to a problem? Please describe.
My server is not publicly accessible on the internet, but I still use a .com domain name to set up SSL with LetsEncrypt. I usually do this by adding DNS records to my Cloudflare. This is also the only way to set up a wildcard SSL certificate.
Describe the solution you'd like
I would like the Acme resolver to support DNS validation so that I can issue a wildcard SSL certificate for my private server.
Describe alternatives you've considered
I'm currently using NginxProxyManager, which supports this out of the box. (You can even give it your Cloudflare API token and it sets up all the DNS records for you automatically.) Zoraxy looks much more powerful so I'd like to switch to this, but can't migrate until I can use DNS validation.
A great feature would be "Backup and Restore" of the entire Zoraxy configuration. If a user wants to change the server, or changes from Docker to host installation and vice versa, they only need to install Zoraxy and import their backup file.
It would make sense to place this in the Utilities tab. A click on backup would then back up all virtual directories, subdomain proxies and so on, store it in a zip file, which is automatically downloaded.
To restore the configuration, this file only needs to be uploaded, and then a restart of Zoraxy is performed.
With this feature it would not matter anymore on which platform Zoraxy is running; it could be changed very easily without data loss.
I was testing out zoraxy and I tried to integrate it on my host system. It runs fine, but there are a few things I encountered, which I wanted to share with you. I used the latest version 2.6 for my tests. First of all, thanks again for this great piece of software.
First my specs:
Ubuntu server 22.04 x64
Browser Firefox and Vivaldi (chrome-based)
Ryzen 5 5600G
B550 Aorus Elite v2
16GB RAM
The very first problem was, the edit button on Subdomain Proxy page is not working, it was a lot of work to test everything :)
I uploaded my certificate and I tried to add a second one for testing as a subdomain certificate. Then both of them were shown twice. Another question... are intermediate certificates not needed? I have a private key, an intermediate certificate and my certificate.
After I removed one of them, everything was normal again.
For Jellyfin the app finamp gave me this error:
Last question: Is there anyway to contact you, except your mail? A discord or matrix room would be great to exchange with other users.
These were my experiences so far. I hope I could give you useful information. I will test how it works with WordPress or Nextcloud. This needs preparation.
I think it would be useful to be able to serve a static site from Zoraxy itself. A very small homepage could be served directly, or custom 404 sites and so on. An equivalent to Nginx Proxy Manager's option.
Landing pages are possible this way without needing a Webserver in the Backend.
It would be nice to have an access list per subdomain next to basic authentication.
This allows access to subdomains only from specific IPs or ranges (like Nginx Proxy Manager).
Is your feature request related to a problem? Please describe.
Currently, the only way to force SSL with simple UI config is globally via the front page. Some of my proxied connections do not require SSL while others do.
Describe the solution you'd like
I'd like the ability to set, for any individual proxy rule, forced SSL unique to that rule alone. For example, sub.domain.com needs HTTPS, but sub2.domain.com doesn't.
Describe alternatives you've considered
NginxProxyManager, a solution many are likely hoping to switch away from (myself included), has fully custom SSL per-rule like so:
Technically, there isn't anything stopping me from using wildcards or getting a cert for each domain I want to proxy, but some applications can have issues when HTTPS/SSL is introduced unexpectedly.
Is your feature request related to a problem? Please describe.
When doing a security scan of my environment, I received the warning that TLS 1.0 and 1.1 are still available on port 443:
Describe the solution you'd like
There should be a way to disable the use of such old and deprecated versions of TLS.
Describe the bug
I can see that with the latest update, CPU usage has increased dramatically, and it stays at this level almost constantly. Restarting the container does not help.
To Reproduce
I've installed Zoraxy in a Proxmox LXC container. In the screenshot below you can see the container configuration.
Expected behavior
CPU usage previously was close to being idle.
Host Environment (please complete the following information):
Is your feature request related to a problem? Please describe.
To save having to re-upload the public / private keys every 3 months it would be great if auto renewal could be built in.
Personally I'd need DNS validation for Cloudflare.
Is your feature request related to a problem? Please describe.
I would like to use basic authentication for some of my dockers like Sonarr and Radarr, but I need the subfolder /api to be open.
Describe the solution you'd like
An option to disable basic authentication for subfolders
Is your feature request related to a problem? Please describe.
N/A
Describe the solution you'd like
It would be great to be able to set custom headers on a proxy.
Describe alternatives you've considered
Something similar to Nginx Proxy Manager's custom config (I know this isn't based on NGINX, but it would be great to have something to add headers)
Additional context
N/A
When running in Docker, the proxy destination will never be localhost, but rather a destination inside the local network.
When adding a destination, where the proxy address has self-signed SSL enabled, like so:
and the certificate is only valid for localhost:
is there any way to skip the validation of the local certificate in Zoraxy?
Whenever I try to configure a proxy host this way, I get the following error in my browser:
The log of Zoraxy gives me the following error:
Any help with this issue would be greatly appreciated!
Describe the bug
Uptime false down when internal URL is SSL with no certificate
To Reproduce
Steps to reproduce the behavior:
Create a subdomain to an internal service that is being served over SSL but does not have a certificate applied.
https://192.168.1.4.443 for example
Have a valid SSL certificate uploaded to Zoraxy
Uptime will never report that service as up.
Expected behavior
Service should report as up.
First: Thanks for this great program!
I am testing Zoraxy inside LXC and I would like to know if there is any detached mode? At the moment I use screen to detach the Zoraxy output. I cannot leave the CLI open the whole time.
It would be cool to start zoraxy with a "-d" argument in the background.
Then I would like to know if there are any logs?
Is your feature request related to a problem? Please describe.
No, it is a direct feature request. I don't use Zerotier, I use Tailscale as it supports SSO on the free tier.
Describe the solution you'd like
The ability to use Tailscale as a GAN option.
Describe alternatives you've considered
Wireguard is another option, or IPSec would be nice too. (raw configuration vs. using a specific service)
Additional context
https://tailscale.com/
Is your feature request related to a problem? Please describe.
It isn't really a problem but for some like me, it probably is.
Describe the solution you'd like
A functional wiki. I am new to networking systems like this and I want to use your system, but with no how-to for starting the system, it is incredibly hard to figure out.
Describe alternatives you've considered
Researching how to use reverse proxy systems but everything is either Apache or NGINX and those don't really apply to this system.
Additional context
I am fine with helping write a how-to for this system because it really is amazing, I just need someone to oversee or someone to instruct on how the system is used and how to set it up past sudo ./zoraxy -port=:8000.
I just saw news about a new version, but how do I upgrade?
sudo systemctl stop zoraxy
git pull
But I am not familiar with Go syntax. Do I need to run go mod tidy and go build? Or is go build enough?
After the update the zoraxy service can be started again with:
sudo systemctl start zoraxy
It would be useful to see which version is used on the status page or in the headline. "Zoraxy v2.6.1" or similar.
Maybe you can build an integrated updater
Describe the bug
If I try to stop Zoraxy by pressing "Stop Service" it does not stop the service and says "Context deadline exceeded". I then need to stop Zoraxy via the CLI.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Stopping the service
Additional context
This only happens on my VPS. On my home server, everything is normal.
Is your feature request related to a problem? Please describe.
Only able to include a single subdomain when creating a proxy rule. When having an external and internal domain, users have to create duplicate rules to account for both domains.
Describe the solution you'd like
Allow for multiple subdomains to be included when creating a proxy rule. These can be comma- or semicolon-separated in the Subdomain entry.
Describe the bug
I would like to bring to your attention that Zoraxy is being misidentified as malware by various antivirus software.
Here is the virus scanning report.
https://www.virustotal.com/gui/file/3cb5a6b1434ab31b841dceb81f432d6654e04e7a416f0550179311f30d2dbaac
Host Environment (please complete the following information):