serve.zone/dcrouter
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: refresh readme and legal info

Browse Source
This commit is contained in:
Jürgen Kunz
2026-05-07 20:22:12 +00:00
parent 5fbe2eb80b
commit 7bb6559748
6 changed files with 287 additions and 243 deletions
Download Patch File Download Diff File Expand all files Collapse all files
readme.md
+106 -126
View File
@@ -1,34 +1,38 @@
# @serve.zone/dcrouter
![dcrouter banner](https://code.foss.global/serve.zone/docs/raw/branch/main/dcrouter.png)
`dcrouter` is a TypeScript control plane for running a serious multi-protocol edge or datacenter gateway from one process. It wires together SmartProxy for HTTP/HTTPS/TCP routing, smartmta for email, smartdns for authoritative DNS and DNS-over-HTTPS, smartradius, smartvpn, remote ingress tunnels, a TypedRequest API, and the Ops dashboard.
Use it when you want one place to define routes, manage domains and certificates, protect internal services, automate changes over an API, and operate the whole stack from a browser.
`dcrouter` is the serve.zone datacenter gateway runtime: a TypeScript control plane that brings HTTP/HTTPS/TCP routing, email ingress, authoritative DNS, RADIUS, VPN access control, remote ingress tunnels, certificate operations, metrics, and an Ops dashboard into one process.
## Issue Reporting and Security
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## Why It Works
## Why It Exists
- 🌐 One runtime for HTTP/HTTPS/TCP, SMTP, authoritative DNS + DoH, RADIUS, VPN, and remote ingress.
- 🧠 Constructor config becomes system-managed routes, while API-created routes stay editable and clearly separated.
- 🔐 Certificates, DNS providers, domains, records, API tokens, access profiles, and protected routes live in one management plane.
- 🖥️ The OpsServer UI and TypedRequest API are first-class parts of the package, not an afterthought.
- ⚡ Qualifying HTTPS forward routes on port `443` get HTTP/3 augmentation by default unless you opt out.
Modern infrastructure often has too many tiny edge tools: a proxy here, a DNS daemon there, a separate cert worker, another dashboard, and a tunnel process bolted on later. `dcrouter` is designed as a cohesive gateway layer for operators who want one audited place to define public routes, domains, edge tunnels, access policy, and operational state.
## What You Get
Highlights:
| Area | What dcrouter does |
- 🌐 SmartProxy-backed HTTP, HTTPS, TCP, TLS/SNI, and optional HTTP/3 route handling
- 📬 SmartMTA-backed SMTP ingress and email-domain operations
- 🧭 SmartDNS-backed authoritative DNS plus generated DNS-over-HTTPS routes
- 🔐 ACME, certificate state, API tokens, users, source profiles, target profiles, and security policies
- 🛡️ RADIUS, VLAN assignment, VPN-protected routes, and remote ingress firewall snapshots
- 🖥️ Browser Ops dashboard and TypedRequest API served by the built-in OpsServer
## Runtime Areas
| Area | What dcrouter manages |
| --- | --- |
| HTTP / HTTPS / TCP | SmartProxy-based reverse proxying, TLS termination or passthrough, path/domain/port matching, TCP/SNI forwarding |
| Email | SMTP ingress and delivery via `UnifiedEmailServer`, route-based mail actions, email-domain management, queue and resend operations |
| DNS | Authoritative zones, nameserver bootstrap records, DNS-over-HTTPS routes on `/dns-query` and `/resolve`, provider-backed domain management |
| Access and Edge | VPN-gated routes, RADIUS auth/accounting, remote ingress edge registrations and tunnel hub support |
| Operations | Browser dashboard, TypedRequest API, route management, tokens, certificates, logs, metrics, and health views |
| Proxying | SmartProxy routes for HTTP, HTTPS, TCP, SNI, TLS termination, passthrough, and backend forwarding |
| Route ownership | Constructor routes, generated email/DNS routes, and API-created routes with explicit origins |
| DNS | Authoritative scopes, generated NS records, static DNS records, provider-backed domains, and DoH endpoints |
| Email | UnifiedEmailServer startup, email-domain management, route-backed delivery actions, received mail operations |
| Certificates | ACME config, stored certificate metadata, provisioning backoff, and certificate status reporting |
| Edge access | Remote ingress hub, edge registrations, derived edge ports, pushed firewall rules, VPN-only route access |
| Network auth | RADIUS clients, MAC Authentication Bypass, VLAN mapping, and accounting sessions |
| Operations | Dashboard views, TypedRequest handlers, metrics, logs, health, API tokens, users, and configuration views |
## Installation
## Install
```bash
pnpm add @serve.zone/dcrouter
@@ -36,7 +40,7 @@ pnpm add @serve.zone/dcrouter
## Quick Start
This example stays on unprivileged ports so you can run it locally without root.
This starts the gateway on unprivileged ports and stores data under the default `~/.serve.zone/dcrouter` base directory.
```typescript
import { DcRouter } from '@serve.zone/dcrouter';
@@ -69,86 +73,77 @@ await router.start();
After startup:
- open the dashboard at `http://localhost:3000`
- log in with the current built-in credentials `admin` / `admin`
- log in with the current built-in development credentials `admin` / `admin`
- send proxied traffic to `http://localhost:18080`
- stop gracefully with `await router.stop()`
## Route Ownership Model
## Configuration Model
dcrouter keeps route ownership explicit so automation does not accidentally stomp on system-generated traffic.
| Route origin | Where it comes from | What you can do |
| --- | --- | --- |
| `config` | Constructor `smartProxyConfig.routes` and related seed config | View and toggle |
| `email` | Email listener and mail-routing derived routes | View and toggle |
| `dns` | Generated DoH and DNS-related routes | View and toggle |
| `api` | Created through the Ops UI or API client | Full CRUD |
Important details:
- system routes are persisted with stable `systemKey` values
- DNS-over-HTTPS routes are persisted and then hydrated with live socket handlers at runtime
- editing and deletion are reserved for `api` routes; system routes are toggle-only by design
## Configuration Cheat Sheet
The main entrypoint is `IDcRouterOptions`.
`DcRouter` is configured with `IDcRouterOptions` from `@serve.zone/dcrouter`.
| Option | Purpose |
| --- | --- |
| `smartProxyConfig` | Main HTTP/HTTPS and TCP/SNI routing config |
| `emailConfig` | Email hostname, ports, domains, and mail routing rules |
| `emailPortConfig` | External-to-internal email port remapping and received-email storage path |
| `tls` | ACME contact and static certificate paths |
| `dnsNsDomains` | Nameserver hostnames used for NS bootstrap and DoH route generation |
| `dnsScopes` | Domains served authoritatively by the embedded DNS server |
| `dnsRecords` | Static constructor-defined DNS records |
| `publicIp` / `proxyIps` | How A records are exposed for nameserver and service records |
| `dbConfig` | Embedded LocalSmartDb or external MongoDB-backed persistence |
| `radiusConfig` | RADIUS auth, VLAN assignment, and accounting |
| `remoteIngressConfig` | Remote ingress hub and edge tunnel setup |
| `vpnConfig` | VPN server and client definitions for protected route access |
| `http3` | Global HTTP/3 behavior for qualifying HTTPS routes |
| `opsServerPort` | Ops dashboard and TypedRequest API port |
| `baseDir` | Root directory for dcrouter runtime data. Defaults to `~/.serve.zone/dcrouter`. |
| `smartProxyConfig` | Main SmartProxy route configuration for HTTP/HTTPS/TCP/SNI traffic. |
| `emailConfig` | UnifiedEmailServer configuration: hostname, ports, domains, and mail routes. |
| `emailPortConfig` | External-to-internal email port mapping and received-email storage path. |
| `tls` | Legacy/static TLS and ACME contact settings used to seed certificate config. |
| `dnsNsDomains` | Nameserver hostnames used for generated NS records and DoH routes. |
| `dnsScopes` | Authoritative domains served by the embedded DNS server. |
| `dnsRecords` | Constructor-defined DNS records. |
| `publicIp` / `proxyIps` | IPs used for generated A records and proxy-aware DNS exposure. |
| `dbConfig` | Smartdata persistence via embedded LocalSmartDb or external MongoDB. |
| `radiusConfig` | RADIUS authentication, accounting, and VLAN assignment. |
| `remoteIngressConfig` | Remote ingress hub configuration for edge tunnel nodes. |
| `vpnConfig` | VPN server/client definitions and VPN-only routing behavior. |
| `http3` | HTTP/3 augmentation settings for qualifying HTTPS routes. |
| `opsServerPort` | Port for the Ops dashboard and `/typedrequest` API. Defaults to `3000`. |
## Important Behavior
Important runtime behavior:
- `dbConfig.enabled` defaults to `true`. If you do not provide `mongoDbUrl`, dcrouter starts an embedded local database automatically.
- If you disable the DB, constructor-driven traffic can still run, but DB-backed features such as persistent routes, tokens, ACME config, and managed domains do not start.
- Qualifying HTTPS forward routes on port `443` get HTTP/3 by default unless `http3.enabled === false` or the route opts out.
- DNS-over-HTTPS endpoints are generated on the first entry of `dnsNsDomains` at `/dns-query` and `/resolve`.
- Email listener ports are internally remapped by default, so common external ports such as `25`, `587`, and `465` end up on internal ports like `10025`, `10587`, and `10465`.
- Provider-backed domains can be managed in the Ops plane without being served by the embedded authoritative DNS server.
- `dbConfig.enabled` defaults to enabled. Without `mongoDbUrl`, dcrouter uses embedded LocalSmartDb.
- If the DB is disabled, constructor-defined proxy traffic can still run, but persistent API routes, tokens, managed domains, and stored certificate state are unavailable.
- Qualifying HTTPS forward routes on port `443` are HTTP/3-augmented unless `http3.enabled === false` or the route opts out.
- DNS-over-HTTPS routes are generated on the first `dnsNsDomains` entry at `/dns-query` and `/resolve`.
- Email listener ports can be remapped internally, for example public `25`, `587`, and `465` to unprivileged internal ports.
## Bigger Example
## Route Ownership
dcrouter keeps generated and operator-created routes separate so automation can reconcile safely.
| Origin | Source | Mutability |
| --- | --- | --- |
| `config` | Constructor `smartProxyConfig.routes` and seed data | Toggle only |
| `email` | Email listener and email-domain generated routes | Toggle only |
| `dns` | Generated DNS-over-HTTPS and DNS-related routes | Toggle only |
| `api` | Ops UI or API client | Full CRUD |
System routes are persisted with stable `systemKey` values. API-created routes are the editable route layer intended for operators and automation.
## Production-Flavored Example
```typescript
import { DcRouter } from '@serve.zone/dcrouter';
const router = new DcRouter({
baseDir: '/var/lib/dcrouter',
smartProxyConfig: {
routes: [
{
name: 'web-app',
match: {
domains: ['app.example.com'],
ports: [443],
},
match: { domains: ['app.example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '127.0.0.1', port: 8080 }],
targets: [{ host: '10.10.0.21', port: 8080 }],
tls: { mode: 'terminate', certificate: 'auto' },
},
},
{
name: 'internal-admin',
match: {
domains: ['internal.example.com'],
ports: [443],
},
match: { domains: ['admin.example.com'], ports: [443] },
action: {
type: 'forward',
targets: [{ host: '127.0.0.1', port: 9090 }],
targets: [{ host: '10.10.0.30', port: 9000 }],
tls: { mode: 'terminate', certificate: 'auto' },
},
vpnOnly: true,
@@ -158,15 +153,10 @@ const router = new DcRouter({
emailConfig: {
hostname: 'mail.example.com',
ports: [25, 587, 465],
domains: [
{
domain: 'example.com',
dnsMode: 'internal-dns',
},
],
domains: [{ domain: 'example.com', dnsMode: 'internal-dns' }],
routes: [
{
name: 'inbound-mail',
name: 'inbound-example',
match: { recipients: '*@example.com' },
action: {
type: 'forward',
@@ -178,18 +168,15 @@ const router = new DcRouter({
dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
dnsScopes: ['example.com'],
publicIp: '203.0.113.10',
remoteIngressConfig: {
enabled: true,
tunnelPort: 8443,
hubDomain: 'ingress.example.com',
},
vpnConfig: {
enabled: true,
serverEndpoint: 'vpn.example.com',
clients: [
{
clientId: 'ops-laptop',
description: 'Operations laptop',
},
],
},
dbConfig: {
enabled: true,
clients: [{ clientId: 'ops-laptop', description: 'Operations laptop' }],
},
opsServerPort: 3000,
});
@@ -197,15 +184,9 @@ const router = new DcRouter({
await router.start();
```
## Automation
## Automation API
dcrouter gives you three good integration layers:
- the browser dashboard served by `OpsServer`
- raw TypedRequest contracts via `@serve.zone/dcrouter/interfaces`
- a higher-level OO API client via `@serve.zone/dcrouter/apiclient` or `@serve.zone/dcrouter-apiclient`
### OO API Client Example
The OpsServer exposes TypedRequest handlers at `/typedrequest`. You can use raw contracts or the object-oriented API client.
```bash
pnpm add @serve.zone/dcrouter-apiclient
@@ -220,24 +201,20 @@ const client = new DcRouterApiClient({
await client.login('admin', 'admin');
const { routes } = await client.routes.list();
await client.routes.build()
const route = await client.routes.build()
.setName('api-gateway')
.setMatch({ ports: 443, domains: ['api.example.com'] })
.setAction({ type: 'forward', targets: [{ host: '127.0.0.1', port: 8081 }] })
.save();
if (routes[0] && routes[0].origin !== 'api') {
await routes[0].toggle(false);
}
await route.toggle(true);
```
See `./ts_apiclient/readme.md` for the dedicated client package and `./ts_interfaces/readme.md` for the raw contracts.
Use `@serve.zone/dcrouter/interfaces` or `@serve.zone/dcrouter-interfaces` when you want the raw TypedRequest contracts instead of resource managers.
## OCI / Container Bootstrap
The package also includes an environment-driven bootstrap used by `runCli()` when `DCROUTER_MODE=OCI_CONTAINER`.
`runCli()` supports an environment-driven container mode when `DCROUTER_MODE=OCI_CONTAINER`.
```typescript
import { runCli } from '@serve.zone/dcrouter';
@@ -245,49 +222,52 @@ import { runCli } from '@serve.zone/dcrouter';
await runCli();
```
Useful environment variables include:
Supported environment overrides include:
- `DCROUTER_CONFIG_PATH`
- `DCROUTER_BASE_DIR`
- `DCROUTER_TLS_EMAIL`
- `DCROUTER_TLS_DOMAIN`
- `DCROUTER_PUBLIC_IP`
- `DCROUTER_PROXY_IPS`
- `DCROUTER_DNS_NS_DOMAINS`
- `DCROUTER_DNS_SCOPES`
- `DCROUTER_EMAIL_HOSTNAME`
- `DCROUTER_EMAIL_PORTS`
| Variable | Purpose |
| --- | --- |
| `DCROUTER_CONFIG_PATH` | JSON file loaded as the base `IDcRouterOptions` object. |
| `DCROUTER_BASE_DIR` | Runtime data root. |
| `DCROUTER_TLS_EMAIL` / `DCROUTER_TLS_DOMAIN` | TLS/ACME seed settings. |
| `DCROUTER_PUBLIC_IP` / `DCROUTER_PROXY_IPS` | Public/proxy IP exposure settings. |
| `DCROUTER_DNS_NS_DOMAINS` / `DCROUTER_DNS_SCOPES` | DNS nameserver and authoritative scope settings. |
| `DCROUTER_EMAIL_HOSTNAME` / `DCROUTER_EMAIL_PORTS` | Email server seed settings. |
| `DCROUTER_CACHE_ENABLED` | Enables or disables DB-backed persistence. |
| `DCROUTER_MAX_CONNECTIONS`, `DCROUTER_MAX_CONNECTIONS_PER_IP`, `DCROUTER_CONNECTION_RATE_LIMIT` | SmartProxy capacity and rate-limit overrides. |
## Published Modules
This repository ships several module boundaries from one codebase.
This repository intentionally publishes multiple module boundaries from one codebase.
| Module | Purpose | Docs |
| --- | --- | --- |
| `@serve.zone/dcrouter` | Main runtime and orchestrator | `./readme.md` |
| `@serve.zone/dcrouter/interfaces` | Shared request and data contracts as a subpath export | `./ts_interfaces/readme.md` |
| `@serve.zone/dcrouter/apiclient` | OO API client as a subpath export | `./ts_apiclient/readme.md` |
| `@serve.zone/dcrouter-interfaces` | Standalone interfaces package | `./ts_interfaces/readme.md` |
| `@serve.zone/dcrouter/interfaces` | Shared contracts as a subpath export | `./ts_interfaces/readme.md` |
| `@serve.zone/dcrouter/apiclient` | API client as a subpath export | `./ts_apiclient/readme.md` |
| `@serve.zone/dcrouter-interfaces` | Standalone contracts package | `./ts_interfaces/readme.md` |
| `@serve.zone/dcrouter-apiclient` | Standalone OO API client package | `./ts_apiclient/readme.md` |
| `@serve.zone/dcrouter-migrations` | Standalone migration runner package | `./ts_migrations/readme.md` |
| `@serve.zone/dcrouter-web` | Standalone web dashboard package boundary | `./ts_web/readme.md` |
| `@serve.zone/dcrouter-web` | Dashboard frontend module boundary | `./ts_web/readme.md` |
## Development
```bash
pnpm run build
pnpm test
pnpm run watch
```
Target a single test while working on one area:
Useful source entry points:
```bash
tstest test/test.apiclient.ts --verbose
```
- `ts/index.ts` exports `DcRouter`, `runCli()`, and public module surfaces.
- `ts/classes.dcrouter.ts` owns service startup, dependency ordering, and `IDcRouterOptions`.
- `ts/opsserver/classes.opsserver.ts` wires the dashboard server and TypedRequest handlers.
- `ts/remoteingress/` integrates `@serve.zone/remoteingress` with stored edge registrations.
- `ts_migrations/index.ts` contains all DB schema migration steps.
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./license) file.
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](./license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
@@ -299,7 +279,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
### Company Information
Task Venture Capital GmbH
Task Venture Capital GmbH
Registered at District Court Bremen HRB 35230 HB, Germany
For any legal inquiries or further information, please contact us via email at hello@task.vc.