@serve.zone/dcrouter

dcrouter is the serve.zone datacenter gateway runtime: a TypeScript control plane that brings HTTP/HTTPS/TCP routing, email ingress, authoritative DNS, RADIUS, VPN access control, remote ingress tunnels, certificate operations, metrics, and an Ops dashboard into one process.

Issue Reporting and Security

For reporting bugs, issues, or security vulnerabilities, please visit community.foss.global/. This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a code.foss.global/ account to submit Pull Requests directly.

Why It Exists

Modern infrastructure often has too many tiny edge tools: a proxy here, a DNS daemon there, a separate cert worker, another dashboard, and a tunnel process bolted on later. dcrouter is designed as a cohesive gateway layer for operators who want one audited place to define public routes, domains, edge tunnels, access policy, and operational state.

Highlights:

• 🌐 SmartProxy-backed HTTP, HTTPS, TCP, TLS/SNI, and optional HTTP/3 route handling
• 📬 SmartMTA-backed SMTP ingress and email-domain operations
• 🧭 SmartDNS-backed authoritative DNS plus generated DNS-over-HTTPS routes
• 🔐 ACME, certificate state, API tokens, users, source profiles, target profiles, and security policies
• 🛡️ RADIUS, VLAN assignment, VPN-protected routes, and remote ingress firewall snapshots
• 🖥️ Browser Ops dashboard and TypedRequest API served by the built-in OpsServer

Runtime Areas

Area	What dcrouter manages
Proxying	SmartProxy routes for HTTP, HTTPS, TCP, SNI, TLS termination, passthrough, and backend forwarding
Route ownership	Constructor routes, generated email/DNS routes, and API-created routes with explicit origins
DNS	Authoritative scopes, generated NS records, static DNS records, provider-backed domains, and DoH endpoints
Email	UnifiedEmailServer startup, email-domain management, route-backed delivery actions, received mail operations
Certificates	ACME config, stored certificate metadata, provisioning backoff, and certificate status reporting
Edge access	Remote ingress hub, edge registrations, derived edge ports, pushed firewall rules, VPN-only route access
Network auth	RADIUS clients, MAC Authentication Bypass, VLAN mapping, and accounting sessions
Operations	Dashboard views, TypedRequest handlers, metrics, logs, health, API tokens, users, and configuration views

Install

pnpm add @serve.zone/dcrouter

Quick Start

This starts the gateway on unprivileged ports and stores data under the default ~/.serve.zone/dcrouter base directory.

import { DcRouter } from '@serve.zone/dcrouter';

const router = new DcRouter({
  smartProxyConfig: {
    routes: [
      {
        name: 'local-app',
        match: {
          domains: ['localhost'],
          ports: [18080],
        },
        action: {
          type: 'forward',
          targets: [{ host: '127.0.0.1', port: 3001 }],
        },
      },
    ],
  },
  dbConfig: {
    enabled: true,
  },
  opsServerPort: 3000,
});

await router.start();

After startup:

• open the dashboard at http://localhost:3000
• log in with the current built-in development credentials admin / admin
• send proxied traffic to http://localhost:18080
• stop gracefully with await router.stop()

Configuration Model

DcRouter is configured with IDcRouterOptions from @serve.zone/dcrouter.

Option	Purpose
baseDir	Root directory for dcrouter runtime data. Defaults to ~/.serve.zone/dcrouter.
smartProxyConfig	Main SmartProxy route configuration for HTTP/HTTPS/TCP/SNI traffic.
emailConfig	UnifiedEmailServer configuration: hostname, ports, domains, and mail routes.
emailPortConfig	External-to-internal email port mapping and received-email storage path.
tls	Legacy/static TLS and ACME contact settings used to seed certificate config.
dnsNsDomains	Nameserver hostnames used for generated NS records and DoH routes.
dnsScopes	Authoritative domains served by the embedded DNS server.
dnsRecords	Constructor-defined DNS records.
publicIp / proxyIps	IPs used for generated A records and proxy-aware DNS exposure.
dbConfig	Smartdata persistence via embedded LocalSmartDb or external MongoDB.
radiusConfig	RADIUS authentication, accounting, and VLAN assignment.
remoteIngressConfig	Remote ingress hub configuration for edge tunnel nodes.
vpnConfig	VPN server/client definitions and VPN-only routing behavior.
http3	HTTP/3 augmentation settings for qualifying HTTPS routes.
opsServerPort	Port for the Ops dashboard and /typedrequest API. Defaults to 3000.

Important runtime behavior:

• dbConfig.enabled defaults to enabled. Without mongoDbUrl, dcrouter uses embedded LocalSmartDb.
• If the DB is disabled, constructor-defined proxy traffic can still run, but persistent API routes, tokens, managed domains, and stored certificate state are unavailable.
• Qualifying HTTPS forward routes on port 443 are HTTP/3-augmented unless http3.enabled === false or the route opts out.
• DNS-over-HTTPS routes are generated on the first dnsNsDomains entry at /dns-query and /resolve.
• Email listener ports can be remapped internally, for example public 25, 587, and 465 to unprivileged internal ports.

Route Ownership

dcrouter keeps generated and operator-created routes separate so automation can reconcile safely.

Origin	Source	Mutability
config	Constructor smartProxyConfig.routes and seed data	Toggle only
email	Email listener and email-domain generated routes	Toggle only
dns	Generated DNS-over-HTTPS and DNS-related routes	Toggle only
api	Ops UI or API client	Full CRUD

System routes are persisted with stable systemKey values. API-created routes are the editable route layer intended for operators and automation.

Production-Flavored Example

import { DcRouter } from '@serve.zone/dcrouter';

const router = new DcRouter({
  baseDir: '/var/lib/dcrouter',
  smartProxyConfig: {
    routes: [
      {
        name: 'web-app',
        match: { domains: ['app.example.com'], ports: [443] },
        action: {
          type: 'forward',
          targets: [{ host: '10.10.0.21', port: 8080 }],
          tls: { mode: 'terminate', certificate: 'auto' },
        },
      },
      {
        name: 'internal-admin',
        match: { domains: ['admin.example.com'], ports: [443] },
        action: {
          type: 'forward',
          targets: [{ host: '10.10.0.30', port: 9000 }],
          tls: { mode: 'terminate', certificate: 'auto' },
        },
        vpnOnly: true,
      },
    ],
  },
  emailConfig: {
    hostname: 'mail.example.com',
    ports: [25, 587, 465],
    domains: [{ domain: 'example.com', dnsMode: 'internal-dns' }],
    routes: [
      {
        name: 'inbound-example',
        match: { recipients: '*@example.com' },
        action: {
          type: 'forward',
          forward: { host: 'mail-backend.example.com', port: 25 },
        },
      },
    ],
  },
  dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
  dnsScopes: ['example.com'],
  publicIp: '203.0.113.10',
  remoteIngressConfig: {
    enabled: true,
    tunnelPort: 8443,
    hubDomain: 'ingress.example.com',
  },
  vpnConfig: {
    enabled: true,
    serverEndpoint: 'vpn.example.com',
    clients: [{ clientId: 'ops-laptop', description: 'Operations laptop' }],
  },
  opsServerPort: 3000,
});

await router.start();

Automation API

The OpsServer exposes TypedRequest handlers at /typedrequest. You can use raw contracts or the object-oriented API client.

pnpm add @serve.zone/dcrouter-apiclient

import { DcRouterApiClient } from '@serve.zone/dcrouter-apiclient';

const client = new DcRouterApiClient({
  baseUrl: 'https://dcrouter.example.com',
});

await client.login('admin', 'admin');

const route = await client.routes.build()
  .setName('api-gateway')
  .setMatch({ ports: 443, domains: ['api.example.com'] })
  .setAction({ type: 'forward', targets: [{ host: '127.0.0.1', port: 8081 }] })
  .save();

await route.toggle(true);

Use @serve.zone/dcrouter/interfaces or @serve.zone/dcrouter-interfaces when you want the raw TypedRequest contracts instead of resource managers.

OCI / Container Bootstrap

runCli() supports an environment-driven container mode when DCROUTER_MODE=OCI_CONTAINER.

import { runCli } from '@serve.zone/dcrouter';

await runCli();

Supported environment overrides include:

Variable	Purpose
DCROUTER_CONFIG_PATH	JSON file loaded as the base IDcRouterOptions object.
DCROUTER_BASE_DIR	Runtime data root.
DCROUTER_TLS_EMAIL / DCROUTER_TLS_DOMAIN	TLS/ACME seed settings.
DCROUTER_PUBLIC_IP / DCROUTER_PROXY_IPS	Public/proxy IP exposure settings.
DCROUTER_DNS_NS_DOMAINS / DCROUTER_DNS_SCOPES	DNS nameserver and authoritative scope settings.
DCROUTER_EMAIL_HOSTNAME / DCROUTER_EMAIL_PORTS	Email server seed settings.
DCROUTER_CACHE_ENABLED	Enables or disables DB-backed persistence.
DCROUTER_MAX_CONNECTIONS, DCROUTER_MAX_CONNECTIONS_PER_IP, DCROUTER_CONNECTION_RATE_LIMIT	SmartProxy capacity and rate-limit overrides.

Published Modules

This repository intentionally publishes multiple module boundaries from one codebase.

Module	Purpose	Docs
@serve.zone/dcrouter	Main runtime and orchestrator	./readme.md
@serve.zone/dcrouter/interfaces	Shared contracts as a subpath export	./ts_interfaces/readme.md
@serve.zone/dcrouter/apiclient	API client as a subpath export	./ts_apiclient/readme.md
@serve.zone/dcrouter-interfaces	Standalone contracts package	./ts_interfaces/readme.md
@serve.zone/dcrouter-apiclient	Standalone OO API client package	./ts_apiclient/readme.md
@serve.zone/dcrouter-migrations	Standalone migration runner package	./ts_migrations/readme.md
@serve.zone/dcrouter-web	Dashboard frontend module boundary	./ts_web/readme.md

Development

pnpm run build
pnpm test
pnpm run watch

Useful source entry points:

• ts/index.ts exports DcRouter, runCli(), and public module surfaces.
• ts/classes.dcrouter.ts owns service startup, dependency ordering, and IDcRouterOptions.
• ts/opsserver/classes.opsserver.ts wires the dashboard server and TypedRequest handlers.
• ts/remoteingress/ integrates @serve.zone/remoteingress with stored edge registrations.
• ts_migrations/index.ts contains all DB schema migration steps.

License and Legal Information

This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the license file.

Please note: The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.

Trademarks

This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.

Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.

Company Information

Task Venture Capital GmbH Registered at District Court Bremen HRB 35230 HB, Germany

For any legal inquiries or further information, please contact us via email at hello@task.vc.

By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.