dcrouter/readme.md

@serve.zone/dcrouter

dcrouter is a TypeScript control plane for running a serious multi-protocol edge or datacenter gateway from one process. It wires together SmartProxy for HTTP/HTTPS/TCP routing, smartmta for email, smartdns for authoritative DNS and DNS-over-HTTPS, smartradius, smartvpn, remote ingress tunnels, a TypedRequest API, and the Ops dashboard.

Use it when you want one place to define routes, manage domains and certificates, protect internal services, automate changes over an API, and operate the whole stack from a browser.

Issue Reporting and Security

For reporting bugs, issues, or security vulnerabilities, please visit community.foss.global/. This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a code.foss.global/ account to submit Pull Requests directly.

Why It Works

• 🌐 One runtime for HTTP/HTTPS/TCP, SMTP, authoritative DNS + DoH, RADIUS, VPN, and remote ingress.
• 🧠 Constructor config becomes system-managed routes, while API-created routes stay editable and clearly separated.
• 🔐 Certificates, DNS providers, domains, records, API tokens, access profiles, and protected routes live in one management plane.
• 🖥️ The OpsServer UI and TypedRequest API are first-class parts of the package, not an afterthought.
• ⚡ Qualifying HTTPS forward routes on port 443 get HTTP/3 augmentation by default unless you opt out.

What You Get

Area	What dcrouter does
HTTP / HTTPS / TCP	SmartProxy-based reverse proxying, TLS termination or passthrough, path/domain/port matching, TCP/SNI forwarding
Email	SMTP ingress and delivery via UnifiedEmailServer, route-based mail actions, email-domain management, queue and resend operations
DNS	Authoritative zones, nameserver bootstrap records, DNS-over-HTTPS routes on /dns-query and /resolve, provider-backed domain management
Access and Edge	VPN-gated routes, RADIUS auth/accounting, remote ingress edge registrations and tunnel hub support
Operations	Browser dashboard, TypedRequest API, route management, tokens, certificates, logs, metrics, and health views

Installation

pnpm add @serve.zone/dcrouter

Quick Start

This example stays on unprivileged ports so you can run it locally without root.

import { DcRouter } from '@serve.zone/dcrouter';

const router = new DcRouter({
  smartProxyConfig: {
    routes: [
      {
        name: 'local-app',
        match: {
          domains: ['localhost'],
          ports: [18080],
        },
        action: {
          type: 'forward',
          targets: [{ host: '127.0.0.1', port: 3001 }],
        },
      },
    ],
  },
  dbConfig: {
    enabled: true,
  },
  opsServerPort: 3000,
});

await router.start();

After startup:

• open the dashboard at http://localhost:3000
• log in with the current built-in credentials admin / admin
• send proxied traffic to http://localhost:18080
• stop gracefully with await router.stop()

Route Ownership Model

dcrouter keeps route ownership explicit so automation does not accidentally stomp on system-generated traffic.

Route origin	Where it comes from	What you can do
config	Constructor smartProxyConfig.routes and related seed config	View and toggle
email	Email listener and mail-routing derived routes	View and toggle
dns	Generated DoH and DNS-related routes	View and toggle
api	Created through the Ops UI or API client	Full CRUD

Important details:

• system routes are persisted with stable systemKey values
• DNS-over-HTTPS routes are persisted and then hydrated with live socket handlers at runtime
• editing and deletion are reserved for api routes; system routes are toggle-only by design

Configuration Cheat Sheet

The main entrypoint is IDcRouterOptions.

Option	Purpose
smartProxyConfig	Main HTTP/HTTPS and TCP/SNI routing config
emailConfig	Email hostname, ports, domains, and mail routing rules
emailPortConfig	External-to-internal email port remapping and received-email storage path
tls	ACME contact and static certificate paths
dnsNsDomains	Nameserver hostnames used for NS bootstrap and DoH route generation
dnsScopes	Domains served authoritatively by the embedded DNS server
dnsRecords	Static constructor-defined DNS records
publicIp / proxyIps	How A records are exposed for nameserver and service records
dbConfig	Embedded LocalSmartDb or external MongoDB-backed persistence
radiusConfig	RADIUS auth, VLAN assignment, and accounting
remoteIngressConfig	Remote ingress hub and edge tunnel setup
vpnConfig	VPN server and client definitions for protected route access
http3	Global HTTP/3 behavior for qualifying HTTPS routes
opsServerPort	Ops dashboard and TypedRequest API port

Important Behavior

• dbConfig.enabled defaults to true. If you do not provide mongoDbUrl, dcrouter starts an embedded local database automatically.
• If you disable the DB, constructor-driven traffic can still run, but DB-backed features such as persistent routes, tokens, ACME config, and managed domains do not start.
• Qualifying HTTPS forward routes on port 443 get HTTP/3 by default unless http3.enabled === false or the route opts out.
• DNS-over-HTTPS endpoints are generated on the first entry of dnsNsDomains at /dns-query and /resolve.
• Email listener ports are internally remapped by default, so common external ports such as 25, 587, and 465 end up on internal ports like 10025, 10587, and 10465.
• Provider-backed domains can be managed in the Ops plane without being served by the embedded authoritative DNS server.

Bigger Example

import { DcRouter } from '@serve.zone/dcrouter';

const router = new DcRouter({
  smartProxyConfig: {
    routes: [
      {
        name: 'web-app',
        match: {
          domains: ['app.example.com'],
          ports: [443],
        },
        action: {
          type: 'forward',
          targets: [{ host: '127.0.0.1', port: 8080 }],
          tls: { mode: 'terminate', certificate: 'auto' },
        },
      },
      {
        name: 'internal-admin',
        match: {
          domains: ['internal.example.com'],
          ports: [443],
        },
        action: {
          type: 'forward',
          targets: [{ host: '127.0.0.1', port: 9090 }],
          tls: { mode: 'terminate', certificate: 'auto' },
        },
        vpnOnly: true,
      },
    ],
  },
  emailConfig: {
    hostname: 'mail.example.com',
    ports: [25, 587, 465],
    domains: [
      {
        domain: 'example.com',
        dnsMode: 'internal-dns',
      },
    ],
    routes: [
      {
        name: 'inbound-mail',
        match: { recipients: '*@example.com' },
        action: {
          type: 'forward',
          forward: { host: 'mail-backend.example.com', port: 25 },
        },
      },
    ],
  },
  dnsNsDomains: ['ns1.example.com', 'ns2.example.com'],
  dnsScopes: ['example.com'],
  publicIp: '203.0.113.10',
  vpnConfig: {
    enabled: true,
    serverEndpoint: 'vpn.example.com',
    clients: [
      {
        clientId: 'ops-laptop',
        description: 'Operations laptop',
      },
    ],
  },
  dbConfig: {
    enabled: true,
  },
  opsServerPort: 3000,
});

await router.start();

Automation

dcrouter gives you three good integration layers:

• the browser dashboard served by OpsServer
• raw TypedRequest contracts via @serve.zone/dcrouter/interfaces
• a higher-level OO API client via @serve.zone/dcrouter/apiclient or @serve.zone/dcrouter-apiclient

OO API Client Example

pnpm add @serve.zone/dcrouter-apiclient

import { DcRouterApiClient } from '@serve.zone/dcrouter-apiclient';

const client = new DcRouterApiClient({
  baseUrl: 'https://dcrouter.example.com',
});

await client.login('admin', 'admin');

const { routes } = await client.routes.list();

await client.routes.build()
  .setName('api-gateway')
  .setMatch({ ports: 443, domains: ['api.example.com'] })
  .setAction({ type: 'forward', targets: [{ host: '127.0.0.1', port: 8081 }] })
  .save();

if (routes[0] && routes[0].origin !== 'api') {
  await routes[0].toggle(false);
}

See ./ts_apiclient/readme.md for the dedicated client package and ./ts_interfaces/readme.md for the raw contracts.

OCI / Container Bootstrap

The package also includes an environment-driven bootstrap used by runCli() when DCROUTER_MODE=OCI_CONTAINER.

import { runCli } from '@serve.zone/dcrouter';

await runCli();

Useful environment variables include:

• DCROUTER_CONFIG_PATH
• DCROUTER_BASE_DIR
• DCROUTER_TLS_EMAIL
• DCROUTER_TLS_DOMAIN
• DCROUTER_PUBLIC_IP
• DCROUTER_PROXY_IPS
• DCROUTER_DNS_NS_DOMAINS
• DCROUTER_DNS_SCOPES
• DCROUTER_EMAIL_HOSTNAME
• DCROUTER_EMAIL_PORTS

Published Modules

This repository ships several module boundaries from one codebase.

Module	Purpose	Docs
@serve.zone/dcrouter	Main runtime and orchestrator	./readme.md
@serve.zone/dcrouter/interfaces	Shared request and data contracts as a subpath export	./ts_interfaces/readme.md
@serve.zone/dcrouter/apiclient	OO API client as a subpath export	./ts_apiclient/readme.md
@serve.zone/dcrouter-interfaces	Standalone interfaces package	./ts_interfaces/readme.md
@serve.zone/dcrouter-apiclient	Standalone OO API client package	./ts_apiclient/readme.md
@serve.zone/dcrouter-migrations	Standalone migration runner package	./ts_migrations/readme.md
@serve.zone/dcrouter-web	Standalone web dashboard package boundary	./ts_web/readme.md

Development

pnpm run build
pnpm test

Target a single test while working on one area:

tstest test/test.apiclient.ts --verbose

License and Legal Information

This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the LICENSE file.

Please note: The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.

Trademarks

This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.

Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.

Company Information

Task Venture Capital GmbH
Registered at District Court Bremen HRB 35230 HB, Germany

For any legal inquiries or further information, please contact us via email at hello@task.vc.

By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.