feat: Update documentation for Caddy reverse proxy integration and Docker service configuration
@@ -44,30 +44,40 @@ ts/database/
|
|||||||
|
|
||||||
Migration 8 converted certificate storage from file paths to PEM content.
|
Migration 8 converted certificate storage from file paths to PEM content.
|
||||||
|
|
||||||
## Reverse Proxy (November 2025 - Caddy)
|
## Reverse Proxy (November 2025 - Caddy Docker Service)
|
||||||
|
|
||||||
The reverse proxy now uses **Caddy** for production-grade reverse proxying with native SNI support, HTTP/2, HTTP/3, and WebSocket handling.
|
The reverse proxy uses **Caddy** running as a Docker Swarm service for production-grade reverse proxying with native SNI support, HTTP/2, HTTP/3, and WebSocket handling.
|
||||||
|
|
||||||
**Architecture:**
|
**Architecture:**
|
||||||
- Caddy binary downloaded to `.nogit/caddy` on first run (v2.10.2)
|
- Caddy runs as Docker Swarm service (`onebox-caddy`) on the overlay network
|
||||||
- Caddy process managed by `CaddyManager` class
|
- No binary download required - uses `caddy:2-alpine` Docker image
|
||||||
- Configuration pushed dynamically via Caddy Admin API (port 2019)
|
- Configuration pushed dynamically via Caddy Admin API (port 2019)
|
||||||
- Automatic HTTPS disabled - certificates managed externally via SmartACME
|
- Automatic HTTPS disabled - certificates managed externally via SmartACME
|
||||||
- Zero-downtime configuration updates
|
- Zero-downtime configuration updates
|
||||||
|
- Services reached by Docker service name (e.g., `onebox-hello-world:80`)
|
||||||
|
|
||||||
**Key files:**
|
**Key files:**
|
||||||
- `ts/classes/caddy.ts` - CaddyManager class for binary and Admin API
|
- `ts/classes/caddy.ts` - CaddyManager class for Docker service and Admin API
|
||||||
- `ts/classes/reverseproxy.ts` - Delegates to CaddyManager
|
- `ts/classes/reverseproxy.ts` - Delegates to CaddyManager
|
||||||
|
|
||||||
**Certificate workflow:**
|
**Certificate workflow:**
|
||||||
1. `CertRequirementManager` creates requirements for domains
|
1. `CertRequirementManager` creates requirements for domains
|
||||||
2. Daemon processes requirements via `certmanager.ts`
|
2. Daemon processes requirements via `certmanager.ts`
|
||||||
3. Certificates stored in database (PEM content)
|
3. Certificates stored in database (PEM content)
|
||||||
4. `reverseProxy.addCertificate()` writes PEM files to `.nogit/certs/` and updates Caddy config
|
4. `reverseProxy.addCertificate()` passes PEM content to Caddy via `load_pem` (inline in config)
|
||||||
5. Caddy serves TLS with the loaded certificates
|
5. Caddy serves TLS with the loaded certificates (no volume mounts needed)
|
||||||
|
|
||||||
**Configuration:**
|
**Docker Service Configuration:**
|
||||||
- Dev mode: HTTP on 8080, HTTPS on 8443
|
- Service name: `onebox-caddy`
|
||||||
- Production: HTTP on 80, HTTPS on 443
|
- Image: `caddy:2-alpine`
|
||||||
- Admin API: localhost:2019 (not exposed externally)
|
- Network: `onebox-network` (overlay, attachable)
|
||||||
- Automatic HTTPS disabled to prevent Caddy from binding to default ports
|
- Startup: Writes initial config with `admin.listen: 0.0.0.0:2019` for host access
|
||||||
|
|
||||||
|
**Port Mapping:**
|
||||||
|
- Dev mode: HTTP on 8080, HTTPS on 8443, Admin on 2019
|
||||||
|
- Production: HTTP on 80, HTTPS on 443, Admin on 2019
|
||||||
|
- All ports use `PublishMode: 'host'` for direct binding
|
||||||
|
|
||||||
|
**Log Receiver:**
|
||||||
|
- Caddy sends access logs to `tcp/172.17.0.1:9999` (Docker bridge gateway)
|
||||||
|
- `CaddyLogReceiver` on host receives and processes logs
|
||||||
|
|||||||
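Review bot: publishing the Admin API on 2019 with `PublishMode: 'host'` and starting Caddy with `admin.listen: 0.0.0.0:2019` silently drops the guarantee the old text gave (`Admin API: localhost:2019 (not exposed externally)`). Caddy's admin endpoint carries no authentication of its own, and because certificates now travel inline via `load_pem`, a `GET /config/` against that port returns the private keys together with the routing table, and a `POST /load` replaces the whole proxy config. Swarm host-mode publishing does not let the service choose the host address it binds, so either leave 2019 out of the published ports and talk to the admin endpoint from a container attached to the attachable `onebox-network`, or document the firewall rule that restricts 2019 to loopback, and say so in the `Docker Service Configuration` bullets. Separately, `tcp/172.17.0.1:9999 (Docker bridge gateway)` describes docker0; a Swarm task on an overlay network egresses through `docker_gwbridge`, so the doc should state which host address `CaddyLogReceiver` listens on and note that the receiver accepts unauthenticated lines from any container that can reach that address.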
49
readme.md
@@ -1,8 +1,8 @@
|
|||||||
# @serve.zone/onebox
|
# @serve.zone/onebox
|
||||||
|
|
||||||
> 🚀 Self-hosted Docker Swarm platform with native reverse proxy, automatic SSL, and real-time WebSocket updates
|
> 🚀 Self-hosted Docker Swarm platform with Caddy reverse proxy, automatic SSL, and real-time WebSocket updates
|
||||||
|
|
||||||
**Onebox** transforms any Linux server into a powerful container hosting platform. Deploy Docker Swarm services with automatic HTTPS, DNS configuration, and a native Deno reverse proxy - all managed through a beautiful Angular web interface with real-time updates.
|
**Onebox** transforms any Linux server into a powerful container hosting platform. Deploy Docker Swarm services with automatic HTTPS, DNS configuration, and Caddy reverse proxy running as a Docker service - all managed through a beautiful Angular web interface with real-time updates.
|
||||||
|
|
||||||
## Issue Reporting and Security
|
## Issue Reporting and Security
|
||||||
|
|
||||||
@@ -10,12 +10,12 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
|
|||||||
|
|
||||||
## What Makes Onebox Different? 🎯
|
## What Makes Onebox Different? 🎯
|
||||||
|
|
||||||
- **Native Deno Reverse Proxy** - Built from scratch in Deno (no Nginx required!), featuring HTTP/HTTPS servers with SNI support and bidirectional WebSocket proxying
|
- **Caddy Reverse Proxy in Docker** - Production-grade HTTP/HTTPS proxy running as a Swarm service with native service discovery, HTTP/2, HTTP/3, and bidirectional WebSocket proxying
|
||||||
- **Docker Swarm First** - All workloads run as Swarm services, not standalone containers, for built-in orchestration
|
- **Docker Swarm First** - All workloads (including the reverse proxy!) run as Swarm services on the overlay network for seamless service-to-service communication
|
||||||
- **Real-time Everything** - WebSocket-powered live updates for service status, logs, and metrics across all connected clients
|
- **Real-time Everything** - WebSocket-powered live updates for service status, logs, and metrics across all connected clients
|
||||||
- **Single Executable** - Compiles to a standalone binary - just run it, no dependencies
|
- **Single Executable** - Compiles to a standalone binary - just run it, no dependencies
|
||||||
- **Private Registry Included** - Built-in Docker registry with token-based auth and auto-deploy on push
|
- **Private Registry Included** - Built-in Docker registry with token-based auth and auto-deploy on push
|
||||||
- **Zero Config SSL** - Automatic Let's Encrypt certificates with hot-reload
|
- **Zero Config SSL** - Automatic Let's Encrypt certificates with inline `load_pem` (no volume mounts needed)
|
||||||
- **Cloudflare Integration** - Automatic DNS record management and zone synchronization
|
- **Cloudflare Integration** - Automatic DNS record management and zone synchronization
|
||||||
- **Modern Stack** - Deno runtime + SQLite database + Angular 19 UI
|
- **Modern Stack** - Deno runtime + SQLite database + Angular 19 UI
|
||||||
|
|
||||||
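Review bot: the unchanged bullet `Single Executable - Compiles to a standalone binary - just run it, no dependencies` is no longer accurate once the proxy is pulled from the `caddy:2-alpine` image; add the image to that bullet or to a requirements note and say what happens when the pull fails. The new `native service discovery` wording in the `Caddy Reverse Proxy in Docker` bullet should also make clear that routes are still pushed from the database through the Admin API, since stock Caddy does not discover Swarm services on its own; what Docker provides here is name resolution on the overlay network, not route discovery.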
@@ -23,7 +23,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
|
|||||||
|
|
||||||
### Core Platform
|
### Core Platform
|
||||||
- 🐳 **Docker Swarm Management** - Deploy, scale, and orchestrate services with Swarm mode
|
- 🐳 **Docker Swarm Management** - Deploy, scale, and orchestrate services with Swarm mode
|
||||||
- 🌐 **Native Reverse Proxy** - Deno-based HTTP/HTTPS proxy with dynamic routing from database
|
- 🌐 **Caddy Reverse Proxy** - Production-grade proxy running as Docker service with SNI, HTTP/2, HTTP/3
|
||||||
- 🔒 **Automatic SSL Certificates** - Let's Encrypt integration with hot-reload and renewal monitoring
|
- 🔒 **Automatic SSL Certificates** - Let's Encrypt integration with hot-reload and renewal monitoring
|
||||||
- ☁️ **Cloudflare DNS Integration** - Automatic DNS record creation and zone synchronization
|
- ☁️ **Cloudflare DNS Integration** - Automatic DNS record creation and zone synchronization
|
||||||
- 📦 **Built-in Registry** - Private Docker registry with per-service tokens and auto-update
|
- 📦 **Built-in Registry** - Private Docker registry with per-service tokens and auto-update
|
||||||
@@ -108,11 +108,19 @@ Onebox is built with modern technologies for performance and developer experienc
|
|||||||
└─────────────────┬───────────────────────────────┘
|
└─────────────────┬───────────────────────────────┘
|
||||||
│
|
│
|
||||||
┌─────────────────▼───────────────────────────────┐
|
┌─────────────────▼───────────────────────────────┐
|
||||||
│ Native Reverse Proxy │
|
│ Docker Swarm │
|
||||||
│ HTTP (80) + HTTPS (443) + SNI + WS Proxy │
|
│ ┌──────────────────────────────┐ │
|
||||||
|
│ │ onebox-network (overlay) │ │
|
||||||
|
│ ├──────────────────────────────┤ │
|
||||||
|
│ │ onebox-caddy (Caddy proxy) │ │
|
||||||
|
│ │ HTTP (80) + HTTPS (443) │ │
|
||||||
|
│ │ Admin API → config updates │ │
|
||||||
|
│ ├──────────────────────────────┤ │
|
||||||
|
│ │ Your Services │ │
|
||||||
|
│ │ (reachable by service name) │ │
|
||||||
|
│ └──────────────────────────────┘ │
|
||||||
└─────┬───────────────────────────────────────────┘
|
└─────┬───────────────────────────────────────────┘
|
||||||
│
|
│
|
||||||
├──► Docker Swarm Services
|
|
||||||
├──► SSL Certificate Manager (Let's Encrypt)
|
├──► SSL Certificate Manager (Let's Encrypt)
|
||||||
├──► Cloudflare DNS Manager
|
├──► Cloudflare DNS Manager
|
||||||
├──► Built-in Docker Registry
|
├──► Built-in Docker Registry
|
||||||
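Review bot: the diagram places `Admin API → config updates` inside the Swarm box, but the caller is the host-side onebox process reaching the published 2019 port, and `HTTP (80) + HTTPS (443)` are host-published ports rather than overlay-internal ones; drawing the Admin API and log-receiver edges crossing the box boundary would make the host/overlay trust boundary visible. The old `├──► Docker Swarm Services` arrow is removed without a replacement, so the host process no longer shows any edge to the services it deploys.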
@@ -124,8 +132,8 @@ Onebox is built with modern technologies for performance and developer experienc
|
|||||||
| Component | Description |
|
| Component | Description |
|
||||||
|-----------|-------------|
|
|-----------|-------------|
|
||||||
| **Deno Runtime** | Modern TypeScript with built-in security |
|
| **Deno Runtime** | Modern TypeScript with built-in security |
|
||||||
| **Native Reverse Proxy** | Custom HTTP/HTTPS proxy with TLS SNI support |
|
| **Caddy Reverse Proxy** | Docker Swarm service with HTTP/2, HTTP/3, SNI, and WebSocket support |
|
||||||
| **Docker Swarm** | Container orchestration (NOT standalone containers) |
|
| **Docker Swarm** | Container orchestration (all workloads run as services) |
|
||||||
| **SQLite Database** | Configuration, metrics, and user data |
|
| **SQLite Database** | Configuration, metrics, and user data |
|
||||||
| **WebSocket Server** | Real-time bidirectional communication |
|
| **WebSocket Server** | Real-time bidirectional communication |
|
||||||
| **Let's Encrypt** | Automatic SSL certificate management |
|
| **Let's Encrypt** | Automatic SSL certificate management |
|
||||||
@@ -301,9 +309,9 @@ onebox/
|
|||||||
├── ts/
|
├── ts/
|
||||||
│ ├── classes/ # Core implementations
|
│ ├── classes/ # Core implementations
|
||||||
│ │ ├── onebox.ts # Main coordinator
|
│ │ ├── onebox.ts # Main coordinator
|
||||||
│ │ ├── reverseproxy.ts # Native HTTP/HTTPS proxy
|
│ │ ├── reverseproxy.ts # Reverse proxy orchestration
|
||||||
|
│ │ ├── caddy.ts # Caddy Docker service management
|
||||||
│ │ ├── docker.ts # Docker Swarm API
|
│ │ ├── docker.ts # Docker Swarm API
|
||||||
│ │ ├── database.ts # SQLite storage
|
|
||||||
│ │ ├── httpserver.ts # REST API + WebSocket
|
│ │ ├── httpserver.ts # REST API + WebSocket
|
||||||
│ │ ├── services.ts # Service orchestration
|
│ │ ├── services.ts # Service orchestration
|
||||||
│ │ ├── certmanager.ts # SSL certificate management
|
│ │ ├── certmanager.ts # SSL certificate management
|
||||||
@@ -315,11 +323,20 @@ onebox/
|
|||||||
│ │ ├── cloudflare-sync.ts # Cloudflare zone sync
|
│ │ ├── cloudflare-sync.ts # Cloudflare zone sync
|
||||||
│ │ ├── daemon.ts # Systemd daemon management
|
│ │ ├── daemon.ts # Systemd daemon management
|
||||||
│ │ └── apiclient.ts # API client utilities
|
│ │ └── apiclient.ts # API client utilities
|
||||||
|
│ ├── database/ # Database layer (repository pattern)
|
||||||
|
│ │ ├── index.ts # Main OneboxDatabase class
|
||||||
|
│ │ ├── base.repository.ts # Base repository class
|
||||||
|
│ │ └── repositories/ # Domain-specific repositories
|
||||||
|
│ │ ├── service.repository.ts
|
||||||
|
│ │ ├── certificate.repository.ts
|
||||||
|
│ │ ├── auth.repository.ts
|
||||||
|
│ │ ├── metrics.repository.ts
|
||||||
|
│ │ └── ...
|
||||||
│ ├── cli.ts # CLI router
|
│ ├── cli.ts # CLI router
|
||||||
│ ├── types.ts # TypeScript interfaces
|
│ ├── types.ts # TypeScript interfaces
|
||||||
│ ├── logging.ts # Logging utilities
|
│ ├── logging.ts # Logging utilities
|
||||||
│ └── plugins.ts # Dependency imports
|
│ └── plugins.ts # Dependency imports
|
||||||
├── ui/ # Angular web interface
|
├── ui/ # Angular 19 web interface
|
||||||
├── test/ # Test files
|
├── test/ # Test files
|
||||||
├── mod.ts # Main entry point
|
├── mod.ts # Main entry point
|
||||||
└── deno.json # Deno configuration
|
└── deno.json # Deno configuration
|
||||||
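Review bot: in the new `repositories/` subtree the entries `service.repository.ts`, `certificate.repository.ts`, `auth.repository.ts`, `metrics.repository.ts` and `└── ...` are drawn at the same depth as `repositories/` itself rather than under it, so the `└──` branch closes too early; indent them one level. Since `database.ts # SQLite storage` was dropped from the `classes/` listing in the previous hunk, confirm `ts/classes/database.ts` is actually gone, otherwise keep that entry.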
@@ -551,6 +568,10 @@ This repository contains open-source code that is licensed under the MIT License
|
|||||||
|
|
||||||
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.
|
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.
|
||||||
|
|
||||||
|
### Issue Reporting and Security
|
||||||
|
|
||||||
|
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
|
||||||
|
|
||||||
### Company Information
|
### Company Information
|
||||||
|
|
||||||
Task Venture Capital GmbH
|
Task Venture Capital GmbH
|
||||||
|
|||||||
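Review bot: this adds a second `### Issue Reporting and Security` section whose text duplicates the existing `## Issue Reporting and Security` section near the top of the README (the hunk context already shows the community.foss.global link there). Keep one copy, or reduce the bottom one to a one-line pointer to the top section, so the two cannot drift apart.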