Setup issue, certificates and Pocket-ID #40

Closed
opened 2025-12-29 14:23:00 +01:00 by adam · 15 comments

Originally created by @reddwarf666 on GitHub (Feb 23, 2025).

Hi,

Running Docker on:

OS Information linux x86_64 Alpine Linux v3.21
Kernel Version 6.12.11-0-lts

Tried to setup as per the documentation:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/go-proxy/main/scripts/setup.sh)"

Issue that broke the setup:

Line 167:
	TIMEZONE=$(cat /etc/timezone)
Error:
	cat: read error: Is a directory

So the script quits right after that message and setup is stopped. So for now I stopped trying godoxy as well.

Another thing I was curious about are certificates in godoxy.
Currently I run Nginx Proxy Manager and handling certificates in there is super simple and it uses letsencrypt.
Does godoxy support letsencrypt and the same functionality and UI/interface to handle this part?
So for example auto renew letsencrypt certificates and handling certificates in the UI (setting up, creating, manual renew, etc.)

And the reason I want to use godoxy would be to start using Pocket-ID but I cannot find a guide to have godoxy use Pocket-ID to protect services/apps I have running in my docker environment. Any guide you can point me to, to have a look and understand how to set this up with godoxy?

adam closed this issue 2025-12-29 14:23:02 +01:00

@yusing commented on GitHub (Feb 23, 2025):

Have fixed the setup script, please test it again.

If you are using cloudflare for Let's Encrypt the script will guide you through the setup process and examples are in config/config.yml too. This is a one-time setup, certs will be managed automatically.

For OIDC docs, it's here: https://github.com/yusing/godoxy/wiki#oidc

You will have to add two "Allowed Callback URL"s in your OIDC (change domain.com to your actual domain).

- https://godoxy.domain.com/api/auth/callback (this one is for WebUI), and
- https://*.domain.com/auth/callback (this one is for other apps using middleware)

Image

Image

Add these to .env:

GODOXY_OIDC_ISSUER_URL: Authorization URL
GODOXY_OIDC_CLIENT_ID: Client ID
GODOXY_OIDC_CLIENT_SECRET: Client secret
GODOXY_OIDC_REDIRECT_URL: the first callback url
GODOXY_OIDC_ALLOWED_USERS: your pocket-id username

After setting these, to enable OIDC for a specific app, it's just two lines in docker compose:

services:
  your_app:
    ...
    # here
    labels:
      proxy.#1.middlewares.oidc:

Have just added these examples to wiki as well :)


@reddwarf666 commented on GitHub (Feb 24, 2025):

Hi,

Thanks for the extensive reply!

OK, I just tried the (updated) setup again:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/yusing/go-proxy/main/scripts/setup.sh)"

This is the result:

Using curl for downloads
Setting up GoDoxy
Branch: main
Creating directory "config"
Downloading ".env.example" to ".env"
Done
Warning: could not detect timezone, please set it manually
Downloading "compose.example.yml" to "compose.yml"
Done
Downloading "config.example.yml" to "config/config.yml"
Done
Setting up login user
Enter login username: steven
Enter login password: Guppie2010
Setting up login user "steven" with password "Guppie2010"
Setting up autocert for SSL certificate
Do you want to enable autocert? (y/n): y
Setting up autocert
Enter domain (e.g. example.com): jikade.com
Enter email for Let's Encrypt: steven@jikade.com
Are you using cloudflare? (y/n): n
Not using cloudflare, skipping autocert setup
Please refer to https://github.com/yusing/go-proxy/wiki/Supported-DNS-01-Providers for more information
Setup finished

Please note the "Warning: could not detect timezone, please set it manually" line, it seems the script has a problem finding timezone information. Is the advice to set this on the host itself? Why do I need to set this at a host level on my docker server? And if absolutely needed, would the syntax then be (for manually setting it): TIMEZONE=Europe/Amsterdam ?

I tried both variants of commands I could see in the setup script.

Command: TIMEZONE=$(cat /etc/timezone)
Result: cat: read error: Is a directory

Command: TIMEZONE=$(timedatectl status | grep "Time zone" | awk '{print $3}')
Result: -ash: timedatectl: not found

But other than the timezone issue the setup script seems to have worked.
One note though, if a package would have been needed it would probably have failed, as the package manager on Alpine is, as far as I know, called "apk" and I did not see any references for that. I saw references in install_pkg() for "apt", "yum" and "pacman" but not "apk". Just an FYI.

When the server starts I see this in the logs:

02-24 11:49 INF event occurred
                  • updated
                    • godoxy
                  • event errors
                    • add > qbittorrent: listen udp 172.30.0.2:0: bind: cannot assign requested address name=local type=docker

Seems to be a conflict in ports?
I do have a container for qbittorrent and these are the exposed ports in the compose file for it:

    ports:
      - 8086:8086
      - 6881:6881
      - 6881:6881/udp

As far as I can tell there are no conflicts on ports between the two, perhaps some ports I do not know about are exposed and conflict? What are the ports used by godoxy other than 80, 443 and 3000? Perhaps I can find the conflict if I know the port number in question.

For now I continued testing by stopping godoxy, stopping qbittorrent and starting godoxy again.
This is from the logs:

Container started
02-24 12:08 INF GoDoxy version v0.9.8
02-24 12:08 INF loaded route providers
                  • docker@local 12 routes
02-24 12:08 INF homepage overrides config loaded, 0 items
02-24 12:08 INF icon cache loaded (0 icons)
02-24 12:08 INF server started addr=:80 module=server name=proxy
02-24 12:08 WRN service went down name=nginx-proxy-manager
02-24 12:08 INF prometheus metrics enabled
02-24 12:08 INF server started addr=127.0.0.1:8888 module=server name=api
02-24 12:08 WRN service went down name=godoxy
02-24 12:08 INF event occurred
                  • updated
                    • godoxy name=local type=docker
02-24 12:08 WRN service went down name=godoxy
02-24 12:08 INF service is up name=godoxy

When I tried to login with the URL "http://zbox:3000" it keeps looping to the login page for some reason and I see this in the log:

2025/02/24 12:08:34 net/http: invalid Cookie.Domain ".0.0.1"; dropping domain attribute
02-24 12:08 WRN no match domains configured, accepting websocket API request from all origins

When I tried using ports 80 and 443 to access godoxy I got this:

http://zbox
no such route: zbox

https://zbox

Unable to connect
Firefox can’t establish a connection to the server at zbox.

When I tried with "https://zbox:3000/" (so SSL over port 3000, I am getting desperate by now as you may have noticed 😅):

Secure Connection Failed
An error occurred during a connection to zbox:3000. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG

FYI: I run Docker on a server called "zbox" and never access any pages or browse on the Docker server itself (i.e. localhost or 127.0.0.1), I always browse to services on containers from my laptop. The name "zbox" resolves in the internal network to the IP for that docker server.

To answer your question on letsencrypt: I do not use cloudflare so also not for certificates or anything like that.
Truth be told, I have no clue how Nginx Proxy Manager does it and that is the beauty of it: it just works.
I have no love for certificates and the fact that I can tell NPM "give me an auto renew certificate and do whatever you need to do" is one of its major selling points tbh. Again, no idea about where or how NPM does it and I appreciate that but at no point did NPM ask me "do you use cloudflare" when certificates are involved. So I guess cloudflare is not a needed component in that chain. I suppose there is a service/API from Letsencrypt to request certificates?
This is why I leave this topic in the capable hands of people who know about these things 😀
My advice would be: offer letsencrypt certificates and handle it all via the WebUI
If you want to have an idea on how easy this can (and in my opinion should) be, have a look at Nginx Proxy Manager and how it is handled in there. It is a literal no-brainer and a thing of beauty (for a person who hates certificates that is).
Sure, offer all the bells and whistles for the experts but please, have a point-and-click option for idiots like me 😀

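The timezone failure reported above, as an added example that is not taken from GoDoxy's setup.sh: a detector that reads /etc/timezone only when it is a regular file (the Alpine host in this thread had a directory there, which is what produced "cat: read error: Is a directory"), falls back to the /etc/localtime symlink, and returns nothing instead of aborting the whole setup when neither source is usable. The file paths are parameters so the function can be exercised on constructed files; the zone-name check is a format check only, not a lookup in tzdata, and the timezone_env_line() helper is an assumption about what a setup script would write.

```python
import os
import re
from pathlib import Path
from typing import Optional

# Added example, not GoDoxy's setup.sh. Detects the host timezone without
# aborting when /etc/timezone is missing or, as on the Alpine host in this
# thread, a directory. Paths are parameters so the function can be run
# against constructed files.

# Plausible tzdata name such as "UTC" or "Europe/Amsterdam" (format check only).
ZONE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_+\-]*(/[A-Za-z0-9_+\-]+)*$")


def looks_like_zone(name: str) -> bool:
    return bool(ZONE_NAME.match(name))


def detect_timezone(tz_file: str = "/etc/timezone",
                    localtime: str = "/etc/localtime") -> Optional[str]:
    # 1. Debian-style /etc/timezone: read it only if it is a regular file.
    #    Reading a directory is exactly what produced "cat: read error".
    tz_path = Path(tz_file)
    if tz_path.is_file():
        try:
            name = tz_path.read_text(encoding="utf-8").strip()
        except OSError:
            name = ""
        if looks_like_zone(name):
            return name

    # 2. /etc/localtime as a symlink into a zoneinfo tree (Alpine, Arch, ...):
    #    the zone name is the part of the link target after "zoneinfo/".
    lt_path = Path(localtime)
    if lt_path.is_symlink():
        target = os.readlink(lt_path)
        _, marker, name = target.partition("zoneinfo/")
        if marker and looks_like_zone(name):
            return name

    # 3. Nothing trustworthy found: let the caller warn or ask, do not abort.
    return None


def timezone_env_line(detected: Optional[str]) -> str:
    """The .env line a setup script would write; a comment when undetected (assumption)."""
    if detected is None:
        return "# TIMEZONE could not be detected, set it manually, e.g. TIMEZONE=Europe/Amsterdam"
    return f"TIMEZONE={detected}"


if __name__ == "__main__":
    print(timezone_env_line(detect_timezone()))
```

Running it on the host prints the TIMEZONE line for .env, or a commented hint when detection fails, which matches the "please set it manually" behaviour the updated script shows rather than the hard stop the original reported.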

@yusing commented on GitHub (Feb 24, 2025):

> Warning: could not detect timezone, please set it manually

Sorry for the confusion, set it in your .env, not the host machine. This is optional, but if you don't set this the timestamp in logs will be incorrect.

> "Not using cloudflare, skipping autocert setup"

Means you have skipped Let's Encrypt setup. So https is not enabled, and auth requires https (as of the current version)

> add > qbittorrent: listen udp 172.30.0.2:0: bind: cannot assign requested address name=local type=docker

GoDoxy chooses the smallest port as default, and since you have exposed it as UDP, it will be served as UDP stream. But seems like there are problems with the UDP implementation.

    ports:
      - 8086:8086
      - 6881:6881
      - 6881:6881/udp # here

To fix it add a label to specify the port manually:

labels:
  proxy.#1.port: 8086

> http://zbox/ Unable to connect Firefox can’t establish a connection to the server at zbox

You should access the WebUI through https://godoxy.yourdomain.com instead of ip/host:3000, and since you have skipped https setup, this will not work as well.

> but at no point did NPM ask me "do you use cloudflare" when certificates are involved

Seems like NPM was doing HTTP-01 challenge to grab a certificate, which means you have exposed your site to the internet, which is not recommended. GoDoxy uses DNS-01 Challenge to obtain certificates, that's why a DNS provider is required. Currently the setup script only supports Cloudflare, but you can check out available options in Wiki and set it manually in config/config.yml.


@yusing commented on GitHub (Feb 24, 2025):

Let's encrypt settings example here (which is also in your config.yml):

autocert:
  provider: cloudflare
  email: abc@gmail.com # ACME Email
  domains: # a list of domains for cert registration
    - "*.domain.com"
    - "domain.com"
  options:
    auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token

@yusing commented on GitHub (Feb 24, 2025):

Also errors like this do not mean that you have to restart GoDoxy, it will skip this container when there is an error loading it. In most cases you do not have to restart GoDoxy.

 • event errors
    • add > qbittorrent:

@reddwarf666 commented on GitHub (Feb 24, 2025):

> Sorry for the confusion, set it in your .env, not the host machine. This is optional, but if you don't set this the timestamp in logs will be incorrect

Thanks, this part is clear now! I have set this in the .env file.

> You should access the WebUI through https://godoxy.yourdomain.com instead of ip/host:3000, and since you have skipped https setup, this will not work as well.

Hmm, but I have no A type DNS record called "godoxy" set on my domain. How would that work?
I understand that for each service I want to have the proxy respond to I need to create an A record on my domain and the proxy catches it and routes traffic as needed.
So if I run a service/container like 'portainer' I would create an A record called 'portainer' and point it to my public IP address. I then can browse to 'https://portainer.yourdomain.com'. Right?

> Means you have skipped Let's Encrypt setup. So https is not enabled, and auth requires https (as of the current version)

So the login page of godoxy runs on http but that does not work and the login will only work on https but this is not possible as the certificate setup is wrong/missing/etc? Hence the error about certificates in the browser?

> To fix it add a label to specify the port manually:
>
>     labels:
>       proxy.#1.port: 8086

Where would this label go? In godoxy or qbittorrent? Is 8086 the conflicting port? And what is "#1" in this?
If I would need to add this on the compose file of qbittorrent, does that mean godoxy is already trying to 'use' or 'manage' the qbittorrent container?

> Seems like NPM was doing HTTP-01 challenge to grab a certificate, which means you have exposed your site to the internet, which is not recommended. GoDoxy uses DNS-01 Challenge to obtain certificates, that's why a DNS provider is required. Currently the setup script only support Cloudflare, but you can check out available options in Wiki and set it manually in config/config.yml.

Here my complete lack of understanding of this certificates thing comes to light I am afraid.
In your example for cloudflare:

> autocert:
>   provider: cloudflare
>   email: abc@gmail.com # ACME Email
>   domains: # a list of domains for cert registration
>     - "*.domain.com"
>     - "domain.com"
>   options:
>     auth_token: c1234565789-abcdefghijklmnopqrst # your zone API token

I have no clue where this "auth_token" is, I have no values for this field as far as I know.
Should I re-run the setup to generate this token?

Perhaps this whole setup with godoxy is just showcasing my inability to use an app like godoxy and I should stay 'in my lane' with NPM. I see so many things I do not understand, like that labels thing or the auth token, etc.
I am willing to admit defeat instead of wasting your valuable time. I appreciate your help immensely but perhaps I am too dumb or stupid to actually use your app. I am starting to think I am way over my head with this thing.

Here is my idea of a proxy/expose to the internet setup I have in mind, what I want to mimic/achieve with godoxy:

  1. I have multiple containers running in docker on a separate stand alone server.
  2. A couple of these containers I want to expose to the internet.
  3. I would like to use a proxy server to handle this container traffic.
  4. This proxy server should have the ability to secure the traffic with a certificate.
  5. The certificates should be easily created, assigned and auto renewed.
  6. I have no interest in exposing this proxy server (the webui access that is) to the internet.
  7. --> this is the point where I am at with NPM and it all works flawlessly, never have to look at it once set.
  8. I would like to protect each service/container with authentication like OIDC/OTP/Passkey/etc.

Right now with godoxy I am trying to get at point 7, the goal is point 8 of course.

What is blocking me at the moment is certificates, conflicting ports and accessing the WebUI so I can start evaluating godoxy to see if I truly want to replace NPM with it.

I don't want to sound like a complainer or be negative but I have invested like 6 hours into godoxy just to see the UI, let alone assess the applicability to replace NPM as proxy server. It is not going well 😄
Again, this is largely on me and I might be in way over my head with it.

I need to rethink my options and strategies. Or take a break and step away to get some fresh and a positive perspective.


@yusing commented on GitHub (Feb 24, 2025):

I guess you should take a break and try this later.

> but I have no A type DNS record called "godoxy" set on my domain. How would that work?

As stated in the prerequisite part, you should add a wildcard record pointing the domain to your machine.

For example, a record of "*.example.com -> 10.0.0.1" resolves every "<subdomain>.example.com" to 10.0.0.1, letting the reverse proxy handle all the requests.

> login will only work on https but this is not possible as the certificate setup is wrong/missing/etc

You can delete the API_JWT_SECRET part in your .env. This will disable authentication, so you can try it out without https.

> Where would this label go

The app that you run, in this case, qBitTorrent.

> […] what is "#1" in this

Let me explain a few things first.

Docker Labels are the metadata of the container. In simple words, it’s similar to the “environment” directive where you set environmental variables, but for the container itself, not the process.

How GoDoxy works:

  1. List all the containers
  2. Read container name, labels and port configuration for each of them
  3. Create a route if applicable (a route is like a "Virtual Host" in NPM)

GoDoxy reads the label proxy.aliases as the subdomain(s) for the container, if unset it defaults to container_name. For example, with the label proxy.aliases: qbt you can access your app via qbt.domain.com.

Getting back to the question: "#1" means the first route of the container, I used this as an example because I didn't know what your container name is.

> does that mean godoxy is already trying to 'use' or 'manage' the qbittorrent container?

Yes, this is the core of GoDoxy: create routes dynamically from running containers. In NPM, you have to create them manually every time you start a new service. But with GoDoxy, you don’t have to (most of the time).

> I have no clue where this "auth_token" is

This is the Zone API token for Cloudflare; if you use Cloudflare as the nameserver for your domain, you can create one in their dashboard. Example here: https://www.derekseaman.com/2023/04/getting-your-cloudflare-zone-api-key-and-account-id.html

> perhaps I am too dumb or stupid to actually use your app. I am starting to think I am way over my head with this thing.

No, you’re not. It's just that you missed some basics of Docker and reverse proxies, and are also thinking in an "NPM way". Take some rest, bro; maybe try GoDoxy again when v0.10 releases (coming very soon).

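The container-to-route flow explained in this comment (list containers, read name, labels and ports, create a route per alias, default to the container name) can be made concrete with a small model. This is an added illustration, not GoDoxy's code and not from either participant; the domain `example.com`, comma-separated multiple aliases, "exposes at least one port" as the rule for when a route applies, and the sample containers are all assumptions of the sketch.

```python
"""Model of label-driven route creation as described in the thread.

Added illustration, not GoDoxy's implementation. Assumptions: the zone
name, that several aliases are comma-separated, that a container with no
exposed port gets no route, and the constructed sample containers.
"""

from dataclasses import dataclass, field


DOMAIN = "example.com"  # assumed zone; "*.example.com" is expected to resolve to the proxy host


@dataclass
class Container:
    name: str
    labels: dict = field(default_factory=dict)
    ports: list = field(default_factory=list)  # exposed container ports (constructed)


def aliases_for(c: Container) -> list:
    """Subdomain(s) for a container: the proxy.aliases label, else container_name.

    Comma-separated aliases are an assumption of this sketch.
    """
    raw = c.labels.get("proxy.aliases", "").strip()
    if not raw:
        return [c.name]
    return [a.strip() for a in raw.split(",") if a.strip()]


def build_routes(containers):
    """Return {hostname: (container_name, port)} for every routeable container.

    "Applicable" is modelled as "exposes at least one port" (an assumption).
    """
    routes = {}
    for c in containers:
        if not c.ports:
            continue
        port = c.ports[0]  # assumption: the first exposed port is proxied
        for alias in aliases_for(c):
            host = f"{alias}.{DOMAIN}"
            if host in routes:
                # Two containers claiming one subdomain is a misconfiguration
                # worth surfacing instead of silently picking a winner.
                raise ValueError(f"duplicate route for {host}")
            routes[host] = (c.name, port)
    return routes


def dispatch(routes, host):
    """Pick the backend for a request by its Host header.

    The wildcard DNS record has already sent the request to the proxy;
    unknown names return None (a 404) rather than falling through to
    some arbitrary backend.
    """
    host = host.lower().rstrip(".")
    if not host.endswith("." + DOMAIN):
        return None
    return routes.get(host)


# Constructed sample: one labelled container, one unlabelled, one with no port.
SAMPLE = [
    Container("qbittorrent", {"proxy.aliases": "qbt"}, [8080]),
    Container("grafana", {}, [3000]),
    Container("postgres", {}, []),
]

if __name__ == "__main__":
    table = build_routes(SAMPLE)
    for name, target in sorted(table.items()):
        print(f"{name} -> {target}")
    print(dispatch(table, "qbt.example.com"))   # ('qbittorrent', 8080)
    print(dispatch(table, "nope.example.com"))  # None
```

Note what the sample shows about the default: `grafana` carries no label yet still gets `grafana.example.com`, exactly as the comment says (the alias defaults to the container name). That is convenient, but it also means the set of exposed hostnames is the set of running containers, so reviewing the generated route table is the check to do before putting the proxy in front of a real domain.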

@reddwarf666 commented on GitHub (Feb 24, 2025):

Thanks for the explanation to an annoying, moody and ignorant user 😄
Your insights really help and make sense, I will take them to heart and try later.

Your comment about viewing this from a NPM pov is spot on and this behaviour does not help me a lot. I got just the right amount of info and understanding from NPM to be a bothering nuisance, hehehe.

One thing though, about certificates and how it is handled, to wrap my mind around this.

  1. I think I am meant to create an account at some DNS provider and use them to handle the letsencrypt part, is that right?
  2. The auto renew part is happening behind the scenes
  3. It is expected to have a wildcard certificate to handle all possible containers, should you want to expose them
  4. I do not have to create certificate(s), that is all done by godoxy if the need arises (no wildcard, per service certificate)

> take some rest, bro

Perhaps the best advice out of all your advice 😆


@yusing commented on GitHub (Feb 24, 2025):

Yes, all your thoughts are correct!


@reddwarf666 commented on GitHub (Feb 27, 2025):

Ok, I just went to Cloudflare and it wants to pull in my domain and change name-servers at my DNS registrar. As I cannot oversee the implications of doing this (family members will be impacted if stuff on my domain stops working), I am not comfortable doing so. Plus it is still not clear what I need to do with Cloudflare in respect to just certificates. Make an account, register my domain, import DNS, change name-servers. Just to get a certificate....
It is too much, I feel I am pulling in an elephant to catch a mouse.

I also tried running keycloak with NPM and in doing so I got an issue:

```
Fatal glibc error: CPU does not support x86-64-v2
Container stopped
```

I'm guessing I will face this issue with others as well, like pocket-id, and this is the final straw for me, I throw in the towel and give up. I will have security through obscurity. I will keep using NPM as it is so dead simple and just works.

Thanks for all your efforts and help, I wish you all the best with godoxy!


@yusing commented on GitHub (Feb 27, 2025):

It's not limited to Cloudflare; it currently also supports OVH, DuckDNS and CloudDNS.

Anyway, thanks for trying it out and giving some feedback.


@reddwarf666 commented on GitHub (Feb 27, 2025):

I know, and no doubt it involves accounts, domain registry and name servers. I do not target Cloudflare but the act of involving a 3rd party to get at another (4th?) party to get some certificates. I have my reservations on that and like the 'it just works' method of NPM. No accounts, no DNS, no nameservers, no API keys, no client IDs, etc.

It's not my place to say what should be done, and your service/app could be considered such a specific and technically involved process that it is simply not possible to simplify the process or setup. It is not for everyone and needs some insight and knowledge to make it all work, that is fair.

That said, I wonder what makes NPM so simple and show me the opposite side of that coin.
I have my ideas but I am not sure if this is the platform or place to discuss that.


@yusing commented on GitHub (Feb 28, 2025):

![Image](https://github.com/user-attachments/assets/dedd196e-f420-4663-adb3-8bc7dfef582d)

It's basically the same as this in NPM.

> the 'it just works' method of NPM

I believe what you mean by "it just works" is doing the HTTP-01 challenge (untick "Use a DNS Challenge"). But you can't grab a wildcard certificate with HTTP-01, which already means you have to expose everything you host to the internet to get a cert for each subdomain.

> It is not for everyone and needs some insights and knowledge to make it all work

This applies to self-hosting too.

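The HTTP-01 versus DNS-01 point made in this comment, and the earlier summary of how certificates are handled (a DNS provider account, one wildcard certificate, renewal behind the scenes), comes down to two rules: a certificate wildcard covers exactly one label, and only the DNS-01 challenge can issue such a wildcard. The following is an added example written for this thread, not code from GoDoxy, NPM or either participant; the hostnames are constructed and the helper that lists which names to request assumes every host is a direct subdomain of one zone.

```python
"""Certificate name coverage and the HTTP-01 / DNS-01 difference.

Added example, not project code. Hostnames are constructed.
"""

import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name (CN/SAN) against a hostname.

    Follows the usual client rule (RFC 6125 style): a '*' is accepted only
    as the entire leftmost label and stands for exactly one label, so
    '*.example.com' covers 'qbt.example.com' but neither 'example.com'
    nor 'a.b.example.com'. Partial wildcards such as 'q*.example.com'
    are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False
    host_first, _, host_rest = host.partition(".")
    return host_rest == rest and bool(LABEL.match(host_first))


def covered(sans, host: str) -> bool:
    """True if any name in the certificate's SAN list covers the host."""
    return any(name_matches(p, host) for p in sans)


def names_to_request(hosts, challenge: str):
    """Which names an ACME client must put in the order for a set of hosts.

    http-01: the CA fetches a token over plain HTTP on port 80 at each name,
             so every name is validated (and must be reachable) one by one,
             and wildcards are not allowed at all.
    dns-01:  the CA checks a TXT record in the zone, which proves control of
             the whole zone, so a single '*.zone' entry covers all subdomains.
    Assumption of this sketch: each host is a direct subdomain of one zone.
    """
    hosts = sorted({h.lower().rstrip(".") for h in hosts})
    if challenge == "http-01":
        return hosts
    if challenge == "dns-01":
        zones = {h.partition(".")[2] for h in hosts}
        return sorted("*." + z for z in zones)
    raise ValueError(f"unknown challenge type: {challenge}")


if __name__ == "__main__":
    hosts = ["qbt.example.com", "grafana.example.com"]
    print("http-01 order:", names_to_request(hosts, "http-01"))
    print("dns-01 order: ", names_to_request(hosts, "dns-01"))
    wildcard = names_to_request(hosts, "dns-01")
    for h in hosts + ["example.com", "a.b.example.com"]:
        print(f"{h:22} covered by {wildcard}: {covered(wildcard, h)}")
```

The practical consequence for the self-hosting case discussed here: with HTTP-01 every hostname that needs a certificate has to answer on port 80 from the internet at issuance and at each renewal, whereas with DNS-01 the services never have to be reachable from outside; the only thing exposed is the API token for the DNS provider, which is why that token should be scoped to the zone and treated as a secret.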

@reddwarf666 commented on GitHub (Feb 28, 2025):

It's all good. There's more to the whole thing but never mind. I appreciate your work and what you have done, it is awesome!

I did the whole NPM/OAuth2-proxy/Pocket-id thing and got what I wanted so it all works out.

Have a great weekend!


@yusing commented on GitHub (Mar 1, 2025):

Thanks, have a great weekend too. I'm closing this for now, please let me know if you need further help.

Reference: starred/godoxy-yusing#40