question regarding safety #63

Closed
opened 2025-12-29 09:22:23 +01:00 by adam · 31 comments

Originally created by @gilbrotheraway on GitHub (Apr 21, 2025).

i love how simple the setup was however it was scary to see all my services automatically exposed, i wonder if there's any crowdsec/geoblock integrations?

adam closed this issue 2025-12-29 09:22:23 +01:00

@yusing commented on GitHub (Apr 21, 2025):

Edit: Geoblock is now available on v0.11

If you do not want to expose your services automatically, you have several options:

1. Add an exclamation mark `!` after the docker provider name (e.g. `local!: $DOCKER_HOST`). See: https://github.com/yusing/godoxy/wiki#behaviors. With this only containers with GoDoxy labels `proxy.{anything...}` will be exposed.

2. Use the [CIDRWhitelist middleware](https://github.com/yusing/godoxy/wiki/Middlewares#cidr-whitelist)

3. **(Recommended)** Use ACL (Maxmind account required for `country` and `tz` matching)

   ```yaml
   acl:
     default: deny     # or allow (default: allow)
     allow_local: true # (default: true)
     allow:
       - ip:1.2.3.4
       - cidr:1.2.3.4/32
       - country:US
       - tz:Asia/Shanghai
     deny:
       - ip:1.2.3.4
       - cidr:1.2.3.4/32
       - country:US
       - tz:Asia/Shanghai
     maxmind:
       account_id: 123456
       license_key: your-license-key
       database: geolite # or geoip2 if you have subscription
     log:
       path: /app/logs/acl.log # (default: none)
       stdout: false     # print to stdout (default: false)
       keep: last 10     # (default: none)
       log_allowed: true # (default: false)
   ```

4. **(Recommended)** Allow **ONLY** LAN/VPN connections (e.g. tailscale, Wireguard, etc.)

   ```shell
   sudo ufw enable
   sudo ufw default deny incoming
   sudo ufw default allow outgoing
   sudo ufw allow in on tailscale0
   sudo ufw allow in on {your-lan-interface}
   sudo ufw delete 22/tcp
   sudo ufw delete 80/tcp
   sudo ufw delete 443/tcp
   sudo ufw delete 443/udp # will support HTTP3 on the next version
   ```

Full article: https://tailscale.com/kb/1077/secure-server-ubuntu


@gilbrotheraway commented on GitHub (Apr 22, 2025):

these are indeed great options
i only mentioned them because geoip alone here(brazil) blocks 100% of IPs

not sure how to check if there's traffic coming?

btw i restarted the server and noticed this, any tips how to fix detection on cold start or is it feature maybe?

```
- Network: http://127.0.0.1:3000/
✓ Starting...
✓ Ready in 970ms
04-21 20:07 INF loaded route providers
• docker@local! 0 routes
04-21 20:07 WRN errors in config: docker@local!: error during connect: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.48/containers/json?all=1";: list containers timeout
04-21 20:07 INF next renewal in 59 days, 17 hours and 27 minutes
04-21 20:07 INF certificate expire on 2025-07-20 16:34:19
04-21 20:07 INF server started addr=:80 server=proxy
04-21 20:07 INF server started addr=:8443 server=proxy
04-21 20:07 INF prometheus metrics enabled
04-21 20:07 INF server started addr=127.0.0.1:8888 server=api
```

@yusing commented on GitHub (Apr 22, 2025):

Incoming requests will be logged to a file, check your `config.yml`


@yusing commented on GitHub (Apr 22, 2025):

You have set the wrong `DOCKER_HOST` in `.env` so it's not connecting to Docker.


@gilbrotheraway commented on GitHub (Apr 22, 2025):

> You have set the wrong `DOCKER_HOST` in `.env` so it's not connecting to Docker.

though it works fine when i reboot godoxy, it's only on cold starts because the container spins up faster than others, i love how little resources it uses and how fast it is just thought there might be an ENV to delay containers detection?

now on the middleware topic is there something like security-headers


@yusing commented on GitHub (Apr 22, 2025):

What do you mean by cold start? It does not matter whether GoDoxy starts before or after other containers.

I guess you're talking about the "loaded 0 routes" message. It's simply because you have enabled explicit only mode for provider `local`. Only containers with labels `proxy.{...}` will be loaded.

> security-headers

GoDoxy does not set security headers automatically, most apps will set CSP headers, CORS headers, etc. on their own, based on the infrastructure of the app and environment variables the user has set (e.g. `BASE_URL`, `ORIGIN`, etc.)

If you want to enforce security headers, you can use the request middleware like this (may break the app / UI depending on what you've set):

```yaml
# config.yml

entrypoint:
  middlewares:
    - use: ModifyResponse
      set_headers:
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        Strict-Transport-Security: max-age=31536000; includeSubDomains
```

@gilbrotheraway commented on GitHub (Apr 22, 2025):

> What do you mean by cold start? It does not matter whether GoDoxy start before or after other containers.

i mean restarting the server, it's starting before the socket can be read or something

all works when i restart godoxy

> > security-headers
>
> GoDoxy does not set security headers automatically, most apps will set CSP headers, CORS headers, etc. on their own, based on the infrastructure of the app and environment variables user have set (e.g. `BASE_URL`, `ORIGIN`. etc.)
>
> If you want to enforce security headers, you can use the request middleware like this (may break the app / UI depends on what you've set):
>
> # config.yml
>
> entrypoint:
> middlewares:
> request:
> set_headers:
> X-Frame-Options: DENY
> X-Content-Type-Options: nosniff
> Strict-Transport-Security: max-age=31536000; includeSubDomains

is there any documentation you can point me that describes these options?

I'm also trying to set CloudflareRealIP so the geoblock from Cloudflare works, but no idea what to set on "recursive" directive or the value fields


@yusing commented on GitHub (Apr 22, 2025):

> it's starting before the socket can be read or something

Put GoDoxy and docker-socket-proxy together in the same docker compose, then

```yaml
services:
  socket-proxy:
    ...
  app:
    container_name: godoxy
    depends_on: # add this (compose key is depends_on)
      - socket-proxy
```

> is there any documentation you can point me that describes these options?

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#introduction

> I'm also trying to set CloudflareRealIP so the geoblock from Cloudflare works

`CloudflareRealIP` does not affect how Cloudflare works. Cloudflare's geoblock will work whether you set it or not, as long as Cloudflare is in front of GoDoxy:

`End User -> CF -> GoDoxy -> Service`

What it does is basically look up the `CF-Connecting-IP` header and treat it as the remote IP if the original remote IP is in the Cloudflare IP list:

- https://www.cloudflare.com/ips-v4
- https://www.cloudflare.com/ips-v6

Doing so lets the access logger record the correct client IP instead of Cloudflare's IPs.

> but no idea what to set on "recursive" directive or the value fields

[`CloudflareRealIP`](https://github.com/yusing/godoxy/wiki/Middlewares#cloudflare) middleware is a preset of the `RealIP` middleware, it requires no value field.

```yaml
# config.yml
entrypoint:
  middlewares: # combining with above
    - use: CloudflareRealIP
    - use: ModifyResponse
      set_headers:
        X-Frame-Options: DENY
        X-Content-Type-Options: nosniff
        Strict-Transport-Security: max-age=31536000; includeSubDomains
```
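The trust rule described above, as an added example in Go that is not GoDoxy's own code: `CF-Connecting-IP` is honoured only when the TCP peer is inside a trusted proxy list, and every other peer keeps its socket address, so a forged header from the open internet cannot change the IP that the access log or an IP-based ACL sees. The ranges in `trustedProxies` are constructed placeholders standing in for the two Cloudflare lists, and `ClientIP` is a name assumed for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// trustedProxies stands in for the ranges published at
// https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
// These are constructed documentation ranges for the demo, not the real list;
// a deployment would load the published lists at startup.
var trustedProxies = mustPrefixes([]string{
	"198.51.100.0/24",  // constructed (TEST-NET-2)
	"2001:db8:cf::/48", // constructed (documentation prefix)
})

func mustPrefixes(cidrs []string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// isTrusted reports whether addr falls inside any trusted proxy prefix.
func isTrusted(addr netip.Addr, trusted []netip.Prefix) bool {
	addr = addr.Unmap() // treat ::ffff:a.b.c.d the same as a.b.c.d
	for _, p := range trusted {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// ClientIP returns the address to log and to run ACL checks against.
// remoteAddr is the TCP peer ("host:port"). The boolean is true only when
// the CF-Connecting-IP header was actually used.
func ClientIP(remoteAddr string, hdr http.Header, trusted []netip.Prefix) (netip.Addr, bool) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port component present
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, false
	}
	// An untrusted peer may carry any header it likes; ignore it entirely.
	if !isTrusted(peer, trusted) {
		return peer, false
	}
	claimed, err := netip.ParseAddr(strings.TrimSpace(hdr.Get("CF-Connecting-IP")))
	if err != nil {
		// Trusted proxy but no usable header: fall back to the peer address.
		return peer, false
	}
	return claimed, true
}

func main() {
	h := http.Header{}
	h.Set("CF-Connecting-IP", "203.0.113.7") // constructed client address
	// Same header, once from a trusted peer and once from an untrusted one.
	for _, peer := range []string{"198.51.100.10:443", "192.0.2.44:51000"} {
		ip, fromHeader := ClientIP(peer, h, trustedProxies)
		fmt.Printf("peer=%s client=%s header_honoured=%v\n", peer, ip, fromHeader)
	}
}
```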

@gilbrotheraway commented on GitHub (Apr 22, 2025):

i set in the config

```yaml
- use: CloudflareRealIP
```

and now I can't access any routes including godoxy frontend

`request error="no such route: godoxy" method=GET remote=192.168.15.1:34946 url=/`

edit: same happens when setting redirecttohttp

> Put GoDoxy and docker-socket-proxy together in the same docker compose, then

Thanks will try that

> > is there any documentation you can point me that describes these options?
>
> https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#introduction

can one use exact same syntax?

> > I'm also trying to set CloudflareRealIP so the geoblock from Cloudflare works
>
> `CloudflareRealIP` does not affect how Cloudflare works. Cloudflare's geoblock will work no matter you set it or not, as long as Cloudflare is in front of GoDoxy:

is this AI answer wrong?

![Image](https://github.com/user-attachments/assets/cee9831f-e963-4b6b-8ae0-240f1a91d580)

> `End User -> CF -> GoDoxy -> Service`

I'm not using tunnels if that's what you mean, all i have is a cloudflare domain with firewall rules to block all countries but the vpn is still able to access it


@yusing commented on GitHub (Apr 22, 2025):

> now I can't access any routes including godoxy frontend

I guess you’ve set something wrong, revert the config.yml and add middlewares to the entrypoint with WebUI.

> can one use exact same syntax?

Ya, they’re just key-value mappings. Just make sure to double quote the value in case there’re special characters.

> is this AI answer wrong?

AI was right, I’ve just had a presumption that you’re running cf tunnels and blocking other traffic. People can still bypass cf if you didn’t block port 80 and 443 publicly.


@gilbrotheraway commented on GitHub (Apr 22, 2025):

> I guess you’ve set something wrong, revert the config.yml and add middlewares to the entrypoint with WebUI.

yeah, i think it's because i forgot to add middleware labels to the container sorry

> > can one use exact same syntax?
>
> Ya, they’re just key-value mappings. Just make sure to double quote the value in case there’re special characters.

gotcha, aside from CIDR/set-headers what other middlewares need custom values?

> AI was right, I’ve just had a presumption that you’re running cf tunnels and blocking other traffic. People can still bypass cf if you didn’t block port 80 and 443 publicly.

i managed to get it working by ticking the "proxy" switch on in Cloudflare DNS records panel
before i was under the impression that reverse proxies needed the real IP and proxied wouldn't work


@gilbrotheraway commented on GitHub (Apr 22, 2025):

now I'm wondering will Cloudflare decrypt my traffic in this setup?? 🤔


@yusing commented on GitHub (Apr 22, 2025):

> yeah, i think it's because i forgot to add middleware labels to the container sorry

Not talking about the container, you should add the middleware to the entrypoint in `config.yml` so it will work for every service

> gotcha, aside from CIDR/set-headers what other middlewares need custom values?

They're all here: https://github.com/yusing/godoxy/wiki/Middlewares

I'll clean this up so it's easier to read and understand.

> i managed to get it working by ticking the "proxy" switch on in Cloudflare DNS records panel

Nice.

> now I'm wondering will Cloudflare decrypt my traffic in this setup??

They will, in order to get page rules and other cloudflare features to work.


@gilbrotheraway commented on GitHub (Apr 22, 2025):

> They will, in order to get page rules and other cloudflare features to work.

how is it possible if they don't have the ssl key?


@gilbrotheraway commented on GitHub (Apr 22, 2025):

any idea what's going on I'm trying to proxy kiwix-serve but it's stuck on "starting screen"

```
04-22 17:56 INF event occurred
• updated
• kiwix name=local! type=docker
Failed to proxy http://127.0.0.1:8888/v1/docker/logs/local!/7f203539c98b37c112062c0ae97dd279ff30fafbc5ba81ce9f0b98bb1459dff9?stdout=true&stderr=true [Error: read ECONNRESET] {
errno: -104,
code: 'ECONNRESET',
syscall: 'read'
}
```

it's the only one of a dozen services with any problem


@yusing commented on GitHub (Apr 22, 2025):

> how is it possible if they don't have the ssl key?

AFAIK, when you turn on proxy or use CF tunnels, the cert being served will be CF's cert.

`End User <-- CF SSL --> CF <-- [Origin SSL] --> Origin`


@yusing commented on GitHub (Apr 22, 2025):

> any idea what's going on I'm trying to proxy kiwix-serve but it's stuck on "starting screen"
>
> ```
> 04-22 17:56 INF event occurred
> • updated
> • kiwix name=local! type=docker
> Failed to proxy http://127.0.0.1:8888/v1/docker/logs/local!/7f203539c98b37c112062c0ae97dd279ff30fafbc5ba81ce9f0b98bb1459dff9?stdout=true&stderr=true [Error: read ECONNRESET] {
> errno: -104,
> code: 'ECONNRESET',
> syscall: 'read'
> }
> ```
>
> it's the only one of a dozen services with any problem

The `Error: read ECONNRESET` is about you having reset the connection (e.g. quitting GoDoxy or leaving the docker logs page) while you were on the docker logs page.

Not related to you being stuck on the starting screen. Go check the browser logs and kiwix's log to see what's going wrong.


@gilbrotheraway commented on GitHub (Apr 23, 2025):

> The Error: read ECONNRESET is about you've reset the connection (e.g. quiting GoDoxy or leaving the docker logs page) while you were on the docker logs page.
>
> Not related to you being stuck on the starting screen. Go check for browser logs and kiwix's log to see what's going wrong.

you're right, I'll do it later because when i try to up kiwix with the proxy label it brings the whole compose system down


@gilbrotheraway commented on GitHub (Apr 23, 2025):

> > how is it possible if they don't have the ssl key?
>
> AFAIK, when you turn on proxy or use CF tunnels, the cert being served will be CF's cert.
>
> `End User <-- CF SSL --> CF <-- [Origin SSL] --> Origin`

i think i found a way around it:
set the wildcard subdomains to dns only and cname
leave base domain proxied
use whatever CF WAF/rules

this way i get geoblock working and the certificate shows letsencrypt in the browser

![Image](https://github.com/user-attachments/assets/ffc86dfa-c766-4e1f-b0bc-4d9029c52312)


@yusing commented on GitHub (Apr 23, 2025):

> > The Error: read ECONNRESET is about you've reset the connection (e.g. quiting GoDoxy or leaving the docker logs page) while you were on the docker logs page.
> >
> > Not related to you being stuck on the starting screen. Go check for browser logs and kiwix's log to see what's going wrong.
>
> you're right, I'll do it later because when i try to up kiwix with the proxy label it brings the whole compose system down

Lol. How is that even possible?


@yusing commented on GitHub (Apr 23, 2025):

> > > how is it possible if they don't have the ssl key?
> >
> > AFAIK, when you turn on proxy or use CF tunnels, the cert being served will be CF's cert.
> >
> > `End User <-- CF SSL --> CF <-- [Origin SSL] --> Origin`
>
> i think i found away around it:
> set the wildcard subdomains to dns only and cname
> leave base domain proxied
> use whatever CF WAF/rules
>
> this way i get geoblock working and the certificate shows letsencrypt in the browser
>
> ![Image](https://github.com/user-attachments/assets/ffc86dfa-c766-4e1f-b0bc-4d9029c52312)

Only people visiting your base domain will be blocked, they will still bypass cf when visiting subdomains.


@yusing commented on GitHub (Apr 25, 2025):

> if there's any crowdsec/geoblock integrations?

Geoblock here you go: https://github.com/yusing/godoxy/wiki/Access-Control-List#connection-level-acl


@gilbrotheraway commented on GitHub (Apr 25, 2025):

> Only people visiting your base domain will be blocked, they will still bypass cf when visiting subdomains.

of course i tested it before sharing here

what happens is the cloudflare page is not shown but a simple "forbidden" text instead

just to update whoever may get here, this is not working anymore not sure what changed


@yusing commented on GitHub (Apr 25, 2025):

> > Only people visiting your base domain will be blocked, they will still bypass cf when visiting subdomains.
>
> of course i tested it before sharing here

Alright my bad.

> what happens is the cloudflare page is not shown but a simple "forbidden" text instead

I do the same thing in the CIDRWhitelist middleware.

> > Geoblock here you go: https://github.com/yusing/godoxy/wiki/Access-Control-List#connection-level-acl
>
> lol time to ditch Cloudflare for good

Yeah let's go.


@gilbrotheraway commented on GitHub (Apr 28, 2025):

@yusing after updating the containers aren't idling anymore :(

tried with 11.6 11.4, 11.1, 11.0


@yusing commented on GitHub (Apr 28, 2025):

Just fixed on 0.11.7, please pull and try again.
Log rotation is also fixed.


@gilbrotheraway commented on GitHub (Apr 29, 2025):

> Just fixed on 0.11.7, please pull and try again. Log rotation is also fixed.

wow you're fast, can confirm idlesleep works now

also i noticed the oidc timeout is not being respected anymore


@yusing commented on GitHub (Apr 29, 2025):

> also i noticed the oidc timeout is not being respected anymore

If you have added the scope `offline_access` and/or when your IdP responded with a refresh_token, GoDoxy will now do this:

Let's use Authentik as an example. When you log in you will have two cookies, one is granted by Authentik (ID token, expires in 5 minutes) and the other is granted by GoDoxy (session_token, expires in `API_JWT_TOKEN_TTL`). GoDoxy will also get a refresh token from the IdP, which will be stored on the server.

So when the former has expired and the latter has not, GoDoxy will do the token refresh for you, until the refresh token is invalidated by your IdP / after 1 month of the initial auth / any error occurs.

On successful token refresh, you will get a new ID token and session token. So on and so on until either the session token or the refresh token expires.

Default expiry:
- Session cookie: `API_JWT_TOKEN_TTL` (24 hours if unset)
- ID Token: 5 minutes by default for Authentik
- Refresh Token: 30 days by default for Authentik

You can tune these settings to a comfortable level.
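The refresh behaviour described above, modelled as an added example (not GoDoxy's own code): a constructed `Session` holding the three lifetimes quoted here, an `Evaluate` that decides between serving the request, refreshing silently, or forcing a new login, and a `Step` that performs the refresh through a hypothetical `idp` callback standing in for the IdP token endpoint. The 30-day cutoff is measured from the initial login as stated, and any IdP error discards the stored refresh token.

```go
package main

import "time"
// Lifetimes quoted in the thread (Authentik defaults; GoDoxy's API_JWT_TOKEN_TTL default).
const (
	IDTokenTTL      = 5 * time.Minute
	SessionTTL      = 24 * time.Hour
	RefreshTokenTTL = 30 * 24 * time.Hour
)

// Session is a constructed model of one login: two browser cookies plus the server-held refresh token.
type Session struct {
	AuthenticatedAt, IDTokenExpiry, SessionExpiry time.Time
	RefreshToken                                  string // "" = none issued or revoked
}

type Decision string
const (
	Allow          Decision = "allow"   // ID token valid: serve the request
	Refresh        Decision = "refresh" // ID token expired, session valid: refresh silently
	Reauthenticate Decision = "reauth"  // send the user back to the IdP login page
)

// Evaluate decides the outcome for a request arriving at now.
func Evaluate(s Session, now time.Time) Decision {
	switch {
	case now.Before(s.IDTokenExpiry):
		return Allow
	case !now.Before(s.SessionExpiry), s.RefreshToken == "",
		!now.Before(s.AuthenticatedAt.Add(RefreshTokenTTL)):
		return Reauthenticate
	}
	return Refresh
}

// Step runs Evaluate and, when a refresh is due, calls idp, a hypothetical stand-in for the
// IdP token endpoint (returns the rotated refresh token, or ok=false if the IdP rejected it).
// Success issues a new ID token and session token; failure drops the refresh token.
func Step(s Session, now time.Time, idp func(rt string) (string, bool)) (Session, Decision) {
	if d := Evaluate(s, now); d != Refresh {
		return s, d
	}
	rt, ok := idp(s.RefreshToken)
	if !ok {
		s.RefreshToken = ""
		return s, Reauthenticate
	}
	s.IDTokenExpiry, s.SessionExpiry, s.RefreshToken = now.Add(IDTokenTTL), now.Add(SessionTTL), rt
	return s, Refresh
}
```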


@gilbrotheraway commented on GitHub (Apr 29, 2025):

> > also i noticed the oidc timeout is not being respected anymore
>
> If you have added the scope `offline_access` and/or when your IdP responded with a refresh_token, GoDoxy will now do this:

what is that?

> Let's use Authentik as an example. When you log in you will have two cookies, one is granted by Authentik (ID token, expires in 5 minutes) and the other is granted by GoDoxy (session_token, expires in `API_JWT_TOKEN_TTL`). GoDoxy will also get a refresh token from the IdP, which will be stored on the server.
>
> So when the former has expired and the latter has not, GoDoxy will do the token refresh for you, until the refresh token is invalidated by your IdP / after 1 month of the initial auth / any error occurs.
>
> On successful token refresh, you will get a new ID token and session token. So on and so on until either the session token or the refresh token expires.
>
> Default expiry: Session cookie: `API_JWT_TOKEN_TTL` (24 hours if unset) ID Token: 5 minutes by default for Authentik Refresh Token: 30 days by default for Authentik
>
> You can tune these settings to a comfortable level.

any way to do that on pocket-id?


@yusing commented on GitHub (Apr 29, 2025):

Pocket ID seems to respond with a refresh token without the `offline_access` scope, so this is the reason for "i noticed the oidc timeout is not being respected anymore".


@yusing commented on GitHub (Apr 29, 2025):

Hey, I'm closing this issue for now. Should you have any questions, please submit a new issue or reach me on Discord.

Reference: starred/godoxy#63