App Submission: Zoraxy - Reverse Proxy Manager #1751
Conversation
App Submission: LinkStack - Self-hosted open-source Linktree alternative
|
Zoraxy is a lightweight alternative to Nginx, ideal for home servers like Umbrel, offering easy setup through a graphical interface. With built-in authentication and automatic SSL handling, it’s simple and resource-efficient. Despite its user-friendliness, it remains more powerful than Nginx in self-hosted environments. |
|
Thanks for yet ANOTHER submission @dennysubke! I don't have familiarity with Zoraxy, but do you know if this bind mount is needed: - /var/run/docker.sock:/var/run/docker.sockBinding the host's docker socket is, unfortunately, a deal-breaker for security reasons. This would give Zoraxy complete access to the Docker daemon on the host, allowing it to manage other containers and easily break out of the containerized environment. With access to /var/run/docker.sock, the container gains root-level control over the host. Any process in the container could start privileged containers, access sensitive files, or even compromise the entire host system There's a couple apps in our app store that get around this by running alongside a docker-in-docker (dind) container and binding to the dind's docker socket as a workaround (e.g., portainer and dockge). |
|
docker.sock is "Used for additional functionality with Zoraxy." Link |
Good point - binding |
Thanks for the suggestion @dirstel. When we get a feature like this added (on the roadmap) we'll likely use something lower-level. We've got some ideas 😉 |
There was a problem hiding this comment.
Apologies for the delay @dennysubke! Thanks again for yet another submission 🫡.
Good point - binding /var/run/docker.sock indeed poses security risks. Could you make the changes to use docker-in-docker (dind) instead?
Ah, sorry I hadn't really looked at the app at all when I made that comment. Now that I see what this is we can't use dind here because Zoraxy is binding to the Docker socket to get info on what Docker containers are running on the host. If we bind the socket of a dind container it would be useless because no containers will be running in it.
I just took a quick look through the codebase and I think there's a path forward for us here:
- the docker socket is being used for some quality of life improvements when running zoraxy via Docker. For example, when creating proxy rules it allows you to select from a list of running containers to get IP addresses, ports, etc.
- that makes things nice, but it isn't strictly required for zoraxy to run
- we can remove the socket bind and also add
DOCKER: "false"as an env var which I think will make it so the components in the UI that show running docker containers won't show up so users don't think something is broken.
I've gone through and left a review below. Let me know if anything is confusing.
| @@ -0,0 +1,23 @@ | |||
| services: | |||
There was a problem hiding this comment.
Current Compose doesn't use version in the docker-compose.yml, but we need to add version: '3.7' here anyways to maintain compatibility with umbrelOS 0.5. Similar to #1742 (comment)
There was a problem hiding this comment.
Done! Added version: '3.7' to ensure compatibility with UmbrelOS 0.5. 😊
zoraxy/docker-compose.yml
Outdated
| environment: | ||
| APP_HOST: zoraxy_server_1 | ||
| APP_PORT: 8000 | ||
| PROXY_AUTH_ADD: "false" |
There was a problem hiding this comment.
I noticed that there is a NOAUTH environment variable we can use to disable authentication for the Zoraxy UI:
https://github.com/tobychui/zoraxy/tree/main/docker#environment
What do you think about removing Zoraxy's auth and then removing PROXY_AUTH_ADD: "false" here so that the UI is protected by umbrelOS's auth and inherits other security features like 2FA if a user has it enabled? This also means reduced friction for a user signing in since they can:
- log in through umbrel homescreen.
- click Zoraxy and not have to input credentials again.
Similar to what we did here: #1742 (comment)
There was a problem hiding this comment.
Great, already taken care of!
zoraxy/docker-compose.yml
Outdated
| #ports: -> The proxy service is listening on port 8400 | ||
| # 8480:80 | ||
| # 8443:443 | ||
| # 8400:8000 |
There was a problem hiding this comment.
Since Zoraxy is a reverse proxy doesn't it need to expose http and https ports for its basic functionality?
User's are going to need to open ports on their router and then port forward to Zoraxy running on their Umbrel. You can bind to free ports that haven't been taken by other apps yet. So something like:
ports:
- 41080:80
- 41443:443Then right at the top of the app description you could note which ports are for which protocol.
There was a problem hiding this comment.
Done! Ports 41080 for HTTP and 41443 for HTTPS are now set, and I'll add the protocol details to the app description.
zoraxy/docker-compose.yml
Outdated
| # 8443:443 | ||
| # 8400:8000 | ||
| volumes: | ||
| - ${APP_DATA_DIR}/config/:/opt/zoraxy/config/ |
There was a problem hiding this comment.
Let's do the same thing as the other submissions and put this one level deeper on the host inside a parent data directory so that it has similar structure to the majority of other apps, and it makes it easy to add more bind mounts inside data in the future.
- ${APP_DATA_DIR}/data/config/:/opt/zoraxy/config/
Reminder, you'll need to make the equivalent change to the committed directories.
There was a problem hiding this comment.
Done! Moved it one level deeper inside a parent data directory.
zoraxy/docker-compose.yml
Outdated
| volumes: | ||
| - ${APP_DATA_DIR}/config/:/opt/zoraxy/config/ | ||
| # ${APP_DATA_DIR}/zerotier/config/:/var/lib/zerotier-one/ -> If you are not using ZeroTier, this directory is irrelevant. | ||
| - /var/run/docker.sock:/var/run/docker.sock |
There was a problem hiding this comment.
We can remove the docker socket bind based on the discussion above: #1751 (review)
There was a problem hiding this comment.
Done! Removed the Docker socket bind as discussed.
zoraxy/umbrel-app.yml
Outdated
| description: >- | ||
| Zoraxy is a powerful, user-friendly reverse proxy server and forwarding tool, designed to provide a straightforward, flexible, and secure method for managing web traffic within home labs and developer environments. Written in Go, Zoraxy caters to both novice and experienced users by simplifying the process of routing HTTP requests to backend servers, enabling efficient and reliable service management without relying on traditional, more complex servers like NGINX or Apache. |
There was a problem hiding this comment.
I'm thinking we should add port instructions and a warning at the top here, what do you think? You can just steal it directly from the nginx proxy manager app:
umbrel-apps/nginx-proxy-manager/umbrel-app.yml
Lines 8 to 17 in 9432ddf
There was a problem hiding this comment.
💪 Added port instructions and a warning at the top, following the nginx proxy manager app format.
| gallery: | ||
| - 1.jpg | ||
| - 2.jpg | ||
| - 3.jpg |
There was a problem hiding this comment.
You've got 5 lovely gallery images, so gotta add 4 and 5 😉
There was a problem hiding this comment.
Thank you! 😃 Added gallery images 4 and 5 to complete the set. 👌
|
| Severity | File | Description |
|---|---|---|
| ℹ️ | zoraxy/docker-compose.yml |
Mounted file/directory "/zoraxy/data/config/" doesn't exist: The volume "${APP_DATA_DIR}/data/config/:/opt/zoraxy/config" tries to mount the file/directory "/zoraxy/data/config/", but it is not present. This can lead to permission errors! |
| ℹ️ | zoraxy/docker-compose.yml |
External port mapping "41080:80": Port mappings may be unnecessary for the app to function correctly. Docker's internal DNS resolves container names to IP addresses within the same network. External access to the web interface is handled by the app_proxy container. Port mappings are only needed if external access is required to a port not proxied by the app_proxy, or if an app needs to expose multiple ports for its functionality (e.g., DHCP, DNS, P2P, etc.). |
| ℹ️ | zoraxy/docker-compose.yml |
External port mapping "41443:443": Port mappings may be unnecessary for the app to function correctly. Docker's internal DNS resolves container names to IP addresses within the same network. External access to the web interface is handled by the app_proxy container. Port mappings are only needed if external access is required to a port not proxied by the app_proxy, or if an app needs to expose multiple ports for its functionality (e.g., DHCP, DNS, P2P, etc.). |
| ℹ️ | zoraxy/docker-compose.yml |
Potentially using unsafe user in service "server": The default container user "root" can lead to security vulnerabilities. If you are using the root user, please try to specify a different user (e.g. "1000:1000") in the compose file or try to set the UID/PUID and GID/PGID environment variables to 1000. |
zoraxy/umbrel-app.yml |
"icon" and "gallery" needs to be empty for new app submissions: The "icon" and "gallery" fields must be empty for new app submissions as it is being created by the Umbrel team. |
Legend
| Symbol | Description |
|---|---|
| ❌ | Error: This must be resolved before this PR can be merged. |
| Warning: This is highly encouraged to be resolved, but is not strictly mandatory. | |
| ℹ️ | Info: This is just for your information. |
Hey @nmfretz I’ve made the necessary adjustments. Hope I didn’t miss any points. Thank you for your detailed explanations. These will help me for future projects. 👍 |
App Submission
Zoraxy - Reverse Proxy Manager
...
Icon
...
Gallery images
...
I have tested my app on: