{"id":28518317,"url":"https://github.com/liujed/dns01proxy","last_synced_at":"2026-04-02T18:29:16.570Z","repository":{"id":297849893,"uuid":"998093566","full_name":"liujed/dns01proxy","owner":"liujed","description":"Proxy server for ACME DNS-01 challenges","archived":false,"fork":false,"pushed_at":"2026-03-29T04:37:50.000Z","size":248,"stargazers_count":6,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-29T07:26:29.062Z","etag":null,"topics":["acme","acme-dns","acme-sh","acmesh","caddy","go","golang","https","https-certificate","lego","security","ssl","ssl-certificate","tls","tls-certificate"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/liujed.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-07T21:09:58.000Z","updated_at":"2026-03-29T04:36:56.000Z","dependencies_parsed_at":null,"dependency_job_id":"6c24181c-c5ec-4878-9357-9b42a484ed1d","html_url":"https://github.com/liujed/dns01proxy","commit_stats":null,"previous_names":["liujed/dns01proxy"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/liujed/dns01proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liujed%2Fdns01proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liujed%2Fdns01proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/liujed%2Fdns01proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liujed%2Fdns01proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/liujed","download_url":"https://codeload.github.com/liujed/dns01proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liujed%2Fdns01proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31312901,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acme","acme-dns","acme-sh","acmesh","caddy","go","golang","https","https-certificate","lego","security","ssl","ssl-certificate","tls","tls-certificate"],"created_at":"2025-06-09T05:36:54.575Z","updated_at":"2026-04-02T18:29:16.562Z","avatar_url":"https://github.com/liujed.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Proxy server for ACME DNS-01 challenges\n\n**dns01proxy** is a server for using DNS-01 challenges to get TLS/SSL\ncertificates from Let's Encrypt, or any ACME-compatible certificate authority,\nwithout exposing your DNS credentials to every host that needs a certificate.\n\nIt acts as a 
proxy for DNS-01 challenge requests, allowing hosts to delegate\ntheir DNS record updates during ACME validation. This makes it possible to\nissue certificates to internal or private hosts that can't (or shouldn't) have\ndirect access to your DNS provider or API keys.\n\ndns01proxy is designed to work with:\n* [acme.sh](https://acme.sh/)'s\n  [`acmeproxy`](https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_acmeproxy)\n  provider,\n* [lego](https://go-acme.github.io/lego/)'s\n  [`httpreq`](https://go-acme.github.io/lego/dns/httpreq/index.html) DNS\n  provider, and\n* [Caddy](https://caddyserver.com/)'s\n  [`acmeproxy`](https://caddyserver.com/docs/modules/dns.providers.acmeproxy)\n  DNS provider module.\n\n## Features\n\n* Privilege separation. Internal or private hosts can complete DNS-01\n  challenges without having direct access to DNS API keys. In turn, the private\n  keys for issued certificates stay private to the ACME clients.\n* HTTPS built-in, automatic, and always on. dns01proxy uses its configured DNS\n  credentials to automatically get and renew its own TLS/SSL certificate.\n* Mandatory client authentication using HTTP Basic Authentication.\n* Optional per-client policies for limiting which DNS names each client can get\n  a certificate for.\n\n## Installing dns01proxy\n\nThere are two options for getting dns01proxy.\n\n### Pre-compiled binaries\n\ndns01proxy is built using Caddy, and uses DNS provider modules that are written\nby the Caddy community. dns01proxy ships a number of binaries, each built with\na single DNS module. To install, just download a build of the [latest\nrelease](https://github.com/liujed/dns01proxy/releases) that matches your DNS\nprovider.\n\n\u003e [!CAUTION]\n\u003e Always check that you trust the author of the DNS module. 
The\n\u003e [release notes](https://github.com/liujed/dns01proxy/releases) have details\n\u003e about the source of the DNS module in each build.\n\n### Caddy module\n\nAlternatively, dns01proxy is also available as a Caddy module, which adds\ndns01proxy to [Caddy](https://caddyserver.com/) as a subcommand, app, and HTTP\nhandler. See the [caddy-dns01proxy](https://github.com/liujed/caddy-dns01proxy)\nproject for more on this second option.\n\n## Configuring dns01proxy\n\ndns01proxy is configured through a single TOML file. Below is an example\nconfiguration for running at `https://dns01proxy.example.com` with Cloudflare\nas a DNS provider.\n\n```toml\nhostnames = [\"dns01proxy.example.com\"]\nlisten = [\":443\"]\n\n[dns.provider]\nname = \"cloudflare\"\napi_token = \"{env.CF_API_TOKEN}\"  # Reads from an environment variable.\n\n# One for each user. Password is hashed using `dns01proxy hash-password`.\n[[accounts]]\nusername = \"AzureDiamond\"\npassword = \"$2a$14$N5bGBXf7zwAW9Ym7IQ/mxOHTGsvFNOTEAiN4/r1LnvfzYCpiWcHOa\"\nallow_domains = [\"private.example.com\"]\n```\n\nEach DNS provider has a different set of configuration parameters. See the\nCaddy documentation link for your provider in the [release\nnotes](https://github.com/liujed/dns01proxy/releases). Caddy documents its\nmodules' options in JSON, but remember that you'll need to configure the module\nin TOML.\n\n\u003cdetails\u003e\n\u003csummary\u003eFull structure\u003c/summary\u003e\n\n```toml\n# The server's hostnames. Used for obtaining TLS/SSL certificates.\nhostnames = [\"\u003chostname\u003e\"]\n\n# The sockets on which to listen.\nlisten = [\"\u003cip_addr:port\u003e\"]\n\n# Configures the set of trusted proxies, for accurate logging of client IP\n# addresses. This must be an `http.ip_sources` Caddy module. See Caddy's module\n# documentation at https://caddyserver.com/docs/modules/\n#\n# Note that Caddy documents its modules' options in JSON. You'll need to\n# configure the module in TOML. 
For example, to configure\n# `http.ip_sources.static`:\n#\n#     [trusted_proxies]\n#     source = \"static\"\n#     ranges = [\"10.0.0.1\", \"192.168.0.1\"]\n#\n[trusted_proxies]\nsource = \"\u003cmodule_name\u003e\"\n# •••  # Module-specific configuration goes here.\n\n[dns]\n# The TTL to use in DNS TXT records. Optional. Not usually needed.\nttl = \"\u003cttl\u003e\"  # e.g., \"2m\"\n\n# Custom DNS resolvers to prefer over system or built-in defaults. Set this to\n# a public resolver if you are using split-horizon DNS.\nresolvers = [\"\u003cresolver\u003e\"]\n\n# The DNS provider for publishing DNS-01 responses. This must be a\n# `dns.providers` Caddy module that is compiled into your dns01proxy binary.\n# See the Caddy documentation link for your provider in the release notes:\n# https://github.com/liujed/dns01proxy/releases\n#\n# Note that Caddy documents its modules' options in JSON. You'll need to\n# configure the module in TOML. For example, to configure\n# `dns.providers.cloudflare`:\n#\n#     [dns.provider]\n#     name = \"cloudflare\"\n#     api_token = \"{env.CF_API_TOKEN}\"  # Reads from an environment variable.\n#\n[dns.provider]\nname = \"\u003cprovider_name\u003e\"\n# •••  # Module-specific configuration goes here.\n\n\n# Configures HTTP basic authentication and the domains for which each user can\n# get TLS/SSL certificates.\n[[accounts]]\nuser_id = \"\u003cuserID\u003e\"\n\n# To hash passwords, use `dns01proxy hash-password`.\npassword = \"\u003chashed_password\u003e\"\n\n# These largely follow Smallstep's domain name rules:\n#\n#   https://smallstep.com/docs/step-ca/policies/#domain-names\n#\n# Due to a limitation in ACME and DNS-01, allowing a domain also allows\n# wildcard certificates for that domain.\nallow_domains = [\"\u003cdomain\u003e\"]\ndeny_domains = [\"\u003cdomain\u003e\"]\n```\n\n\u003c/details\u003e\n\nIf you prefer JSON, then just use the same JSON structure as the configuration\nfor the [`dns01proxy` Caddy 
app](https://github.com/liujed/caddy-dns01proxy#configuring-a-dns01proxy-app-in-json).\n\n## Running dns01proxy\n\nTo run dns01proxy, use the `run` subcommand. For example,\n```\ndns01proxy run --config /usr/local/etc/dns01proxy.toml\n```\n\n## Integrating with acme.sh\n\ndns01proxy works with [acme.sh](https://acme.sh/)'s\n[`acmeproxy`](https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_acmeproxy)\nprovider:\n```sh\nexport ACMEPROXY_ENDPOINT='https://dns01proxy.example.com'\nexport ACMEPROXY_USERNAME='AzureDiamond'\nexport ACMEPROXY_PASSWORD='hunter2'\nacme.sh --issue --dns dns_acmeproxy -d example.com\n```\n\n## Integrating with lego\n\ndns01proxy works with [lego](https://go-acme.github.io/lego/)'s\n[`httpreq`](https://go-acme.github.io/lego/dns/httpreq/index.html) DNS\nprovider:\n```sh\nexport HTTPREQ_ENDPOINT='https://dns01proxy.example.com'\nexport HTTPREQ_USERNAME='AzureDiamond'\nexport HTTPREQ_PASSWORD='hunter2'\nlego --email you@example.com --dns httpreq -d example.com run\n```\n\n## Integrating with Caddy\n\ndns01proxy works with [Caddy](https://caddyserver.com/)'s\n[`acmeproxy`](https://caddyserver.com/docs/modules/dns.providers.acmeproxy) DNS\nprovider module:\n```json\n{\n  \"endpoint\": \"https://dns01proxy.example.com\",\n  \"username\": \"AzureDiamond\",\n  \"password\": \"hunter2\"\n}\n```\n\n## Acknowledgements\n\ndns01proxy is a reimplementation of\n[acmeproxy](https://github.com/mdbraber/acmeproxy/), which is no longer being\ndeveloped. 
Whereas acmeproxy was built on top of lego, dns01proxy uses\n[libdns](https://github.com/libdns/libdns) under the hood, which allows for\nbetter compatibility with acme.sh.\n\n[acmeproxy.pl](https://github.com/madcamel/acmeproxy.pl) is another\nreimplementation of acmeproxy, written in Perl.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fliujed%2Fdns01proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fliujed%2Fdns01proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fliujed%2Fdns01proxy/lists"}