{"id":29016439,"url":"https://github.com/oncetap/docker-reverse-proxy","last_synced_at":"2026-04-10T15:05:58.827Z","repository":{"id":300601760,"uuid":"1006517254","full_name":"oncetap/docker-reverse-proxy","owner":"oncetap","description":"Docker Compose + Traefik + Cloudflare + Let's Encrypt","archived":false,"fork":false,"pushed_at":"2025-06-22T16:08:59.000Z","size":4997,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-06-22T17:21:51.057Z","etag":null,"topics":["adguardhome","beszel","busybox","cloudflare","counter-strike","dns-over-https","dns-over-tls","dns-server","docker","docker-compose","fastapi","fastdl","letsencrypt","mtls","musl","python","static-site","tls-certificate","traefik"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oncetap.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-22T12:58:40.000Z","updated_at":"2025-06-22T17:17:09.000Z","dependencies_parsed_at":"2025-06-22T17:33:18.177Z","dependency_job_id":null,"html_url":"https://github.com/oncetap/docker-reverse-proxy","commit_stats":null,"previous_names":["oncetap/docker-reverse-proxy"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/oncetap/docker-reverse-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oncetap%2Fdocker-reverse-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oncetap%2Fdocker-reverse-proxy/t
ags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oncetap%2Fdocker-reverse-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oncetap%2Fdocker-reverse-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oncetap","download_url":"https://codeload.github.com/oncetap/docker-reverse-proxy/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oncetap%2Fdocker-reverse-proxy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261960448,"owners_count":23236575,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adguardhome","beszel","busybox","cloudflare","counter-strike","dns-over-https","dns-over-tls","dns-server","docker","docker-compose","fastapi","fastdl","letsencrypt","mtls","musl","python","static-site","tls-certificate","traefik"],"created_at":"2025-06-25T22:08:28.034Z","updated_at":"2025-12-30T21:28:19.067Z","avatar_url":"https://github.com/oncetap.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Setup\n\n## Notice\nAll configuration files are already pre-configured, edits are the only thing that's left to get their containers up and running.\n\nThese containers are also expected to be run with `sudo` if you're not root, and outside of the home directory.\n\n## Requirements\n- Certbot with Cloudflare DNS Plugin (`certbot-dns-cloudflare`\u003csup\u003eAUR\u003c/sup\u003e)\n- Docker\n- Docker Compose\n- `sudo docker network create proxy`\n- `sudo docker 
network create --internal socket-proxy-net`\n- ufw\n- `sudo ufw allow 80/tcp; sudo ufw allow 443; sudo ufw allow 853/tcp`\n\n## Increase Buffer Sizes for UDP connections (mainly for HTTP3/QUIC)\n\n`sudo nano /etc/sysctl.d/99-buffer-size.conf` with the contents:\n```\nnet.core.rmem_max=7500000\nnet.core.wmem_max=7500000\n```\nAfterwards, run `sudo sysctl -p /etc/sysctl.d/99-buffer-size.conf`. This config persists across reboots if the Linux distro uses systemd.\n\n## Docker Compose\n- **Build/Start**:\n  - `sudo docker compose up -d`\n  - `sudo docker compose up -d --force-recreate`\n- **Stop**: `sudo docker compose down`\n- **View Logs**:\n  - `sudo docker logs containername --details -f`\n  - `sudo docker compose logs -f`\n- **Inspect**: `sudo docker inspect containername`\n- **Build/Rebuild Dockerfile**: `sudo docker compose build`\n- **Update**:\n  - `docker pull image:tag`\n  - `docker compose pull`\n\n## Cloudflare\nDNS changes might take a few minutes to propagate, especially if TLS certificates are involved with a reverse proxy.\n\nAll DNS records for sites must also be created as DNS-only records on Cloudflare pointing to the server's public address, unless the container and domain are configured like `apptest` to support Cloudflare proxied sites.\n\nThe `domain.tld` zone must also be set to `Encryption mode: Full`. 
This can be changed in `SSL/TLS \u003e Overview \u003e SSL/TLS encryption (Configure) \u003e Custom SSL/TLS (Select) [Full]`.\n\n## Let's Encrypt\n\nCreate an API token via `Cloudflare Dashboard \u003e Profile \u003e API Tokens \u003e Edit zone DNS (Use template) \u003e Include Specific Zone \u003e Copy the generated token`.\n\n`sudo nano /etc/letsencrypt/cloudflare/cloudflare.ini` with the contents:\n```\ndns_cloudflare_api_token = YOUR_COPIED_API_TOKEN\n```\n\n### Create certificates\n\n#### Test the creation\n```\nsudo certbot certonly \\\n  --dns-cloudflare \\\n  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare/cloudflare.ini \\\n  -d domain.tld \\\n  -d \"*.domain.tld\" \\\n  -d \"*.dns.domain.tld\" \\\n  --email email@domain.tld \\\n  --agree-tos \\\n  --no-eff-email \\\n  --dry-run \\\n  --dns-cloudflare-propagation-seconds 60\n```\n\n#### If successful, create it\n```\nsudo certbot certonly \\\n  --dns-cloudflare \\\n  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare/cloudflare.ini \\\n  -d domain.tld \\\n  -d \"*.domain.tld\" \\\n  -d \"*.dns.domain.tld\" \\\n  --email email@domain.tld \\\n  --agree-tos \\\n  --no-eff-email \\\n  --dns-cloudflare-propagation-seconds 60\n```\n\n#### Enable automatic renewal\n```\nsudo systemctl enable --now certbot-renew.timer\n```\n\n## Regarding the TLS Setup Complexity\nFor some reason, Traefik keeps using insecure, self-signed certificates instead of the working, Let's Encrypt-generated certificates.\nBecause of this, the TLS certificate setup has to be done this way.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foncetap%2Fdocker-reverse-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foncetap%2Fdocker-reverse-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foncetap%2Fdocker-reverse-proxy/lists"}