[ENHANCEMENTS] Certificate on a Local only proxy
Thanks for your hard work, guys. Zoraxy works great; I just have this little thing bugging me:
Is your feature request related to a problem? Please describe. Let's say I want to create an HTTPS proxy that is only available on my LAN, but I already have some other proxies accessible from the WAN. The only way I see is by disabling the A record on my (sub)domain or configuring an access rule to only let LAN IPs pass through that proxy. The issue is I cannot get a certificate then (or at least not get the auto-renew to work) as it would fail the challenge.
Describe the solution you'd like Get a way to let the certificate challenge work while forbidding traffic from outside the LAN from reaching the service on the actual (sub)domain.
From my understanding (maybe I'm wrong, I'm a newbie) the Let's Encrypt challenge works by creating a file the CA can check on the (sub)domain to verify ownership. Is there a way to let that file be accessible to the web but not the actual service that uses that (sub)domain?
Describe alternatives you've considered For now I manually recreate the A record each time I need to renew the certificate on those proxies.
I know some would say that using HTTPS on your LAN is overkill, but I like to do it. I feel safer, especially since users on my LAN cannot be trusted to keep everything secure. Some apps require HTTPS by default too, but I wouldn't want to make them accessible to the outside world.
Personally, I have my private and public services on separate vnets and use different proxies (zoraxy on the public one, npm on the private one). I remember that when setting up certificates on npm I had to use a DNS challenge.
It complicates the setup quite a lot (even if I admit it makes it more secure). If possible I would like to keep everything in one place for ease of management. :smiley:
No, I get that, my main point was to suggest you set it up as a DNS challenge (how you do it depends on your DNS provider; I use Cloudflare so it was pretty easy to set up an API key).
I don't know, have you considered there is an issue with your setup? I think there are only three use cases that make sense to me:
- If you are in a trusted environment (e.g. your home LAN), you mostly won't need a certificate (unless your site has some sort of requirement that must go through SSL / HTTPS, e.g. WebRTC, but then a self-signed cert with a browser "I trust this certificate" confirmation will also work). If you don't trust your users in your own network, you should use (3).
- Another situation is that you want to expose your site to the internet, then you will need a public CA signed certificate installed. Since your site has to be reachable from the internet, the current Zoraxy ACME mechanism should work (or DNS challenge if you want to use a wildcard cert to hide which subdomains you are listening on).
- You have your own self-hosted CA for your internal services and you sign your own certificate using your own CA key. In that case you can upload the certificate to Zoraxy manually in the SSL / TLS page.
Maybe you can provide more context on what you are trying to do here?
I'm still a beginner/mid in the whole homelab thing and I would like to avoid as much as possible needing to run my own CA, as it would complicate my network even more, especially since I run most of my stuff on a Raspberry Pi.
Some apps like Vaultwarden really do not like to be without a certificate and don't like self-signed. If I remember correctly we can't use the PC or phone apps without a proper certificate.
The reason why I suggested this was because I think I'm not the only one who would benefit from this feature; a one-click way to handle domains and SSL for local-only proxies would make life easier for all the newbies, especially if it means we don't need to pay attention to certificate expiration. I think Zoraxy is one of the best reverse proxies for beginners and it would also help to simplify network management instead of needing to type a lot of command lines and manage 2-3 services in parallel.
I'm not too technically aware of how the feature could be implemented, but I thought it could be a kind of toggle that blocks all incoming traffic from the WAN to a specific proxy but lets the ACME challenge pass through when the renewal is in progress. If it's using an address like sub.domain.com/challenge.php, let traffic go to that challenge.php file, but if something tries to access any other URL on that (sub)domain it blocks it.
I don't know the whole DNS challenge thing so I will look into it. It's not just a wildcard, right? I almost made a huge mistake with that in the beginning: I had a wildcard in my DNS provider as an A record and in Zoraxy to handle the certificate renewal of the wildcard, and I noticed it was opening all my services to the web... At that time I was protecting my local-only services by deleting the corresponding A record on my DNS provider after generating the certificate.
(sorry for my definitely broken English, I'm not a native speaker and I'm self-taught...)
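The toggle described in the post above (block WAN peers on one proxy host, but let the ACME validation requests through so renewal keeps working) can be expressed as a small HTTP middleware. The block below is an added example written for this thread; it is not Zoraxy's own code and it does not use Zoraxy's internals. It assumes the HTTP-01 challenge lives under `/.well-known/acme-challenge/` (the path prefix defined by RFC 8555, rather than a `challenge.php` file), that the `lanNets` list is the operator's own trusted ranges (constructed here from the RFC 1918 blocks plus loopback), and that the names `Allow` and `LANOnlyWithACME` are hypothetical. The decision is made on the TCP peer address, not on `X-Forwarded-For`, because that header is client-controlled and would let an outside client claim a LAN address; the path is cleaned first so that `/.well-known/acme-challenge/../something` cannot borrow the challenge exemption.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"path"
	"strings"
)

// HTTP-01 validation requests arrive under this prefix (RFC 8555).
const acmeChallengePrefix = "/.well-known/acme-challenge/"

// lanNets is a constructed trust list for the example; replace with your own subnets.
var lanNets = mustParseCIDRs("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// remoteIP parses the TCP peer address ("host:port") of a request. It deliberately
// ignores X-Forwarded-For, which any client can set.
func remoteIP(remoteAddr string) net.IP {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	return net.ParseIP(host)
}

func isTrusted(ip net.IP, nets []*net.IPNet) bool {
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Allow is the policy decision (hypothetical name): ACME challenge URLs are
// reachable from anywhere so renewal keeps working; every other path requires
// a peer inside the trusted ranges. The reason string is meant for the access log.
func Allow(reqPath, remoteAddr string, nets []*net.IPNet) (bool, string) {
	if strings.HasPrefix(path.Clean(reqPath), acmeChallengePrefix) {
		return true, "acme-challenge"
	}
	if isTrusted(remoteIP(remoteAddr), nets) {
		return true, "lan-peer"
	}
	return false, "wan-peer-blocked"
}

// LANOnlyWithACME (hypothetical name) wraps a proxy handler with the policy above.
func LANOnlyWithACME(next http.Handler, nets []*net.IPNet) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, reason := Allow(r.URL.Path, r.RemoteAddr, nets)
		log.Printf("host=%s path=%s peer=%s decision=%s", r.Host, r.URL.Path, r.RemoteAddr, reason)
		if !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-in for the private backend being proxied.
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "private service, path %s\n", r.URL.Path)
	})
	// In a real deployment the ACME client's challenge handler is mounted under
	// acmeChallengePrefix on the same mux; this stub only stands in for it.
	mux := http.NewServeMux()
	mux.HandleFunc(acmeChallengePrefix, func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "challenge token would be served here")
	})
	mux.Handle("/", backend)
	log.Fatal(http.ListenAndServe(":8080", LANOnlyWithACME(mux, lanNets)))
}
```

Run it and request `/` from a LAN address and from a public one: the LAN request reaches the backend, the public request gets 403, and `/.well-known/acme-challenge/<token>` is answered for both. Note that this only protects the HTTP listener; the DNS record still points at the proxy, so the DNS-challenge approach suggested earlier in the thread remains the cleaner option when you do not want the host reachable from outside at all.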