A production-ready, all-in-one reverse proxy OCI image designed for Proxmox LXC deployment. This image consolidates multiple networking and security tools into a single, manageable container with an interactive TUI management console.
| Service | Description | Default Port |
|---|---|---|
| Traefik | Primary reverse proxy with auto-discovery and Let's Encrypt | 80, 443 |
| HAProxy | High-performance TCP/HTTP load balancer | Configurable |
| Cloudflared | Cloudflare Tunnel client for secure remote access | N/A |
| DDNS Updater | Dynamic DNS updates for Cloudflare (supports IPv4/IPv6) | 8000 |
| CrowdSec Bouncer | Web Application Firewall integration | N/A |
| Certs Dumper | Automatic SSL certificate extraction from Traefik | N/A |
| DockFlare | Automated Cloudflare Tunnels via Docker Labels | 8001 |
- Proxmox VE 7.x or later
- Internet connectivity for pulling the OCI image
- Basic familiarity with LXC containers
```bash
# Update package database
pveam update
# Download from GitHub Container Registry
pveam download local ghcr.io/harshsinghmp/reverse-proxy:latest
```

Create a new unprivileged container with the following recommended settings:
| Setting | Recommended Value |
|---|---|
| Template | ghcr.io/harshsinghmp/reverse-proxy:latest |
| Unprivileged | Yes (recommended for security) |
| Memory | 512 MB minimum, 1 GB recommended |
| Swap | 256 MB |
| Disk | 4 GB minimum |
| Network | DHCP or Static IP with IPv6 enabled |
| Features | Nesting, Keyctl (for Docker/Podman discovery) |
After starting the container, access the management console locally:
```bash
# Enter the LXC container
pct enter <LXC_ID>
# Run the management console
rp-manage
```

```bash
# Connect to LXC shell and run management console
lxc exec <container_name> rp-manage
```

The management console allows you to enable/disable services, edit environment variables (using the included nano editor), and manage your entire reverse proxy stack interactively.
On first boot, the setup wizard will automatically launch. Services (Traefik, HAProxy, etc.) will start only after you finish the setup and exit the management console (press 'q').
Once the services are started, you can access the web interfaces using your LXC's IP address (e.g., 192.168.1.100). All services are configured to listen on all interfaces (0.0.0.0).
| Interface | Port | Access |
|---|---|---|
| DockFlare UI | 8001 | http://<LXC_IP>:8001 |
| DDNS Dashboard | 8000 | http://<LXC_IP>:8000 |
The rp-manage command provides an interactive TUI for managing all aspects of the reverse proxy stack.
- Enable/Disable Services: Toggle individual services on or off
- Edit Environment: Configure API tokens, domains, and secrets
- Configuration Editor: Quick access to all service config files
- Service Status: View current state of all applications
```bash
# From Proxmox host
pct enter <LXC_ID>
rp-manage
# Or using lxc-attach
lxc-attach -n <LXC_ID> -- rp-manage
```

Access service dashboards directly via the LXC's IP address:

| Service | URL | Description |
|---|---|---|
| DockFlare UI | http://<LXC_IP>:8001 | Cloudflare Tunnel & DNS management |
All configurations follow a standardized structure under /opt:

```
/opt/
├── traefik/
│   ├── traefik.yml      # Static configuration
│   ├── dynamic.yml      # Dynamic routing rules
│   ├── acme.json        # Let's Encrypt certificates
│   ├── logs/            # Access and error logs
│   └── certs/           # Extracted SSL certificates
├── cloudflared/
│   └── config.yml       # Tunnel configuration
├── ddns/
│   └── config.json      # DDNS provider settings
├── haproxy/
│   └── haproxy.cfg      # HAProxy configuration
├── dockflare/
│   ├── config.json      # DockFlare configuration
│   └── data/            # DockFlare persistent state
└── configs/
    ├── .env             # Environment variables (secrets)
    └── apps.state       # Service enable/disable state
```
Edit the .env file via the management console or directly:

```bash
vi /opt/configs/.env
```

Required Variables:

| Variable | Description |
|---|---|
| CF_API_TOKEN | Cloudflare API token for DNS challenges |
| CF_EMAIL | Cloudflare account email |
| CF_ZONE_ID | Cloudflare Zone ID for your domain |
| MAIN_DOMAIN | Primary domain (e.g., example.com) |
| TUNNEL_TOKEN | Cloudflare Tunnel token |
Optional Variables:

| Variable | Description |
|---|---|
| CROWDSEC_BOUNCER_API_KEY | CrowdSec bouncer API key |
| CROWDSEC_AGENT_HOST | CrowdSec LAPI address |
| LOG_LEVEL | Logging verbosity (DEBUG, INFO, WARN, ERROR) |
| GIN_MODE | Bouncer mode (debug, release) |
| Service | Config Path | Format |
|---|---|---|
| Traefik | /opt/traefik/config/traefik.yml | YAML |
| HAProxy | /opt/haproxy/config/haproxy.cfg | HAProxy config |
| Cloudflared | /opt/cloudflared/config/config.yml | YAML |
| DDNS | /opt/ddns/config/config.json | JSON |
Edit /opt/traefik/config/dynamic.yml:

```yaml
http:
  routers:
    my-service:
      rule: "Host(`myapp.example.com`)"
      service: my-service
      entryPoints:
        - websecure
      tls:
        certResolver: cloudflare
  services:
    my-service:
      loadBalancer:
        servers:
          - url: "http://192.168.1.100:8080"
```

If running containers on other hosts, use Traefik labels:
```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.myapp.rule=Host(`myapp.example.com`)"
  - "traefik.http.services.myapp.loadbalancer.server.port=8080"
```

```bash
# Clone the repository
git clone https://github.com/harshsinghmp/reverse-proxy.git
cd reverse-proxy
# Build the image
docker build -t reverse-proxy:local .
# Run for testing
docker run -d --name rp-test \
  -p 80:80 -p 443:443 -p 8080:8080 \
  reverse-proxy:local
```

| Argument | Default | Description |
|---|---|---|
| TRAEFIK_VERSION | 3.6.5 | Traefik version to install |
- Unprivileged Container: Always run as unprivileged LXC
- Secrets Management: Store sensitive values in /opt/configs/.env
- CrowdSec Integration: Enable the bouncer for WAF protection
- Cloudflare Tunnel: Avoid exposing ports directly; use tunnels
- SSL/TLS: Automatic certificate management via Let's Encrypt
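As an added example (not part of the project or this README), a small Python checker for the .env file described in the variables tables and in the secrets-management item above: it parses the file, verifies that every required variable is set, validates LOG_LEVEL and GIN_MODE against the listed values, and flags a file mode that lets group or other read the secrets. The sample .env inside is constructed, and treating anything looser than 0600 as a problem is this example's assumption, not a requirement stated by the project.

```python
import os
import re
import stat

# Variable names and allowed values come from this README's .env tables.
REQUIRED_VARS = ("CF_API_TOKEN", "CF_EMAIL", "CF_ZONE_ID", "MAIN_DOMAIN", "TUNNEL_TOKEN")
ALLOWED_VALUES = {"LOG_LEVEL": {"DEBUG", "INFO", "WARN", "ERROR"},
                  "GIN_MODE": {"debug", "release"}}
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed sample .env with deliberate mistakes; not real credentials.
SAMPLE_ENV = """# comment line
CF_API_TOKEN="example-token"
CF_EMAIL=admin@example.com
CF_ZONE_ID=
MAIN_DOMAIN=example.com # primary zone
LOG_LEVEL=VERBOSE
"""

def parse_dotenv(text):
    """Parse KEY=value lines, skipping comments and blanks, stripping matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # not an assignment line
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # quoted: keep inner text verbatim
        elif " #" in value:
            value = value.split(" #", 1)[0].rstrip()  # unquoted trailing comment
        env[key] = value
    return env

def check_env(env, mode=None):
    """Return a list of problems; an empty list means the file passes."""
    problems = [f"missing or empty required variable {n}" for n in REQUIRED_VARS if not env.get(n)]
    for name, allowed in ALLOWED_VALUES.items():
        if name in env and env[name] not in allowed:
            problems.append(f"{name}={env[name]!r} is not one of {sorted(allowed)}")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(mode & 0o777)} lets group/other read secrets; chmod 600")
    return problems

def check_env_file(path="/opt/configs/.env"):
    with open(path) as fh:
        return check_env(parse_dotenv(fh.read()), os.stat(path).st_mode)
```

Run check_env_file() inside the LXC after editing the file; it returns an empty list when the file passes.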
```bash
# Traefik logs
tail -f /opt/traefik/logs/traefik.log
tail -f /opt/traefik/logs/access.log
# Container logs (from Proxmox host)
pct console <LXC_ID>
```

```bash
# Restart the entire LXC
pct restart <LXC_ID>
# Or restart just the entrypoint
pkill -f entrypoint.sh && /usr/local/bin/entrypoint.sh &
```

| Issue | Solution |
|---|---|
| Services not starting | Check /opt/configs/apps.state for enabled status |
| SSL certificates failing | Verify Cloudflare API token has DNS edit permissions |
| DDNS not updating | Check /opt/ddns/config/config.json and API credentials |
This project is licensed under the MIT License - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
One of the most powerful features of this stack is the integration with DockFlare. It allows you to automatically manage Cloudflare DNS and Tunnels by simply adding labels to any container on any node in your network.
The DockFlare Master runs automatically inside this LXC. It manages the Cloudflare API and provides the Web UI for configuration.
To discover containers on other Proxmox nodes, LXCs, or VMs, deploy the lightweight DockFlare Agent on each host:
```bash
docker run -d \
  --name dockflare-agent \
  --restart always \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -e MASTER_URL=http://<REVERSE_PROXY_IP>:8001 \
  -e MASTER_KEY=your_master_key \
  alplat/dockflare:stable-agent
```

Once the agent is running, simply add these labels to any container:

```yaml
labels:
  - "dockflare.enable=true"
  - "dockflare.hostname=myapp.example.com"
  - "dockflare.service=http://<CONTAINER_IP>:<PORT>"
```

DockFlare will automatically:
- Create a Cloudflare Tunnel (or use an existing one).
- Create the DNS CNAME record.
- Configure Zero Trust Access policies (optional).