How NyxGuard Manager works

A single Docker container bundles nginx at the edge, a Node.js REST API, a React SPA, and MariaDB — with s6-overlay managing the process tree and persistent volumes for all data.

Request flow & component layout

:80 HTTP · :443 HTTPS
:8443 HTTPS · LAN-only optional
all requests enter here
nginx — Edge & Security Layer :80 · :443 · :8443
Every request hits nginx first. Security checks run here — before any application code executes. Blocked requests never reach the backend.
WAF rules per-host Rate limiting GeoIP country filter Bot blocking TLS termination LAN access control ↔ Reverse proxy to upstreams Serves React SPA (port 8443)
proxied to internal API
Node.js API — Business Logic :3000 internal
Express REST API that handles everything the frontend needs — config management, security monitoring, certificate lifecycle, integrations, and the web terminal. Never exposed directly to the internet.
JWT RS256 auth on all routes WebSocket terminal (node-pty) Attack & threat monitor nginx config generator Certbot / SSL lifecycle Prometheus metrics endpoint SSO / OIDC callback Webhook · Slack · Email notifications
reads & writes
MariaDB Knex ORM
All application state. Runs as a separate nyxguard-db container.
Proxy host config Users & roles Attack events Audit log WAF rules Settings
Docker Volumes persistent
All data survives container restarts and updates. Never overwritten by the update process.
nyxguard_data → /data/ nyxguard_letsencrypt nyxguard_db certbot pip plugins
external integrations
Prometheus / Grafana
scrape /integrations/metrics
Authentik SSO
OIDC → /api/auth/sso/callback
MaxMind GeoIP2
.mmdb — local lookup only
Notifications
Webhook · Slack · Email

Frontend

  • React 18 + TypeScript
  • Vite build system
  • Mantine UI components
  • React Query (data fetching)
  • xterm.js (web terminal)
  • FormatJS ICU i18n (6 langs)
  • 12 built-in themes

Backend API

  • Node.js + Express
  • Knex ORM (MariaDB)
  • JWT RS256 auth middleware
  • WebSocket server (ws)
  • node-pty (terminal)
  • Prometheus metrics
  • Biome linter/formatter

Proxy Engine

  • nginx (latest stable)
  • Let's Encrypt via Certbot
  • Dynamic config generation
  • WAF via nginx map/if rules
  • GeoIP2 module
  • Rate limit zones
  • LAN access include

Container / Init

  • Docker + Compose
  • s6-overlay process supervisor
  • Ordered startup scripts
  • Certbot site-packages persist
  • IPv6 disable stamp
  • Exponential backoff on start
  • Health check endpoint

What happens when a request arrives

1

TCP connection arrives at nginx (:80 / :443)

nginx accepts the connection. For HTTPS, TLS handshake completes using the configured certificate. For HTTP, a redirect to HTTPS is issued if forced HTTPS is enabled on the proxy host.

2

GeoIP & network access checks

nginx evaluates the client IP against GeoIP2 country rules and GlobalGate CIDR/IP rules. If the client is in a blocked region or blocklisted IP, a 403 is returned immediately.

3

Rate limiting evaluation

The client IP is checked against the nginx limit zone for this proxy host. If the request rate exceeds the configured threshold, the burst queue fills and subsequent requests receive 429 responses.

4

WAF rule evaluation

Request URI, headers, and body are evaluated against the WAF rules for this proxy host. Matching patterns result in a 403 block and an attack event logged to the database.

5

Bot / user-agent check

The User-Agent header is checked against the bot signature list. Known bad bots are blocked. SEO-safe allowlisted bots (Googlebot, etc.) bypass this check regardless of other bot rules.

6

Proxy to backend

If all checks pass, nginx proxies the request to the configured upstream (your backend service). Response headers and body are forwarded back to the client through nginx.


What happens when the container starts

s6-overlay runs a set of ordered shell scripts before any service starts. Each script has one job — they run sequentially, and each one depends on the previous completing successfully.

Filesystem preparation
00-all.sh Global init

Sources the shared environment file so all subsequent scripts inherit the same variables and base paths. This is the very first script that runs — everything else depends on it.

20-paths.sh Directory layout

Creates the required directory tree inside /data/ for nginx config, SSL certificates, logs, and access lists.

30-ownership.sh File ownership

Corrects file ownership on /data/ so the backend process can read and write its files.

35-certbot-persist.sh Certbot plugin persistence

Ensures Certbot DNS plugins installed via pip are stored in the persistent data volume at /data/certbot-site-packages/. This means plugins installed once remain available across container restarts without any manual reinstallation.

nginx configuration
50-ipv6.sh IPv6 config

Configures nginx for the correct network stack based on whether IPv6 is enabled or disabled.

65-access-portal-migration.sh Access portal migration

Migrates the nginx access portal configuration to the current per-host include structure used by all proxy hosts.

70-generate-ssl.sh Admin panel SSL

Generates a self-signed TLS certificate for the admin panel on port 8443 using openssl, so the admin UI is immediately accessible over HTTPS.

Services
s6 · backend Node.js API

Starts the Express backend, connects to the database, and launches the security monitoring services that power the dashboard.

s6 · frontend nginx + React SPA

Starts nginx to serve the admin UI on port 8443 and begin accepting proxy traffic on ports 80 and 443.


Full dependency overview

ComponentTechnologyPurpose
Proxy Enginenginx (latest)Reverse proxy, SSL termination, WAF rules, rate limiting, GeoIP
SSL / TLSCertbot + Let's EncryptAutomatic certificate provisioning and renewal
GeoIPMaxMind GeoIP2Country-based access control, evaluated locally
Backend APINode.js + ExpressREST API, WebSocket, business logic, nginx config generation
DatabaseMariaDB (Knex ORM)Configuration, users, audit log, attack events, settings
AuthenticationJWT (RS256) + bcryptToken auth, password hashing, 2FA TOTP
Terminalnode-pty + wsWebSocket-based pseudo-terminal for the web terminal feature
FrontendReact 18 + Vite + TypeScriptAdmin SPA, all UI pages and forms
UI LibraryMantineComponent library for the React UI
i18nFormatJS (react-intl)ICU-format translations in 6 languages
MetricsPrometheus (custom endpoint)Attack counts, traffic stats, system health gauges
Container Inits6-overlayProcess supervisor, ordered startup scripts
DeploymentDocker + Docker ComposeContainer packaging and orchestration