A single Docker container bundles nginx at the edge, a Node.js REST API, a React SPA, and MariaDB — with s6-overlay managing the process tree and persistent volumes for all data.
nginx accepts the connection. For HTTPS, TLS handshake completes using the configured certificate. For HTTP, a redirect to HTTPS is issued if forced HTTPS is enabled on the proxy host.
nginx evaluates the client IP against GeoIP2 country rules and GlobalGate CIDR/IP rules. If the client is in a blocked region or blocklisted IP, a 403 is returned immediately.
The client IP is checked against the nginx limit zone for this proxy host. If the request rate exceeds the configured threshold, the burst queue fills and subsequent requests receive 429 responses.
Request URI, headers, and body are evaluated against the WAF rules for this proxy host. Matching patterns result in a 403 block and an attack event logged to the database.
The User-Agent header is checked against the bot signature list. Known bad bots are blocked. SEO-safe allowlisted bots (Googlebot, etc.) bypass this check regardless of other bot rules.
If all checks pass, nginx proxies the request to the configured upstream (your backend service). Response headers and body are forwarded back to the client through nginx.
s6-overlay runs a set of ordered shell scripts before any service starts. Each script has one job — they run sequentially, and each one depends on the previous completing successfully.
Sources the shared environment file so all subsequent scripts inherit the same variables and base paths. This is the very first script that runs — everything else depends on it.
Creates the required directory tree inside /data/ for nginx config, SSL certificates, logs, and access lists.
Corrects file ownership on /data/ so the backend process can read and write its files.
Ensures Certbot DNS plugins installed via pip are stored in the persistent data volume at /data/certbot-site-packages/. This means plugins installed once remain available across container restarts without any manual reinstallation.
Configures nginx for the correct network stack based on whether IPv6 is enabled or disabled.
Migrates the nginx access portal configuration to the current per-host include structure used by all proxy hosts.
Generates a self-signed TLS certificate for the admin panel on port 8443 using openssl, so the admin UI is immediately accessible over HTTPS.
Starts the Express backend, connects to the database, and launches the security monitoring services that power the dashboard.
Starts nginx to serve the admin UI on port 8443 and begin accepting proxy traffic on ports 80 and 443.
| Component | Technology | Purpose |
|---|---|---|
| Proxy Engine | nginx (latest) | Reverse proxy, SSL termination, WAF rules, rate limiting, GeoIP |
| SSL / TLS | Certbot + Let's Encrypt | Automatic certificate provisioning and renewal |
| GeoIP | MaxMind GeoIP2 | Country-based access control, evaluated locally |
| Backend API | Node.js + Express | REST API, WebSocket, business logic, nginx config generation |
| Database | MariaDB (Knex ORM) | Configuration, users, audit log, attack events, settings |
| Authentication | JWT (RS256) + bcrypt | Token auth, password hashing, 2FA TOTP |
| Terminal | node-pty + ws | WebSocket-based pseudo-terminal for the web terminal feature |
| Frontend | React 18 + Vite + TypeScript | Admin SPA, all UI pages and forms |
| UI Library | Mantine | Component library for the React UI |
| i18n | FormatJS (react-intl) | ICU-format translations in 6 languages |
| Metrics | Prometheus (custom endpoint) | Attack counts, traffic stats, system health gauges |
| Container Init | s6-overlay | Process supervisor, ordered startup scripts |
| Deployment | Docker + Docker Compose | Container packaging and orchestration |