Zoraxy is a general purpose HTTP reverse proxy and forwarding tool written in Go, with a modern web interface and built in Let's Encrypt automation. It fills the same niche as Nginx Proxy Manager but ships as a single static binary with no external database or runtime dependencies, which makes it a clean fit for a lightweight RamNode VPS.
This deployment uses the native binary rather than a container, runs it under a dedicated system user, fronts TLS with Zoraxy's own ACME client, and keeps the management panel off the public internet. Nothing here requires a mail service. Zoraxy removed its deprecated SMTP feature in a recent release, and the ACME email address is only what Let's Encrypt keeps on file for expiry notices, so the setup stays inside RamNode's acceptable use policy.
Prerequisites
- A RamNode VPS running Ubuntu 24.04 LTS (Debian 12 works with minor path differences)
- Root or a sudo-enabled user
- One or more domains or subdomains with A records (and AAAA for IPv6) pointing at your VPS
- Backend services to proxy, typically apps listening on 127.0.0.1 ports
Replace app.example.com and the trusted admin IP placeholder with your real values throughout.
1. Prepare the system
sudo apt update && sudo apt upgrade -y
sudo apt install -y wget ca-certificates
Create a dedicated system user and the install directory. Zoraxy writes its config, database, and logs relative to its working directory, so give it a home under /opt:
sudo useradd --system --no-create-home --shell /usr/sbin/nologin zoraxy
sudo mkdir -p /opt/zoraxy
sudo chown -R zoraxy:zoraxy /opt/zoraxy
2. Install the Zoraxy binary
Confirm your architecture, then download the matching release. The latest URL always resolves to the current stable build:
uname -m # x86_64 -> amd64, aarch64 -> arm64
cd /opt/zoraxy
sudo -u zoraxy wget -O zoraxy \
https://github.com/tobychui/zoraxy/releases/latest/download/zoraxy_linux_amd64
sudo chmod +x /opt/zoraxy/zoraxy
For ARM boards use zoraxy_linux_arm64. If you prefer a pinned version for reproducible deployments, download from a specific tag on the releases page instead of latest.
3. Create the systemd service
Zoraxy needs to serve on ports 80 and 443 for inbound proxying and ACME, and it hosts its management panel on port 8000. Run it unprivileged with only the capability needed to bind low ports:
sudo tee /etc/systemd/system/zoraxy.service >/dev/null <<'EOF'
[Unit]
Description=Zoraxy Reverse Proxy
After=network-online.target
Wants=network-online.target
[Service]
User=zoraxy
Group=zoraxy
WorkingDirectory=/opt/zoraxy
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/opt/zoraxy/zoraxy -port :8000
Restart=on-failure
RestartSec=3
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now zoraxy
sudo systemctl status zoraxy --no-pager
The -port :8000 flag sets the management panel port. The proxied sites are served on 80 and 443 by default and configured later from the web UI.
4. Configure the firewall
Open SSH and the two public web ports. Do not open the management port to the world. Restrict it to your own address, or better, keep it closed entirely and reach it over an SSH tunnel.
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status verbose
Pick one approach for the management panel on port 8000.
Option A, restrict to a trusted static IP:
sudo ufw allow from YOUR.TRUSTED.IP.ADDR to any port 8000 proto tcp
Option B, keep 8000 closed and tunnel over SSH from your workstation:
ssh -L 8000:127.0.0.1:8000 youruser@your-vps-ip
Then browse to http://127.0.0.1:8000. Option B is the stronger default because the panel is never reachable from the internet at all.
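To confirm which of the two options is actually in effect, the firewall output can be checked mechanically. The following is an added example, not part of the original guide or the Zoraxy project: the function name panel_exposure and the sample outputs are constructed for illustration, and it assumes the default deny incoming policy set above.

```bash
#!/bin/sh
# Added example: classify how a port is exposed according to `ufw status` text.
# Assumes the "default deny incoming" policy from step 4, so a port with no
# ALLOW rule counts as closed. Reads the ufw output on stdin.
# Prints one of: closed | restricted | open | unfiltered (ufw inactive)
panel_exposure() {
  awk -v port="$1" '
    /^Status: inactive/ { state = "unfiltered"; exit }
    {
      split($1, to, "/")                  # "8000/tcp" -> "8000"
      if (to[1] != port) next
      # Find the action column; IPv6 rules carry "(v6)" before it.
      for (i = 2; i <= NF; i++) if ($i == "ALLOW" || $i == "LIMIT") break
      if (i > NF) next                    # DENY/REJECT rule: not an exposure
      from = $(i + 1)
      if (from == "IN") from = $(i + 2)   # "status verbose" prints "ALLOW IN"
      if (from == "Anywhere") state = "open"
      else if (state != "open") state = "restricted"
    }
    END { print (state == "" ? "closed" : state) }
  '
}

# Constructed sample outputs (203.0.113.10 is a documentation address).
SAMPLE_TUNNEL='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'
SAMPLE_TRUSTED_IP="$SAMPLE_TUNNEL
8000/tcp                   ALLOW       203.0.113.10"
SAMPLE_MISTAKE="$SAMPLE_TUNNEL
8000/tcp                   ALLOW       Anywhere
8000/tcp (v6)              ALLOW       Anywhere (v6)"

# On the VPS: sudo ufw status | panel_exposure 8000
```

With Option B the expected answer is closed, with Option A it is restricted; open or unfiltered means the panel is reachable by anyone who can route to the VPS.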
5. Create the admin account
With the tunnel open (or from your allowed IP), visit the panel:
http://127.0.0.1:8000
Zoraxy prompts you to create the first administrator account on initial launch. Choose a strong unique password. This account controls all routing and certificate operations, so treat it as a privileged credential.
6. Set up ACME and your first proxy host
Zoraxy has a built in ACME client for Let's Encrypt, so TLS needs no external tooling.
- In the panel, open TLS / SSL certificates and then Open ACME Tool.
- Enter the email address Let's Encrypt should keep on file for expiry reminders, and enable auto renewal. This is a notification contact only, no mail service runs on your VPS.
- For a single host, HTTP-01 validation works out of the box because Zoraxy already holds port 80. For wildcards or when you would rather not expose port 80, use a DNS-01 challenge with one of the supported DNS providers (Cloudflare among them).
Then create the reverse proxy host:
- Go to HTTP Proxy and add a new proxy rule.
- Set the matching domain, for example app.example.com.
- Set the upstream target, for example 127.0.0.1:8080.
- Enable HTTPS for the host and let the wizard request or attach the certificate.
- Enable HTTP to HTTPS redirect (often labelled the green lock or force HTTPS toggle) so plain HTTP requests are upgraded automatically.
WebSocket upgrades are handled transparently, so applications that need them work without extra configuration.
7. Verify
curl -I http://app.example.com # expect a redirect to https
curl -I https://app.example.com # expect your backend response over TLS
Check the certificate details and confirm the expiry date is roughly 90 days out and that auto renewal is enabled in the panel.
8. Backups
Everything Zoraxy needs to rebuild is in its working directory: the conf folder holds proxy rules and access rules, sys.db holds system state, and the certificate store lives under conf. Back up the whole directory:
sudo tee /usr/local/bin/backup-zoraxy.sh >/dev/null <<'EOF'
#!/bin/bash
# The archive contains TLS private keys and sys.db, so create it readable by root only.
umask 077
STAMP=$(date +%F)
DEST=/var/backups/zoraxy
mkdir -p "$DEST"
systemctl stop zoraxy
tar czf "$DEST/zoraxy-${STAMP}.tar.gz" -C /opt zoraxy
systemctl start zoraxy
find "$DEST" -name 'zoraxy-*.tar.gz' -mtime +14 -delete
EOF
sudo chmod +x /usr/local/bin/backup-zoraxy.sh
echo "0 3 * * * root /usr/local/bin/backup-zoraxy.sh" | sudo tee /etc/cron.d/backup-zoraxy
Stopping the service during the archive guarantees a consistent copy of sys.db. The pause is a couple of seconds once a day. Push /var/backups/zoraxy offsite to RamNode S3 storage or another remote target with rclone or restic.
9. Updating Zoraxy
Zoraxy has an in panel updater, but for a service managed install the binary swap is predictable and easy to script. Always back up first, since some releases change config format:
sudo /usr/local/bin/backup-zoraxy.sh
sudo systemctl stop zoraxy
cd /opt/zoraxy
sudo -u zoraxy mv ./zoraxy ./zoraxy.backup
sudo -u zoraxy wget -O zoraxy \
https://github.com/tobychui/zoraxy/releases/latest/download/zoraxy_linux_amd64
sudo chmod +x /opt/zoraxy/zoraxy
sudo systemctl start zoraxy
Review the release notes before upgrading, because startup flags occasionally change between versions. If a start fails, restore zoraxy.backup and your latest archive.
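For the pinned-version route mentioned in step 2 and the binary swap above, the download can be gated on a digest before it replaces the running binary. This is an added example, not code from the original guide or the Zoraxy project: the function names are hypothetical, and the expected SHA-256 is assumed to be a value you recorded yourself when you reviewed that release.

```bash
#!/bin/sh
# Added example: swap in a downloaded binary only if its SHA-256 matches a
# digest pinned by the operator. Paths and the digest in the usage line are
# placeholders, not values published by the Zoraxy project.

# sha256_of <file>: print the lowercase hex digest of a file.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# install_verified <downloaded-file> <expected-sha256> <target>
#   0: digest matched, target replaced, previous binary kept as <target>.backup
#   1: digest mismatch, target untouched
#   2: bad arguments (missing file or malformed digest)
install_verified() (
  src=$1 expected=$2 target=$3
  [ -f "$src" ] || { echo "no such file: $src" >&2; exit 2; }
  case $expected in
    ''|*[!0-9a-f]*) echo "digest must be lowercase hex" >&2; exit 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "digest must be 64 hex chars" >&2; exit 2; }

  actual=$(sha256_of "$src")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $src: got $actual" >&2
    exit 1
  fi

  # Keep the current version for rollback, as step 9 does with zoraxy.backup.
  if [ -f "$target" ]; then cp -p "$target" "$target.backup"; fi
  # Stage next to the target, then rename: the swap is atomic on one filesystem.
  cp "$src" "$target.new" && chmod 0755 "$target.new" && mv -f "$target.new" "$target"
)

# Usage on the VPS, with the service stopped (placeholder digest):
#   install_verified /tmp/zoraxy_linux_amd64 <PINNED_SHA256> /opt/zoraxy/zoraxy
```

A mismatch leaves the existing binary in place, so the service can be started again unchanged while the download is investigated.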
Security checklist
- Management panel on port 8000 never exposed to the internet, reached by SSH tunnel or restricted to a trusted IP
- Zoraxy runs as an unprivileged system user with only CAP_NET_BIND_SERVICE
- Strong unique admin password on the panel
- Auto renewing Let's Encrypt certificates with HTTP to HTTPS redirects on every host
- Config and database backed up daily with a consistent snapshot
- Binary updated deliberately with release notes reviewed for breaking changes
- No mail services involved, consistent with RamNode's AUP
Where to go next
Zoraxy also covers access rules and geo-IP filtering, an uptime monitor with custom health check URIs, load balancing across multiple upstreams, a plugin system (including a WebDAV server plugin that replaced the old file manager), and trusted proxy settings for when Zoraxy sits behind another edge layer. Each is configured from the same panel, and every change is written into the conf directory that your backup already captures.
