
    Deploy Zoraxy on a VPS

    Run Zoraxy, a Go-based reverse proxy with a modern web UI and built-in Let's Encrypt, on a RamNode VPS as a hardened systemd service.

    Zoraxy is a general-purpose HTTP reverse proxy and forwarding tool written in Go, with a modern web interface and built-in Let's Encrypt automation. It fills the same niche as Nginx Proxy Manager but ships as a single static binary with no external database or runtime dependencies, which makes it a clean fit for a lightweight RamNode VPS.

    This deployment uses the native binary rather than a container, runs it under a dedicated system user, fronts TLS with Zoraxy's own ACME client, and keeps the management panel off the public internet. Nothing here requires a mail service. Zoraxy removed its deprecated SMTP feature in a recent release, and the ACME email address is only what Let's Encrypt keeps on file for expiry notices, so the setup stays inside RamNode's acceptable use policy.

    Prerequisites

    • A RamNode VPS running Ubuntu 24.04 LTS (Debian 12 works with minor path differences)
    • Root or a sudo-enabled user
    • One or more domains or subdomains with A records (and AAAA for IPv6) pointing at your VPS
    • Backend services to proxy, typically apps listening on 127.0.0.1 ports

    Replace app.example.com and the trusted admin IP placeholder with your real values throughout.

    1. Prepare the system

    shell
    sudo apt update && sudo apt upgrade -y
    sudo apt install -y wget ca-certificates

    Create a dedicated system user and the install directory. Zoraxy writes its config, database, and logs relative to its working directory, so give it a home under /opt:

    shell
    sudo useradd --system --no-create-home --shell /usr/sbin/nologin zoraxy
    sudo mkdir -p /opt/zoraxy
    sudo chown -R zoraxy:zoraxy /opt/zoraxy

    2. Install the Zoraxy binary

    Confirm your architecture, then download the matching release. The latest URL always resolves to the current stable build:

    shell
    uname -m   # x86_64 -> amd64, aarch64 -> arm64
    
    cd /opt/zoraxy
    sudo -u zoraxy wget -O zoraxy \
      https://github.com/tobychui/zoraxy/releases/latest/download/zoraxy_linux_amd64
    sudo chmod +x /opt/zoraxy/zoraxy

    For ARM boards use zoraxy_linux_arm64. If you prefer a pinned version for reproducible deployments, download from a specific tag on the releases page instead of latest.
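
    A pinned download is only reproducible if you also check what you received. The script below is an added example, not part of the original guide or the Zoraxy project: it installs a tagged release only when its SHA-256 matches a digest you recorded after vetting that build. The function names are hypothetical, and the tag and digest are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the Zoraxy project): install a tagged release only
# if its SHA-256 equals a digest you recorded when you vetted that build.

# sha256_matches FILE EXPECTED_HEX
# Exit 0 on an exact match, 1 on mismatch, 2 if EXPECTED_HEX is malformed.
sha256_matches() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;   # empty or non-hex input
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_pinned TAG EXPECTED_HEX [DEST]
# Downloads beside DEST, verifies, then renames into place. On any failure
# the temporary file is removed and the existing binary is left untouched.
install_pinned() {
    tag=$1
    expected=$2
    dest=${3:-/opt/zoraxy/zoraxy}
    url="https://github.com/tobychui/zoraxy/releases/download/${tag}/zoraxy_linux_amd64"
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if wget -q -O "$tmp" "$url" && sha256_matches "$tmp" "$expected"; then
        chmod 755 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "zoraxy ${tag}: download failed or digest mismatch, nothing installed" >&2
        return 1
    fi
}

# Usage, run as the zoraxy user with your own values:
#   install_pinned '<release-tag>' '<sha256-you-recorded>'
```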

    3. Create the systemd service

    Zoraxy needs to serve on ports 80 and 443 for inbound proxying and ACME, and it hosts its management panel on port 8000. Run it unprivileged with only the capability needed to bind low ports:

    shell
    sudo tee /etc/systemd/system/zoraxy.service >/dev/null <<'EOF'
    [Unit]
    Description=Zoraxy Reverse Proxy
    After=network-online.target
    Wants=network-online.target
    
    [Service]
    User=zoraxy
    Group=zoraxy
    WorkingDirectory=/opt/zoraxy
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    ExecStart=/opt/zoraxy/zoraxy -port :8000
    Restart=on-failure
    RestartSec=3
    LimitNOFILE=65535
    
    [Install]
    WantedBy=multi-user.target
    EOF
    
    sudo systemctl daemon-reload
    sudo systemctl enable --now zoraxy
    sudo systemctl status zoraxy --no-pager

    The -port :8000 flag sets the management panel port. The proxied sites are served on 80 and 443 by default and configured later from the web UI.
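
    The unit above grants a single capability but leaves the rest of systemd's sandboxing switched off. The drop-in below is an added example, not part of the original guide or the Zoraxy project: it pins the capability set and makes the filesystem read-only outside the working directory, assuming Zoraxy writes only under /opt/zoraxy as described in step 1. The function name and drop-in file name are hypothetical.

```shell
#!/bin/sh
# Added example: write a hardening drop-in for zoraxy.service.
# Assumes Zoraxy writes only under /opt/zoraxy; extend ReadWritePaths if a
# feature you use needs more.

# write_hardening_dropin DIR
# DIR is normally /etc/systemd/system/zoraxy.service.d
write_hardening_dropin() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/10-hardening.conf" <<'EOF'
[Service]
# Cap the process at the one capability it was granted, even across exec
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
RestrictSUIDSGID=true
# Read-only view of the OS; only the working directory stays writable
ProtectSystem=strict
ReadWritePaths=/opt/zoraxy
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# No kernel tuning, module loading or cgroup changes from the service
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
EOF
}

# On the VPS, as root:
#   write_hardening_dropin /etc/systemd/system/zoraxy.service.d
#   systemctl daemon-reload && systemctl restart zoraxy
#   systemd-analyze security zoraxy.service   # review the remaining exposure
```

    If the service fails to start after the restart, check `journalctl -u zoraxy` for permission errors and relax the directive it points to.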

    4. Configure the firewall

    Open SSH and the two public web ports. Do not open the management port to the world. Restrict it to your own address, or better, keep it closed entirely and reach it over an SSH tunnel.

    shell
    sudo apt install -y ufw
    sudo ufw default deny incoming
    sudo ufw default allow outgoing
    sudo ufw allow 22/tcp
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp
    sudo ufw enable
    sudo ufw status verbose

    Pick one approach for the management panel on port 8000.

    Option A, restrict to a trusted static IP:

    shell
    sudo ufw allow from YOUR.TRUSTED.IP.ADDR to any port 8000 proto tcp

    Option B, keep 8000 closed and tunnel over SSH from your workstation:

    shell
    ssh -L 8000:127.0.0.1:8000 youruser@your-vps-ip

    Then browse to http://127.0.0.1:8000. Option B is the stronger default because the panel is never reachable from the internet at all.
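
    To confirm the firewall matches the option you chose, the added example below (not part of the original guide) parses `ufw status` and `ss -ltn` output and reports whether the panel port is open to everyone and which address it listens on. The function names and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the panel port is not reachable from everywhere.

# ufw_exposes_port PORT   (reads `ufw status` output on stdin)
# Prints each rule that allows PORT from Anywhere; exits 1 if one exists.
ufw_exposes_port() {
    awk -v port="$1" '
        { target = $1; sub(/\/(tcp|udp)$/, "", target) }
        target == port && /ALLOW/ && /Anywhere/ { print "EXPOSED: " $0; bad = 1 }
        END { exit bad + 0 }
    '
}

# listen_scope PORT   (reads `ss -ltn` output on stdin)
# Prints wildcard, specific, loopback or none for the listener on PORT.
listen_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") rank = 3
            else if (addr ~ /^127\./ || addr == "[::1]") rank = 1
            else rank = 2
            if (rank > worst) worst = rank
        }
        END { split("loopback specific wildcard", name, " "); print (worst ? name[worst] : "none") }
    '
}

# Constructed sample: Option A applied, with a wildcard listener on 8000.
UFW_SAMPLE='To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8000/tcp                   ALLOW       203.0.113.7'
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096               *:8000            *:*
LISTEN 0      4096       127.0.0.1:8080      0.0.0.0:*'

if printf '%s\n' "$UFW_SAMPLE" | ufw_exposes_port 8000; then
    echo "ufw: port 8000 is not open to Anywhere"
fi
# A wildcard listener means the firewall is the only thing keeping it private.
echo "panel listener: $(printf '%s\n' "$SS_SAMPLE" | listen_scope 8000)"

# On the VPS: sudo ufw status | ufw_exposes_port 8000
#             ss -ltn | listen_scope 8000
```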

    5. Create the admin account

    With the tunnel open (or from your allowed IP), visit the panel:

    shell
    http://127.0.0.1:8000

    Zoraxy prompts you to create the first administrator account on initial launch. Choose a strong unique password. This account controls all routing and certificate operations, so treat it as a privileged credential.

    6. Set up ACME and your first proxy host

    Zoraxy has a built-in ACME client for Let's Encrypt, so TLS needs no external tooling.

    1. In the panel, open TLS / SSL certificates and then Open ACME Tool.
    2. Enter the email address Let's Encrypt should keep on file for expiry reminders, and enable auto renewal. This is a notification contact only; no mail service runs on your VPS.
    3. For a single host, HTTP-01 validation works out of the box because Zoraxy already holds port 80. For wildcards or when you would rather not expose port 80, use a DNS-01 challenge with one of the supported DNS providers (Cloudflare among them).

    Then create the reverse proxy host:

    1. Go to HTTP Proxy and add a new proxy rule.
    2. Set the matching domain, for example app.example.com.
    3. Set the upstream target, for example 127.0.0.1:8080.
    4. Enable HTTPS for the host and let the wizard request or attach the certificate.
    5. Enable HTTP to HTTPS redirect (often labelled the green lock or force HTTPS toggle) so plain HTTP requests are upgraded automatically.

    WebSocket upgrades are handled transparently, so applications that need them work without extra configuration.

    7. Verify

    shell
    curl -I http://app.example.com     # expect a redirect to https
    curl -I https://app.example.com    # expect your backend response over TLS

    Check the certificate details and confirm the expiry date is roughly 90 days out and that auto renewal is enabled in the panel.

    8. Backups

    Everything Zoraxy needs to rebuild is in its working directory: the conf folder holds proxy rules and access rules, sys.db holds system state, and the certificate store lives under conf. Back up the whole directory:

    shell
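    sudo tee /usr/local/bin/backup-zoraxy.sh >/dev/null <<'EOF'
    #!/bin/bash
    set -euo pipefail
    # The archive includes the certificate store and sys.db: keep it root-only
    umask 077
    STAMP=$(date +%F)
    DEST=/var/backups/zoraxy
    mkdir -p "$DEST"
    chmod 700 "$DEST"
    # Bring Zoraxy back up even if the archive step fails
    trap 'systemctl start zoraxy' EXIT
    systemctl stop zoraxy
    tar czf "$DEST/zoraxy-${STAMP}.tar.gz" -C /opt zoraxy
    systemctl start zoraxy
    trap - EXIT
    # Prune archives older than 14 days
    find "$DEST" -name 'zoraxy-*.tar.gz' -mtime +14 -delete
    EOF
    sudo chmod +x /usr/local/bin/backup-zoraxy.sh
    echo "0 3 * * * root /usr/local/bin/backup-zoraxy.sh" | sudo tee /etc/cron.d/backup-zoraxy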

    Stopping the service during the archive guarantees a consistent copy of sys.db. The pause is a couple of seconds once a day. Push /var/backups/zoraxy offsite to RamNode S3 storage or another remote target with rclone or restic.

    9. Updating Zoraxy

    Zoraxy has an in-panel updater, but for a service-managed install the binary swap is predictable and easy to script. Always back up first, since some releases change the config format:

    shell
    sudo /usr/local/bin/backup-zoraxy.sh
    sudo systemctl stop zoraxy
    cd /opt/zoraxy
    sudo -u zoraxy mv ./zoraxy ./zoraxy.backup
    sudo -u zoraxy wget -O zoraxy \
      https://github.com/tobychui/zoraxy/releases/latest/download/zoraxy_linux_amd64
    sudo chmod +x /opt/zoraxy/zoraxy
    sudo systemctl start zoraxy

    Review the release notes before upgrading, because startup flags occasionally change between versions. If a start fails, restore zoraxy.backup and your latest archive.

    Security checklist

    • Management panel on port 8000 never exposed to the internet, reached by SSH tunnel or restricted to a trusted IP
    • Zoraxy runs as an unprivileged system user with only CAP_NET_BIND_SERVICE
    • Strong unique admin password on the panel
    • Auto-renewing Let's Encrypt certificates with HTTP to HTTPS redirects on every host
    • Config and database backed up daily with a consistent snapshot
    • Binary updated deliberately with release notes reviewed for breaking changes
    • No mail services involved, consistent with RamNode's AUP

    Where to go next

    Zoraxy also covers access rules and geo-IP filtering, an uptime monitor with custom health check URIs, load balancing across multiple upstreams, a plugin system (including a WebDAV server plugin that replaced the old file manager), and trusted proxy settings for when Zoraxy sits behind another edge layer. Each is configured from the same panel, and every change is written into the conf directory that your backup already captures.