Let's see here… configuration information:
- TrueNAS 25.04.2.3
- Zoraxy App Version: v3.2.5
- Zoraxy Version: v1.0.1
I’m looking to try this out as a possible replacement to Nginx Proxy Manager which I currently have running on 192.168.1.8. I did install this app in 192.168.1.7 so that I can utilize ports 80/443 and provide access to certain docker containers.
I did have issues installing this container, but after I set the IP address to 192.168.1.7 and unchecking Host Network, this container was finally able to install.
Now, I’m having configuration issues with the ACME Tool to generate Let’s Encrypt certificates. I’m using Cloudflare as my DNS provider. I see the following screen:
Now, based upon some guessing and looking at other configurations (DDNS Updater), I’m guessing the following:
- AuthEmail - This is my login email at CloudFlare
- AuthKey - I thought this was my Cloudflare Account ID
- AuthToken - I thought this was my CloudFlare API Token with the Edit zone DNS privilege
- ZoneToken - I thought this was my Zone ID
Somehow, it isn’t working. I ran out of tries and am on a three-hour timeout, so looking for suggestions.
Okay, figured this one out after some more searching…
- AuthEmail - This is my login email at CloudFlare
- AuthKey - Leave blank
- AuthToken - CloudFlare API Token with the Edit zone DNS privilege
- ZoneToken - Leave blank
It turns out that several port mappings have to be created in the networking section.
This should give you this:
Which matches up with the working Nginx Proxy Manager:
Hi! I’m doing the same thing here to experiment.
Did you leave Host Network checked or unchecked? By default the installation has the flag checked, but in your screenshot it is unchecked, so I'm wondering why.
Thank you!
When I had the host network checked, the Docker instance got stuck on deploying on my system:
2025-09-11 01:36:02.822697+00:00Updating CA certificates...
2025-09-11 01:36:03.276056+00:00Updating GeoIP data...
2025-09-11 01:36:03.623120+00:002025/09/11 01:36:03 Downloading IPv4 database update...
2025-09-11 01:36:03.849853+00:002025/09/11 01:36:03 Downloading IPv6 database update...
2025-09-11 01:36:03.968539+00:002025/09/11 01:36:03 GeoDB update stored at: ./conf/geodb
2025-09-11 01:36:03.968564+00:002025/09/11 01:36:03 Exiting...
2025-09-11 01:36:03.971082+00:00Starting Zoraxy...
2025-09-11 01:36:04.035204+00:00Checking required config update
2025-09-11 01:36:04.035439+00:00[2025-09-11 01:36:04.035360] [database] [system:info] Using BoltDB as the database backend
2025-09-11 01:36:04.097035+00:00[2025-09-11 01:36:04.096948] [auth] [system:info] Authentication session key loaded from database
2025-09-11 01:36:04.141253+00:00[2025-09-11 01:36:04.141216] [GeoDB] [system:info] External GeoDB data found, using external IPv4 GeoIP data
2025-09-11 01:36:04.142386+00:00[2025-09-11 01:36:04.142244] [GeoDB] [system:info] External GeoDB data found, using external IPv6 GeoIP data
2025-09-11 01:36:05.454793+00:00[2025-09-11 01:36:05.454627] [LoadBalancer] [system:info] Upstream state cache ticker started
2025-09-11 01:36:05.569016+00:00[2025-09-11 01:36:05.568747] [access] [system:info] Public IP address updated to: 69.239.142.170
2025-09-11 01:36:05.571113+00:002025/09/11 01:36:05 [zeroconf] no suitable IPv4 interface: listen udp4 224.0.0.0:5353: bind: address already in use
2025-09-11 01:36:05.571646+00:002025/09/11 01:36:05 [ERR] zeroconf: failed to send probe: dns: string exceeded 255 bytes in txt
2025-09-11 01:36:05.572753+00:002025/09/11 01:36:05 Failed to initialize resolver: listen udp4 224.0.0.0:5353: bind: address already in use
Unchecking the Host Network allowed the Docker container to deploy.
I should note that I'm intentionally running my reverse proxy on its own IP address within my network. I have set up some DNS rewrite rules on my DNS server (Adguard Home) so that if my Internet goes out, my apps remain accessible under fully qualified domain names (like Audiobookshelf).
I should note that I’m still researching the part about integrating Forward Proxy authentication with Authentik. For now, I’ve implemented a workaround where I’m using basic authentication.
Same thing here, I don't know if it happens because there is an instance of NPM running; I didn't try to solve it.
This reverse proxy looks very good, I’ll give it a try.
Not sure what DNS rewrites are, I'll search for it. If my connection goes down I wait for it to come back!
I’m looking to implement something more secure too, like 2FA as I’m really concerned about the security of the services I’m running, especially after the Plex breach.
It's a bit more complex and I'm doing it in my very rare spare time, so for now I've set a port knock sequence to add the "knocking" IP to a secured address list (I'm on a Mikrotik router) so that the forward rule works only for the secured IPs. For example, if I want to access immich from my smartphone when I'm not home, I do the port knock sequence and then I'm able to access the server for 30 minutes, then I have to re-knock.
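The knock-to-address-list scheme described above, written out as an added RouterOS example (not the poster's own configuration). The knock ports 1471/2920/3873, the list names and the 192.168.1.7 proxy target are assumptions, and it assumes a dst-nat rule already forwards port 443 from the WAN to that host.

```routeros
# Added example, not from the thread. Three-stage knock: each stage only
# counts if the previous one is still valid, and completing the sequence
# puts the source on the "secured" list for 30 minutes.
/ip firewall filter
# stage 1: the first knock tags the source for 15 seconds
add chain=input protocol=tcp dst-port=1471 action=add-src-to-address-list \
    address-list=knock-1 address-list-timeout=15s comment="knock stage 1"
# stage 2: only accepted from sources still on knock-1
add chain=input protocol=tcp dst-port=2920 src-address-list=knock-1 \
    action=add-src-to-address-list address-list=knock-2 \
    address-list-timeout=15s comment="knock stage 2"
# stage 3: completes the sequence; the source is admitted for 30 minutes
add chain=input protocol=tcp dst-port=3873 src-address-list=knock-2 \
    action=add-src-to-address-list address-list=secured \
    address-list-timeout=30m comment="knock stage 3 -> secured"
# the knock ports themselves are never answered
add chain=input protocol=tcp dst-port=1471,2920,3873 action=drop \
    comment="swallow knocks"
# forwarded traffic to the reverse proxy (assumed at 192.168.1.7) is only
# accepted from sources on the secured list; everyone else is dropped
add chain=forward connection-nat-state=dstnat protocol=tcp dst-port=443 \
    dst-address=192.168.1.7 src-address-list=secured action=accept \
    comment="secured knockers -> reverse proxy"
add chain=forward connection-nat-state=dstnat protocol=tcp dst-port=443 \
    dst-address=192.168.1.7 action=drop comment="unknocked -> drop"
```

Rule order matters on RouterOS: the input rules must sit above any general input drop and the two forward rules above any general forward accept, and because the knock sequence is visible on the wire it gates exposure rather than replacing authentication on the services behind it.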
As previously stated, I've set up Adguard Home as my DNS server for all of my DHCP clients. Adguard is mainly designed to block URLs that are serving up advertising, but there is some additional functionality, such as adding DNS rewrites, which can speed up DNS resolution in my local network. For instance, I set up a rule that says that *.example.tld points to my reverse proxy server at 192.168.1.8, so when my device is within the network, it accesses the reverse proxy directly. When I'm off network, it falls back to the DNS entry which points to my WAN address. Likewise, since I'm running a Web Developer server, I have entries set up so that the domain name testsite.test points to that server while testsite.tld is the production server outside my network.
The passwords for both Nginx Proxy Manager and Zoraxy are stored locally, not in a centralized server like Plex uses. The management interface for your reverse proxy should NOT be exposed to the outside world, but I do agree about having 2FA or, better yet, integration with an identity provider such as Authentik.