From 0f69e8508224e87d637a7932a0a7dd29aba9a206 Mon Sep 17 00:00:00 2001 From: Meir Lazar Date: Wed, 26 Nov 2025 19:12:37 -0500 Subject: [PATCH 1/8] Add Home Assistant configuration to YAML file --- examples/route_providers/homeassistant.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 examples/route_providers/homeassistant.yml diff --git a/examples/route_providers/homeassistant.yml b/examples/route_providers/homeassistant.yml new file mode 100644 index 00000000..a48c5b8a --- /dev/null +++ b/examples/route_providers/homeassistant.yml @@ -0,0 +1,8 @@ +hass: + host: 192.168.1.10 # ip address of Homeassistant Server + port: 8123 # port + homepage: + name: hass + description: Home Assistant - Home Automation + icon: @selfhst/home-assistant.svg + category: Automation From debf5ceeef2a26b8f088ca6a00ff8e495707c9ed Mon Sep 17 00:00:00 2001 From: Meir Lazar Date: Wed, 26 Nov 2025 19:29:00 -0500 Subject: [PATCH 2/8] Add AdGuard Home service to docker-compose --- examples/docker-compose/adguardhome.yml | 135 ++++++++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 examples/docker-compose/adguardhome.yml diff --git a/examples/docker-compose/adguardhome.yml b/examples/docker-compose/adguardhome.yml new file mode 100644 index 00000000..8911c390 --- /dev/null +++ b/examples/docker-compose/adguardhome.yml 
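Review bot: The `icon` value in the new `homeassistant.yml` is an unquoted scalar that starts with `@`, which YAML reserves as an indicator and does not allow at the start of a plain scalar, so a strict parser rejects the route file. Quote it the way the compose examples later in this series do: `icon: "@selfhst/home-assistant.svg"`. The comment on `host` could also say that the address is a placeholder the reader must replace.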
@@ -0,0 +1,135 @@ +services: + adguard: + image: adguard/adguardhome:edge + container_name: adguard + network_mode: "host" + + cap_add: + - NET_ADMIN + privileged: true + + labels: + # ------------------------------------------------------- + # GoDoxy Reverse Proxy Configuration + # ------------------------------------------------------- + proxy.enable: true + + # Aliases -> URLs GoDoxy will expose for this service + # Examples: + # https://adguard.yourdomain + # https://dns.yourdomain + # https://adguardhome.yourdomain + proxy.aliases: | + adguard + dns + adguardhome + + # Web UI port (AdGuard’s dashboard runs on port 3000) + proxy.port: "3000" + + # Enable TLS termination (GoDoxy handles SSL) + proxy.ssl: true + + # ------------------------------------------------------- + # Homepage Dashboard Metadata (shown in Homepage UI) + # ------------------------------------------------------- + proxy.homepage: | + name: AdGuard Home + description: DNS + DHCP Server + category: Networking + icon: "@selfhst/adguard-home.svg" + + + # ======================================================= + # OPTIONAL: PASSWORD-PROTECT THE ADGUARD WEB UI + # ======================================================= + # → IF YOU WANT TO LOCK THE DASHBOARD BEHIND A LOGIN + # - Uncomment these 3 lines + # - Replace username/password with your values + # + # Explanation: + # This adds GoDoxy’s built-in basic auth middleware. + # Anyone accessing https://adguard. will be + # given a login popup BEFORE reaching AdGuard’s UI. + # + # NOTE: This is SEPARATE from AdGuard’s internal login. 
+ # + #proxy.auth.enable: true + #proxy.auth.username: "admin" + #proxy.auth.password: "CHANGEME" + + # ======================================================= + # OPTIONAL: CUSTOM MIDDLEWARES + # ======================================================= + # Middlewares allow you to: + # - rewrite URLs + # - add headers + # - restrict access by IP + # - enforce security headers + # - throttle requests + # + # Syntax: + # proxy.middleware.: "" + # + # You can apply multiple; GoDoxy chains them automatically. + # + # --------------------------- + # Example 1: IP Whitelist + # --------------------------- + # Only allow specific LAN subnets to load the UI: + # + #proxy.middleware.ipwhitelist: | + # allow: + # - 192.168.1.0/24 + # - 192.168.10.0/24 + # deny: + # - 0.0.0.0/0 + # + # --------------------------- + # Example 2: Add Secure Headers + # --------------------------- + #proxy.middleware.securityheaders: | + # X-Frame-Options: DENY + # X-Content-Type-Options: nosniff + # Referrer-Policy: no-referrer + # Permissions-Policy: accelerometer=() + # + # --------------------------- + # Example 3: Rate Limiting + # --------------------------- + # Prevent brute-force attempts / UI abuse: + # + #proxy.middleware.ratelimit: | + # average: 50 + # burst: 25 + # + # Enable one or all depending on what you need. 
+ # ======================================================= + + # Host mode → ports are unnecessary (and ignored) + # ports: + # - 53:53/udp + # - 53:53/tcp + # - 67:67/udp + # - 68:68/tcp + # - 68:68/udp + # - 3000:3000/tcp + + volumes: + - ./workdir:/opt/adguardhome/work + - ./confdir:/opt/adguardhome/conf + - ./adguard_hostsfile.txt:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + - /etc/timezone:/etc/timezone:ro + + # Healthcheck to ensure WebUI is up before marking healthy + healthcheck: + test: ["CMD-SHELL", "wget --timeout=5 -nv -t1 --spider http://127.0.0.1:3000 || exit 1"] + interval: 10m + timeout: 5s + start_period: 60s + retries: 3 + + restart: unless-stopped + mem_limit: 2048m + cpus: "3.0" From 6c0964769cdbae93bd1d6a03588feb2e95873e0f Mon Sep 17 00:00:00 2001 From: Meir Lazar Date: Wed, 26 Nov 2025 19:43:54 -0500 Subject: [PATCH 3/8] Add Docker Compose configuration for wg-easy VPN --- examples/docker-compose/wg-easy_wireguard_vpn | 168 ++++++++++++++++++ 1 file changed, 168 insertions(+) create mode 100644 examples/docker-compose/wg-easy_wireguard_vpn diff --git a/examples/docker-compose/wg-easy_wireguard_vpn b/examples/docker-compose/wg-easy_wireguard_vpn new file mode 100644 index 00000000..dd6da7a9 --- /dev/null +++ b/examples/docker-compose/wg-easy_wireguard_vpn 
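Review bot: `privileged: true` sits next to `cap_add: NET_ADMIN` and `network_mode: "host"`, which gives the container every capability and host device, makes the `cap_add` entry meaningless, and turns a compromise of the AdGuard process into host-level access. Remove `privileged: true` and keep only the capability the service needs. The image is pulled as `adguard/adguardhome:edge`, a moving tag; an example that people copy should pin a release tag or digest, e.g. `image: adguard/adguardhome:<release-tag>`. The optional basic-auth block stores the password in a container label, which anyone able to run `docker inspect` can read, and the comment above it should say so.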
@@ -0,0 +1,168 @@ +services: + wg-easy: + image: ghcr.io/wg-easy/wg-easy:latest + container_name: wg-easy + + # ------------------------------------------------------- + # Networking: + # - WireGuard tunnel uses UDP 51820 → EXPOSED (required) + # - Web UI is TCP 51821 but ONLY proxied through GoDoxy + # + # IMPORTANT: + # Do NOT use network_mode: host for VPNs unless needed. + # This keeps UI isolated and prevents leaking ports. + # ------------------------------------------------------- + ports: + - "51820:51820/udp" # Required for WireGuard + # WebUI NOT exposed directly — handled by GoDoxy only + # - "51821:51821/tcp" # ❌ REMOVE (GoDoxy handles proxying) + + environment: + - LANG=en + - WG_HOST=vpn.mydomain.com + - PASSWORD_HASH=${HASHED_PASS} + # Optional: + # - WG_PORT=51820 + # - PORT=51821 (UI internal port, do not expose) + # - WG_CONFIG_PORT=92820 + + - UI_TRAFFIC_STATS=true + - UI_CHART_TYPE=2 + - WG_ENABLE_ONE_TIME_LINKS=true + - UI_ENABLE_SORT_CLIENTS=true + - WG_DEFAULT_ADDRESS=192.168.33.x + - WG_DEFAULT_DNS=1.1.1.1 + + volumes: + - ./etc_wireguard:/etc/wireguard + + restart: unless-stopped + + cap_add: + - NET_ADMIN + - SYS_MODULE + + sysctls: + - net.ipv4.ip_forward=1 + - net.ipv4.conf.all.src_valid_mark=1 + + mem_limit: 1024m + cpus: "2.0" + + security_opt: + - no-new-privileges:true # Hardening + + # ------------------------------------------------------- + # GoDoxy Integration + # ------------------------------------------------------- + labels: + # Enable reverse proxy for Web UI ONLY + proxy.enable: true + + # The aliases/domains you want to access the dashboard on + proxy.aliases: | + vpn + wireguard + wgeasy + + # Internal WebUI port + proxy.port: "51821" + + # SSL termination via GoDoxy + proxy.ssl: true + + # Homepage metadata + proxy.homepage: | + name: WG Easy VPN + description: Fast Easy VPN Server + category: Utilities + icon: "@selfhst/wireguard.svg" + + # ===================================================== + # OPTIONAL: 
PASSWORD-PROTECT WEB UI + # ----------------------------------------------------- + # This protects the UI BEFORE reaching WG-Easy's own login + # + #proxy.auth.enable: true + #proxy.auth.username: "admin" + #proxy.auth.password: "CHANGEME" + # + # ===================================================== + + + # ===================================================== + # OPTIONAL: CUSTOM MIDDLEWARES + # ===================================================== + + # --------------------------- + # 1) IP Whitelist (OPTIONAL) + # --------------------------- + # Only allow access to the UI from a specific subnet(s): + # + #proxy.middleware.ipwhitelist: | + # allow: + # - 192.168.1.0/24 + # - 10.0.0.0/8 + # deny: + # - 0.0.0.0/0 + + # --------------------------- + # 2) Security Headers (OPTIONAL HARDENING) + # --------------------------- + # Helps with Cloudflare Zero-Trust, browser hardening, etc. + # + #proxy.middleware.securityheaders: | + # X-Frame-Options: DENY + # X-Content-Type-Options: nosniff + # Referrer-Policy: no-referrer + # Permissions-Policy: accelerometer=() + # CF-Access-Client-ID: ${CF_ID} + # CF-Access-Client-Secret: ${CF_SECRET} + + # --------------------------- + # 3) Rate Limiting (OPTIONAL HARDENING) + # --------------------------- + # Protects the login page against brute force attacks + # + #proxy.middleware.ratelimit: | + # average: 30 + # burst: 15 + + # --------------------------- + # 4) Audit Logging (OPTIONAL LOGGING) + # --------------------------- + # Every UI access logs to stdout (GoDoxy → Loki optional) + # + #proxy.middleware.auditlog: | + # enabled: true + # format: "$remote_addr accessed WG-Easy UI" + + # --------------------------- + # 5) Geo/IP Restriction (OPTIONAL GEO-LOC HARDENING) + # --------------------------- + # Requires GoDoxy GeoIP plugin (if installed) + # + #proxy.middleware.geoipblock: | + # allow: + # - US + # - CA + # deny: + # - CN + # - RU + # - KP + + # ===================================================== + + + # 
Healthcheck for UI (OPTIONAL) + healthcheck: + test: ["CMD-SHELL", "wget --timeout=5 -nv -t1 --spider http://127.0.0.1:51821 || exit 1"] + interval: 10m + timeout: 10s + start_period: 60s + +networks: + default: + external: true + name: SHARED + From 241935bd5ad9cc0bb09e7d67b3c13e6436ed7f28 Mon Sep 17 00:00:00 2001 From: Meir Lazar Date: Thu, 27 Nov 2025 22:48:38 -0500 Subject: [PATCH 4/8] Refactor AdGuard Home proxy settings and rate limits Updated proxy configuration to use wildcard syntax for multiple settings and adjusted rate limiting parameters. --- examples/docker-compose/adguardhome.yml | 28 ++++++++----------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/examples/docker-compose/adguardhome.yml b/examples/docker-compose/adguardhome.yml index 8911c390..814c008d 100644 --- a/examples/docker-compose/adguardhome.yml +++ b/examples/docker-compose/adguardhome.yml @@ -12,8 +12,6 @@ services: # ------------------------------------------------------- # GoDoxy Reverse Proxy Configuration # ------------------------------------------------------- - proxy.enable: true - # Aliases -> URLs GoDoxy will expose for this service # Examples: # https://adguard.yourdomain @@ -23,17 +21,10 @@ services: adguard dns adguardhome - - # Web UI port (AdGuard’s dashboard runs on port 3000) - proxy.port: "3000" - - # Enable TLS termination (GoDoxy handles SSL) - proxy.ssl: true - # ------------------------------------------------------- # Homepage Dashboard Metadata (shown in Homepage UI) # ------------------------------------------------------- - proxy.homepage: | + proxy.*.homepage: | name: AdGuard Home description: DNS + DHCP Server category: Networking 
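Review bot: The commented `securityheaders` example in the wg-easy file lists `CF-Access-Client-ID: ${CF_ID}` and `CF-Access-Client-Secret: ${CF_SECRET}` beside response headers such as `X-Frame-Options`; if that middleware writes response headers, as the other entries imply, uncommenting the block sends the Cloudflare Access service-token secret to every browser that loads the UI. Remove those two lines from the example, or move them into a separate request-header example with a comment that they are credentials. Two smaller points in the same hunk: the optional `WG_CONFIG_PORT=92820` is above the highest valid port number (65535), and `image: ghcr.io/wg-easy/wg-easy:latest` should be pinned to a release tag or digest so the environment variables shown keep working.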
@@ -54,9 +45,9 @@ services: # # NOTE: This is SEPARATE from AdGuard’s internal login. # - #proxy.auth.enable: true - #proxy.auth.username: "admin" - #proxy.auth.password: "CHANGEME" + proxy.*.auth.enable: true + proxy.*.auth.username: "admin" + proxy.*.auth.password: "CHANGEME" # ======================================================= # OPTIONAL: CUSTOM MIDDLEWARES @@ -82,13 +73,11 @@ services: # allow: # - 192.168.1.0/24 # - 192.168.10.0/24 - # deny: - # - 0.0.0.0/0 # # --------------------------- # Example 2: Add Secure Headers # --------------------------- - #proxy.middleware.securityheaders: | + #proxy.*.middleware.securityheaders: | # X-Frame-Options: DENY # X-Content-Type-Options: nosniff # Referrer-Policy: no-referrer @@ -99,9 +88,10 @@ services: # --------------------------- # Prevent brute-force attempts / UI abuse: # - #proxy.middleware.ratelimit: | - # average: 50 - # burst: 25 + proxy.*.middleware.ratelimit: | + average: 10 + burst: 20 + period: 1s # # Enable one or all depending on what you need. # ======================================================= From 711f88ec612fcaec62776eccc96a0684ec045a45 Mon Sep 17 00:00:00 2001 From: Meir Lazar Date: Thu, 27 Nov 2025 22:51:02 -0500 Subject: [PATCH 5/8] Add initial config.yml for application settings WORKING CONFIG.YML WITH REAL WORLD USAGE. TESTED AND WORKS CORRECTLY --- examples/config/config.yml | 97 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 examples/config/config.yml diff --git a/examples/config/config.yml b/examples/config/config.yml new file mode 100644 index 00000000..637d7b6c --- /dev/null +++ b/examples/config/config.yml 
@@ -0,0 +1,97 @@
+autocert:
+ provider: cloudflare
+ email: ${CLOUDFLARE_EMAIL}
+ domains: # this has to match whats in the match domains section
+ - ${MYWILDCARD_DOMAIN}
+ - ${MY_DOMAIN}
+ options:
+ auth_token: ${CLOUDFLARE_TOKEN}
+ resolvers:
+ - 1.1.1.1:53
+ - ${MY_INTERNAL_DNS1}
+ - ${MY_INTERNAL_DNS2}
+acl:
+ default: deny # by default no one is allowed in except fo the allow list
+ allow_local: true
+ log:
+ stdout: true
+ log_allowed: true
+ keep: 7 days
+ retention: 7 days
+ allow:
+ - cidr:192.168.0.0/16
+ - ip:YOUREXTERNALIP
+ - ip:127.0.0.1
+ - cidr:172.16.0.0/12
+entrypoint:
+ support_proxy_protocol: false # this should be false
+ middlewares:
+ - use: real_ip # use the real ip of the origin
+ header: X-Real-IP
+ from:
+ - 127.0.0.1
+ - 192.168.0.0/16
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - ${MY_EXTERNAL_CIDR}
+ recursive: true
+ - use: cidr_whitelist
+ allow:
+ - 127.0.0.1/8
+ - 192.168.0.0/16
+ - 10.0.0.0/8
+ - 172.16.0.0/12
+ - ${MY_EXTERNAL_CIDR}
+ status: 403
+ message: "Forbidden - your IP is not allowed"
+ - use: RedirectHTTP
+ - use: ModifyResponse
+ set_headers:
+ Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
+ Access-Control-Allow-Headers: "*"
+ Access-Control-Allow-Origin: "*"
+ Access-Control-Max-Age: 180
+ Vary: "*"
+ X-XSS-Protection: 1; mode=block
+ Content-Security-Policy: object-src 'self'; frame-ancestors 'self' ${MY_WILDCARD_ADDRESS};
+ X-Content-Type-Options: nosniff
+ Permissions-Policy: vibrate=(self); geolocation=(self); midi=(self);
+ notifications=(self); push=(self); vibrate=(self); fullscreen=(self);
+ microphone=(); camera=(); magnetometer=(); gyroscope=(); speaker=();
+ X-Frame-Options: SAMEORIGIN
+ Referrer-Policy: same-origin
+ Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+ - use: rate_limit
+ average: 10
+ burst: 20
+ period: 5s
+ - use: custom_error_page
+ bypass: []
+ access_log:
+ format: combined
+ path: /app/logs/entrypoint.log
+ stdout: true
+ keep: 30 days
+providers: + include: + - hass.yml # my hass routing file for home assistant + docker: + local: ${DOCKER_HOST} + + # notification providers + notification: + - name: gotify + provider: gotify + token: ${GOTIFY_TOKEN} + url: ${GOTIFY_URL} + maxmind: + account_id: ${GODOXY_MAXMIND_ACCOUNT_ID} + license_key: ${GODOXY_MAXMIND_LICENSE_KEY} + database: "geolite" + agents: + - ${REMOTESERVER1} + - ${REMOTESERVER2} +homepage: + use_default_categories: true +match_domains: + - ${MY_DOMAIN} From eceaaff3a5d688b015ccb187a8fa73b5f6f1ac93 Mon Sep 17 00:00:00 2001 From: Meir Lazar Date: Thu, 27 Nov 2025 22:54:14 -0500 Subject: [PATCH 6/8] Refactor proxy settings with wildcard properties Updated proxy configuration to use wildcard properties for easier management. --- examples/docker-compose/wg-easy_wireguard_vpn | 27 +++++++++---------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/examples/docker-compose/wg-easy_wireguard_vpn b/examples/docker-compose/wg-easy_wireguard_vpn index dd6da7a9..796d6a00 100644 --- a/examples/docker-compose/wg-easy_wireguard_vpn +++ b/examples/docker-compose/wg-easy_wireguard_vpn @@ -57,8 +57,6 @@ services: # ------------------------------------------------------- labels: # Enable reverse proxy for Web UI ONLY - proxy.enable: true - # The aliases/domains you want to access the dashboard on proxy.aliases: | vpn @@ -66,13 +64,13 @@ services: wgeasy # Internal WebUI port - proxy.port: "51821" + proxy.*.port: "51821" # SSL termination via GoDoxy - proxy.ssl: true + proxy.*.scheme: https # Homepage metadata - proxy.homepage: | + proxy.*.homepage: | name: WG Easy VPN description: Fast Easy VPN Server category: Utilities 
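Review bot: The entrypoint-wide `ModifyResponse` middleware in `config.yml` sets `Access-Control-Allow-Origin: "*"`, `Access-Control-Allow-Headers: "*"` and every method on all responses, so any web page open in a browser on an allowed network can read responses from each proxied service that does not require credentials; `cidr_whitelist` does not help, because the request comes from the user's own browser. Drop the three `Access-Control-Allow-*` lines from the entrypoint and set CORS per route where a service needs it. `real_ip` also trusts `X-Real-IP` from all of `192.168.0.0/16`, `10.0.0.0/8` and `172.16.0.0/12` with `recursive: true`, which presumably lets any host in those ranges choose the address the whitelist and access log see; limit `from` to the actual upstream proxies. `127.0.0.1/8` in the whitelist is presumably meant as `127.0.0.0/8`.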
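Review bot: `proxy.*.scheme: https` replaces `proxy.ssl: true` under the comment "SSL termination via GoDoxy", but a route scheme normally names the protocol spoken to the container, and the healthcheck in this file reaches the UI at `http://127.0.0.1:51821`. If GoDoxy reads the label that way, the proxy attempts TLS against a plain-HTTP port and the route fails; use `proxy.*.scheme: http` or drop the label, and reword the comment to say that TLS ends at the proxy and the hop to the container is unencrypted. The preceding hunk also deletes `proxy.enable: true` but keeps its comment "Enable reverse proxy for Web UI ONLY", which now describes nothing.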
@@ -83,9 +81,9 @@ services: # ----------------------------------------------------- # This protects the UI BEFORE reaching WG-Easy's own login # - #proxy.auth.enable: true - #proxy.auth.username: "admin" - #proxy.auth.password: "CHANGEME" + #proxy.*.auth.enable: true + #proxy.*.auth.username: "admin" + #proxy.*.auth.password: "CHANGEME" # # ===================================================== @@ -99,19 +97,17 @@ services: # --------------------------- # Only allow access to the UI from a specific subnet(s): # - #proxy.middleware.ipwhitelist: | + #proxy.*.middleware.ipwhitelist: | # allow: # - 192.168.1.0/24 # - 10.0.0.0/8 - # deny: - # - 0.0.0.0/0 # --------------------------- # 2) Security Headers (OPTIONAL HARDENING) # --------------------------- # Helps with Cloudflare Zero-Trust, browser hardening, etc. # - #proxy.middleware.securityheaders: | + #proxy.*.middleware.securityheaders: | # X-Frame-Options: DENY # X-Content-Type-Options: nosniff # Referrer-Policy: no-referrer @@ -124,16 +120,17 @@ services: # --------------------------- # Protects the login page against brute force attacks # - #proxy.middleware.ratelimit: | + #proxy.*.middleware.ratelimit: | # average: 30 # burst: 15 + # period: 5s # --------------------------- # 4) Audit Logging (OPTIONAL LOGGING) # --------------------------- # Every UI access logs to stdout (GoDoxy → Loki optional) # - #proxy.middleware.auditlog: | + #proxy.*.middleware.auditlog: | # enabled: true # format: "$remote_addr accessed WG-Easy UI" @@ -142,7 +139,7 @@ services: # --------------------------- # Requires GoDoxy GeoIP plugin (if installed) # - #proxy.middleware.geoipblock: | + #proxy.*.middleware.geoipblock: | # allow: # - US # - CA From eb4eaeef6f006f5dcd959b5dcd84eb02b4f18171 Mon Sep 17 00:00:00 2001 
From: Meir Lazar Date: Thu, 27 Nov 2025 23:25:45 -0500 Subject: [PATCH 7/8] Refactor AdGuard Home configuration for clarity --- examples/docker-compose/adguardhome.yml | 32 ++++++++++++------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/examples/docker-compose/adguardhome.yml b/examples/docker-compose/adguardhome.yml index 814c008d..4644b6e7 100644 --- a/examples/docker-compose/adguardhome.yml +++ b/examples/docker-compose/adguardhome.yml @@ -17,25 +17,19 @@ services: # https://adguard.yourdomain # https://dns.yourdomain # https://adguardhome.yourdomain - proxy.aliases: | - adguard - dns - adguardhome + proxy.aliases: adguard,dns,adguardhome # ------------------------------------------------------- # Homepage Dashboard Metadata (shown in Homepage UI) # ------------------------------------------------------- - proxy.*.homepage: | + proxy.#*.homepage: | name: AdGuard Home description: DNS + DHCP Server category: Networking icon: "@selfhst/adguard-home.svg" - - # ======================================================= # OPTIONAL: PASSWORD-PROTECT THE ADGUARD WEB UI # ======================================================= # → IF YOU WANT TO LOCK THE DASHBOARD BEHIND A LOGIN - # - Uncomment these 3 lines # - Replace username/password with your values # # Explanation: 
@@ -44,10 +38,16 @@ services: # given a login popup BEFORE reaching AdGuard’s UI. # # NOTE: This is SEPARATE from AdGuard’s internal login. - # - proxy.*.auth.enable: true - proxy.*.auth.username: "admin" - proxy.*.auth.password: "CHANGEME" + # For basic_auth conditions, the password must be bcrypt hashed. Generate the hash using: + # htpasswd -nbB '' your-password | cut -c 2- + # make suer to escape any $ by writing $ twice ($$) to make it a literal $ + + proxy.#*.rules: | + - name: default + do: require_basic_auth "Restricted Area" + - name: authenticated users + on: basic_auth admin1 "$$2y$$05$$x1WyUkhoPPKlbttLe9JC7uLTr60iRnubg08l7KvhJk.5xJxgRTmi2" | basic_auth admin2 "$$2y$$05$$x1WyUkhoPPKlbttLe9JC7uLTr60iRnubg08l7KvhJk.5xJxgRTmi2" + do: pass # ======================================================= # OPTIONAL: CUSTOM MIDDLEWARES @@ -88,10 +88,10 @@ services: # --------------------------- # Prevent brute-force attempts / UI abuse: # - proxy.*.middleware.ratelimit: | - average: 10 - burst: 20 - period: 1s + #proxy.#*.middleware.ratelimit: | + # average: 40 + # burst: 30 + # period: 1s # # Enable one or all depending on what you need. # ======================================================= From 3aa73588026d0a43f8594258106fa5e21ef96c6f Mon Sep 17 00:00:00 2001 From: Meir Lazar Date: Thu, 27 Nov 2025 23:27:20 -0500 Subject: [PATCH 8/8] Refactor proxy configuration syntax in WireGuard VPN Updated proxy configuration syntax for compatibility. --- examples/docker-compose/wg-easy_wireguard_vpn | 27 ++++++------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/examples/docker-compose/wg-easy_wireguard_vpn b/examples/docker-compose/wg-easy_wireguard_vpn index 796d6a00..2460bb66 100644 --- a/examples/docker-compose/wg-easy_wireguard_vpn +++ b/examples/docker-compose/wg-easy_wireguard_vpn 
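Review bot: The new `proxy.#*.rules` block ships a real bcrypt hash, identical for `admin1` and `admin2`, as live configuration, so anyone who copies the example unchanged gets two accounts guarded by a password that is effectively public. Replace both hashes with an obvious placeholder such as `"<bcrypt-hash>"` and keep the generation command in the comment. The `$2y$05$` prefix shows cost factor 5, which is cheap to test offline; the comment could recommend a higher cost, e.g. `htpasswd -nbB -C 12 '' your-password | cut -c 2-`. The following hunk on this line comments the rate limit out again, so the basic-auth prompt in the example has no throttling even though the comment above it still says it prevents brute-force attempts.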
@@ -64,29 +64,18 @@ services: wgeasy # Internal WebUI port - proxy.*.port: "51821" + proxy.#*.port: "51821" # SSL termination via GoDoxy - proxy.*.scheme: https + proxy.#*.scheme: https # Homepage metadata - proxy.*.homepage: | + proxy.#*.homepage: | name: WG Easy VPN description: Fast Easy VPN Server category: Utilities icon: "@selfhst/wireguard.svg" - # ===================================================== - # OPTIONAL: PASSWORD-PROTECT WEB UI - # ----------------------------------------------------- - # This protects the UI BEFORE reaching WG-Easy's own login - # - #proxy.*.auth.enable: true - #proxy.*.auth.username: "admin" - #proxy.*.auth.password: "CHANGEME" - # - # ===================================================== - # ===================================================== # OPTIONAL: CUSTOM MIDDLEWARES @@ -97,7 +86,7 @@ services: # --------------------------- # Only allow access to the UI from a specific subnet(s): # - #proxy.*.middleware.ipwhitelist: | + #proxy.#*.middleware.ipwhitelist: | # allow: # - 192.168.1.0/24 # - 10.0.0.0/8 @@ -107,7 +96,7 @@ services: # --------------------------- # Helps with Cloudflare Zero-Trust, browser hardening, etc. # - #proxy.*.middleware.securityheaders: | + #proxy.#*.middleware.securityheaders: | # X-Frame-Options: DENY # X-Content-Type-Options: nosniff # Referrer-Policy: no-referrer @@ -120,7 +109,7 @@ services: # --------------------------- # Protects the login page against brute force attacks # - #proxy.*.middleware.ratelimit: | + #proxy.#*.middleware.ratelimit: | # average: 30 # burst: 15 # period: 5s @@ -130,7 +119,7 @@ services: # --------------------------- # Every UI access logs to stdout (GoDoxy → Loki optional) # - #proxy.*.middleware.auditlog: | + #proxy.#*.middleware.auditlog: | # enabled: true # format: "$remote_addr accessed WG-Easy UI" 
@@ -139,7 +128,7 @@ services: # --------------------------- # Requires GoDoxy GeoIP plugin (if installed) # - #proxy.*.middleware.geoipblock: | + #proxy.#*.middleware.geoipblock: | # allow: # - US # - CA