Added additional examples

examples/config/config.yml

@@ -0,0 +1,97 @@
+autocert:
+  provider: cloudflare
+  email: ${CLOUDFLARE_EMAIL}
+  domains:   # this has to match whats in the match domains section
+    - ${MYWILDCARD_DOMAIN}
+    - ${MY_DOMAIN}
+  options:
+    auth_token: ${CLOUDFLARE_TOKEN}
+  resolvers:
+    - 1.1.1.1:53
+    - ${MY_INTERNAL_DNS1}
+    - ${MY_INTERNAL_DNS2}
+acl:
+  default: deny    # by default no one is allowed in except fo the allow list
+  allow_local: true
+  log:
+    stdout: true
+    log_allowed: true
+    keep: 7 days
+    retention: 7 days
+  allow:
+    - cidr:192.168.0.0/16
+    - ip:YOUREXTERNALIP
+    - ip:127.0.0.1
+    - cidr:172.16.0.0/12
+entrypoint:
+  support_proxy_protocol: false  # this should be false
+  middlewares:
+    - use: real_ip                    # use the real ip of the origin
+      header: X-Real-IP
+      from:
+        - 127.0.0.1
+        - 192.168.0.0/16
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+        - ${MY_EXTERNAL_CIDR}
+      recursive: true
+    - use: cidr_whitelist
+      allow:
+        - 127.0.0.1/8
+        - 192.168.0.0/16
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+        - ${MY_EXTERNAL_CIDR}
+      status: 403
+      message: "Forbidden - your IP is not allowed"
+    - use: RedirectHTTP
+    - use: ModifyResponse
+      set_headers:
+        Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
+        Access-Control-Allow-Headers: "*"
+        Access-Control-Allow-Origin: "*"
+        Access-Control-Max-Age: 180
+        Vary: "*"
+        X-XSS-Protection: 1; mode=block
+        Content-Security-Policy: object-src 'self'; frame-ancestors 'self' ${MY_WILDCARD_ADDRESS};
+        X-Content-Type-Options: nosniff
+        Permissions-Policy: vibrate=(self); geolocation=(self); midi=(self);
+          notifications=(self); push=(self); vibrate=(self); fullscreen=(self);
+          microphone=(); camera=(); magnetometer=(); gyroscope=(); speaker=();
+        X-Frame-Options: SAMEORIGIN
+        Referrer-Policy: same-origin
+        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+    - use: rate_limit
+      average: 10
+      burst: 20
+      period: 5s
+    - use: custom_error_page
+      bypass: []
+  access_log:
+    format: combined
+    path: /app/logs/entrypoint.log
+    stdout: true
+    keep: 30 days
+providers:
+  include:
+    - hass.yml                    # my hass routing file for home assistant
+  docker:
+    local: ${DOCKER_HOST}
+
+      # notification providers
+  notification:
+    - name: gotify
+      provider: gotify
+      token: ${GOTIFY_TOKEN}
+      url: ${GOTIFY_URL}
+  maxmind:
+    account_id: ${GODOXY_MAXMIND_ACCOUNT_ID}
+    license_key: ${GODOXY_MAXMIND_LICENSE_KEY}
+    database: "geolite"
+  agents:
+    - ${REMOTESERVER1}
+    - ${REMOTESERVER2}
+homepage:
+  use_default_categories: true
+match_domains:
+  - ${MY_DOMAIN} 

examples/docker-compose/adguardhome.yml

@@ -0,0 +1,125 @@
+services:
+  adguard:
+    image: adguard/adguardhome:edge
+    container_name: adguard
+    network_mode: "host"
+
+    cap_add:
+      - NET_ADMIN
+    privileged: true
+
+    labels:
+      # -------------------------------------------------------
+      # GoDoxy Reverse Proxy Configuration
+      # -------------------------------------------------------
+      # Aliases -> URLs GoDoxy will expose for this service
+      # Examples:
+      #   https://adguard.yourdomain
+      #   https://dns.yourdomain
+      #   https://adguardhome.yourdomain
+      proxy.aliases: adguard,dns,adguardhome
+      # -------------------------------------------------------
+      # Homepage Dashboard Metadata (shown in Homepage UI)
+      # -------------------------------------------------------
+      proxy.#*.homepage: |
+        name: AdGuard Home
+        description: DNS + DHCP Server
+        category: Networking
+        icon: "@selfhst/adguard-home.svg"
+      # =======================================================
+      # OPTIONAL: PASSWORD-PROTECT THE ADGUARD WEB UI
+      # =======================================================
+      # → IF YOU WANT TO LOCK THE DASHBOARD BEHIND A LOGIN
+      #   - Replace username/password with your values
+      #
+      # Explanation:
+      #   This adds GoDoxy’s built-in basic auth middleware.
+      #   Anyone accessing https://adguard.<domain> will be
+      #   given a login popup BEFORE reaching AdGuard’s UI.
+      #
+      #   NOTE: This is SEPARATE from AdGuard’s internal login.
+      #   For basic_auth conditions, the password must be bcrypt hashed. Generate the hash using:
+      #    htpasswd -nbB '' your-password | cut -c 2-
+      #   make suer to escape any $ by writing $ twice ($$) to make it a literal $
+
+      proxy.#*.rules: |
+        - name: default
+          do: require_basic_auth "Restricted Area"
+        - name: authenticated users
+          on: basic_auth admin1 "$$2y$$05$$x1WyUkhoPPKlbttLe9JC7uLTr60iRnubg08l7KvhJk.5xJxgRTmi2" | basic_auth admin2 "$$2y$$05$$x1WyUkhoPPKlbttLe9JC7uLTr60iRnubg08l7KvhJk.5xJxgRTmi2"
+          do: pass
+
+      # =======================================================
+      # OPTIONAL: CUSTOM MIDDLEWARES
+      # =======================================================
+      # Middlewares allow you to:
+      #   - rewrite URLs
+      #   - add headers
+      #   - restrict access by IP
+      #   - enforce security headers
+      #   - throttle requests
+      #
+      # Syntax:
+      #   proxy.middleware.<name>: "<config>"
+      #
+      # You can apply multiple; GoDoxy chains them automatically.
+      #
+      # ---------------------------
+      # Example 1: IP Whitelist
+      # ---------------------------
+      #   Only allow specific LAN subnets to load the UI:
+      #
+      #proxy.middleware.ipwhitelist: |
+      #  allow:
+      #    - 192.168.1.0/24
+      #    - 192.168.10.0/24
+      #
+      # ---------------------------
+      # Example 2: Add Secure Headers
+      # ---------------------------
+      #proxy.*.middleware.securityheaders: |
+      #  X-Frame-Options: DENY
+      #  X-Content-Type-Options: nosniff
+      #  Referrer-Policy: no-referrer
+      #  Permissions-Policy: accelerometer=()
+      #
+      # ---------------------------
+      # Example 3: Rate Limiting
+      # ---------------------------
+      #   Prevent brute-force attempts / UI abuse:
+      #
+      #proxy.#*.middleware.ratelimit: |
+      #  average: 40
+      #  burst: 30
+      #  period: 1s
+      #
+      # Enable one or all depending on what you need.
+      # =======================================================
+
+    # Host mode → ports are unnecessary (and ignored)
+    # ports:
+    #   - 53:53/udp
+    #   - 53:53/tcp
+    #   - 67:67/udp
+    #   - 68:68/tcp
+    #   - 68:68/udp
+    #   - 3000:3000/tcp
+
+    volumes:
+      - ./workdir:/opt/adguardhome/work
+      - ./confdir:/opt/adguardhome/conf
+      - ./adguard_hostsfile.txt:/etc/hosts:ro
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
+
+    # Healthcheck to ensure WebUI is up before marking healthy
+    healthcheck:
+      test: ["CMD-SHELL", "wget --timeout=5 -nv -t1 --spider http://127.0.0.1:3000 || exit 1"]
+      interval: 10m
+      timeout: 5s
+      start_period: 60s
+      retries: 3
+
+    restart: unless-stopped
+    mem_limit: 2048m
+    cpus: "3.0"

examples/docker-compose/wg-easy_wireguard_vpn

@@ -0,0 +1,154 @@
+services:
+  wg-easy:
+    image: ghcr.io/wg-easy/wg-easy:latest
+    container_name: wg-easy
+
+    # -------------------------------------------------------
+    # Networking:
+    # - WireGuard tunnel uses UDP 51820 → EXPOSED (required)
+    # - Web UI is TCP 51821 but ONLY proxied through GoDoxy
+    #
+    # IMPORTANT:
+    #   Do NOT use network_mode: host for VPNs unless needed.
+    #   This keeps UI isolated and prevents leaking ports.
+    # -------------------------------------------------------
+    ports:
+      - "51820:51820/udp"   # Required for WireGuard
+      # WebUI NOT exposed directly — handled by GoDoxy only
+      # - "51821:51821/tcp"  # ❌ REMOVE (GoDoxy handles proxying)
+
+    environment:
+      - LANG=en
+      - WG_HOST=vpn.mydomain.com
+      - PASSWORD_HASH=${HASHED_PASS}
+      # Optional:
+      # - WG_PORT=51820
+      # - PORT=51821       (UI internal port, do not expose)
+      # - WG_CONFIG_PORT=92820
+
+      - UI_TRAFFIC_STATS=true
+      - UI_CHART_TYPE=2
+      - WG_ENABLE_ONE_TIME_LINKS=true
+      - UI_ENABLE_SORT_CLIENTS=true
+      - WG_DEFAULT_ADDRESS=192.168.33.x
+      - WG_DEFAULT_DNS=1.1.1.1
+
+    volumes:
+      - ./etc_wireguard:/etc/wireguard
+
+    restart: unless-stopped
+
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+
+    mem_limit: 1024m
+    cpus: "2.0"
+
+    security_opt:
+      - no-new-privileges:true   # Hardening
+
+    # -------------------------------------------------------
+    # GoDoxy Integration
+    # -------------------------------------------------------
+    labels:
+      # Enable reverse proxy for Web UI ONLY
+      # The aliases/domains you want to access the dashboard on
+      proxy.aliases: |
+        vpn
+        wireguard
+        wgeasy
+
+      # Internal WebUI port
+      proxy.#*.port: "51821"
+
+      # SSL termination via GoDoxy
+      proxy.#*.scheme: https
+
+      # Homepage metadata
+      proxy.#*.homepage: |
+        name: WG Easy VPN
+        description: Fast Easy VPN Server
+        category: Utilities
+        icon: "@selfhst/wireguard.svg"
+
+
+      # =====================================================
+      # OPTIONAL: CUSTOM MIDDLEWARES
+      # =====================================================
+
+      # ---------------------------
+      # 1) IP Whitelist (OPTIONAL)
+      # ---------------------------
+      # Only allow access to the UI from a specific subnet(s):
+      #
+      #proxy.#*.middleware.ipwhitelist: |
+      #  allow:
+      #    - 192.168.1.0/24
+      #    - 10.0.0.0/8
+
+      # ---------------------------
+      # 2) Security Headers (OPTIONAL HARDENING)
+      # ---------------------------
+      # Helps with Cloudflare Zero-Trust, browser hardening, etc.
+      #
+      #proxy.#*.middleware.securityheaders: |
+      #  X-Frame-Options: DENY
+      #  X-Content-Type-Options: nosniff
+      #  Referrer-Policy: no-referrer
+      #  Permissions-Policy: accelerometer=()
+      #  CF-Access-Client-ID: ${CF_ID}
+      #  CF-Access-Client-Secret: ${CF_SECRET}
+
+      # ---------------------------
+      # 3) Rate Limiting (OPTIONAL HARDENING)
+      # ---------------------------
+      # Protects the login page against brute force attacks
+      #
+      #proxy.#*.middleware.ratelimit: |
+      #  average: 30
+      #  burst: 15
+      #  period: 5s
+
+      # ---------------------------
+      # 4) Audit Logging (OPTIONAL LOGGING)
+      # ---------------------------
+      # Every UI access logs to stdout (GoDoxy → Loki optional)
+      #
+      #proxy.#*.middleware.auditlog: |
+      #  enabled: true
+      #  format: "$remote_addr accessed WG-Easy UI"
+
+      # ---------------------------
+      # 5) Geo/IP Restriction (OPTIONAL GEO-LOC HARDENING)
+      # ---------------------------
+      # Requires GoDoxy GeoIP plugin (if installed)
+      #
+      #proxy.#*.middleware.geoipblock: |
+      #  allow:
+      #    - US
+      #    - CA
+      #  deny:
+      #    - CN
+      #    - RU
+      #    - KP
+
+      # =====================================================
+
+
+    # Healthcheck for UI (OPTIONAL)
+    healthcheck:
+      test: ["CMD-SHELL", "wget --timeout=5 -nv -t1 --spider http://127.0.0.1:51821 || exit 1"]
+      interval: 10m
+      timeout: 10s
+      start_period: 60s
+
+networks:
+  default:
+    external: true
+    name: SHARED
+

examples/route_providers/homeassistant.yml

@@ -0,0 +1,8 @@
+hass:
+  host: 192.168.1.10    # ip address of Homeassistant Server
+  port: 8123            # port
+  homepage:
+    name: hass
+    description: Home Assistant - Home Automation
+    icon: @selfhst/home-assistant.svg
+    category: Automation