From 798266d977f7d56f3282cf04baf2fe4439644c41 Mon Sep 17 00:00:00 2001
From: Lucas Bremgartner
Date: Mon, 10 Nov 2025 22:16:39 +0100
Subject: [PATCH 1/4] Dockerfile with httpjail from release
---
 Dockerfile | 69 +++++++++++++++++++++++
 README.md | 161 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 230 insertions(+)
 create mode 100644 Dockerfile
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..72a145f
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,69 @@
+FROM debian:13-slim
+
+LABEL org.opencontainers.image.title="httpjail" \
+ org.opencontainers.image.description="HTTP/HTTPS proxy with JavaScript-based request filtering" \
+ org.opencontainers.image.version="0.6.0" \
+ org.opencontainers.image.source="https://github.com/coder/httpjail" \
+ org.opencontainers.image.licenses="CC0-1.0"
+
+# Install CA certificates for TLS connections
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends ca-certificates wget && \
+ rm -rf /var/lib/apt/lists/*
+
+# Create non-root user
+RUN useradd -u 1000 -m -s /bin/bash httpjail
+
+# Download and install httpjail binary from GitHub releases
+RUN wget -q https://github.com/coder/httpjail/releases/download/v0.5.1/httpjail-0.5.1-linux-x86_64.tar.gz && \
+ tar -xzf httpjail-0.5.1-linux-x86_64.tar.gz && \
+ mv httpjail-0.5.1-linux-x86_64/httpjail /usr/local/bin/httpjail && \
+ chmod +x /usr/local/bin/httpjail && \
+ rm -rf httpjail-0.5.1-linux-x86_64.tar.gz httpjail-0.5.1-linux-x86_64
+
+# Create directory for rules
+RUN mkdir -p /rules && \
+ chown -R httpjail:httpjail /rules
+
+# Create default allow-all rule example
+# This can be overridden by bind-mounting a custom rule file
+RUN echo '// Default allow-all rule\n\
+// The request object (r) has these properties:\n\
+// r.url - Full URL\n\
+// r.method - HTTP method (GET, POST, etc.)\n\
+// r.host - Hostname\n\
+// r.scheme - URL scheme (http/https)\n\
+// r.path - URL path\n\
+//\n\
+// Return true to allow, false to deny\n\
+// Or return {allow: false, deny_message: "Custom message"}\n\
+// Or return {allow: {max_tx_bytes: 1024}} for size limits\n\
+\n\
+(function() {\n\
+ // Your custom rules here\n\
+ return true;\n\
+})();\n\
+' > /rules/rules.js && \
+ chown httpjail:httpjail /rules/rules.js
+
+# Switch to non-root user
+USER httpjail
+
+# Create config directory for certificates (will be auto-generated if not mounted)
+RUN mkdir -p /home/httpjail/.config/httpjail
+
+# Environment variables for server mode
+# Bind to all interfaces (0.0.0.0) for Docker accessibility
+ENV HTTPJAIL_HTTP_BIND=0.0.0.0:8080 \
+ HTTPJAIL_HTTPS_BIND=0.0.0.0:8443
+
+# Expose proxy ports
+EXPOSE 8080/tcp 8443/tcp
+
+# Declare volumes for certificates and rules
+# Certificates are stored at /home/httpjail/.config/httpjail/
+VOLUME ["/home/httpjail/.config/httpjail", "/rules"]
+
+# Set entrypoint and default command
+ENTRYPOINT ["httpjail"]
+CMD ["--server", "--js-file", "/rules/rules.js", "--request-log", "/dev/stdout"]
diff --git a/README.md b/README.md
index 619c87e..ead193e 100644
--- a/README.md
+++ b/README.md
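Review bot: The release tarball fetched by `wget` is unpacked and installed into `/usr/local/bin` without any integrity check, so the image trusts whatever the URL serves at build time. Pin the archive's digest and verify it before `tar`, e.g. `echo "<SHA256_OF_RELEASE_TARBALL>  httpjail-0.5.1-linux-x86_64.tar.gz" | sha256sum -c - && \` (placeholder digest; take the real value from the release). The PATCH 2/4 hunk that rewrites this same RUN has the same gap and would need one digest per architecture. Separately, `org.opencontainers.image.version="0.6.0"` does not match the downloaded v0.5.1. The shipped default rule allows everything while `HTTPJAIL_HTTP_BIND`/`HTTPJAIL_HTTPS_BIND` listen on 0.0.0.0, so a comment such as `# allow-all default: mount a restrictive rules.js before publishing these ports` above the ENV would make that explicit.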
@@ -63,6 +63,167 @@ httpjail --server --js "true" httpjail --js "r.host === 'api.github.com'" --docker-run -- --rm alpine:latest wget -qO- https://api.github.com ``` +## Docker + +httpjail can run as a standalone proxy server in a Docker container, perfect for team-wide policy enforcement or testing. + +### Building the Image + +```bash +docker build -t httpjail:latest . +``` + +The Dockerfile downloads httpjail v0.5.1 from GitHub releases and runs as a non-root user (UID 1000). + +### Running the Container + +**Basic usage with default allow all rule:** + +```bash +docker run -d --name httpjail \ + -p 8080:8080 -p 8443:8443 \ + httpjail:latest +``` + +**With persistent certificates:** + +```bash +mkdir -p ./httpjail-certs +docker run -d --name httpjail \ + -p 8080:8080 -p 8443:8443 \ + -v ./httpjail-certs:/home/httpjail/.config/httpjail \ + httpjail:latest +``` + +**With custom rules:** + +```bash +# Create your custom rule file +cat > my-rules.js <<'EOF' +// Allow only specific domains +const allowed = ['github.com', 'api.github.com', 'npmjs.org']; +allowed.includes(r.host) +EOF + +# Run with custom rules (overrides default rules.js) +docker run -d --name httpjail \ + -p 8080:8080 -p 8443:8443 \ + -v ./httpjail-certs:/home/httpjail/.config/httpjail \ + -v ./my-rules.js:/rules/rules.js:ro \ + httpjail:latest +``` + +**With additional verbosity:** + +```bash +docker run -d --name httpjail \ + -p 8080:8080 -p 8443:8443 \ + httpjail:latest --server --js-file /rules/rules.js -vv --request-log /dev/stderr +``` + +### Configuring Clients + +After starting the container, configure your applications to use the proxy: + +```bash +export HTTP_PROXY=http://localhost:8080 +export HTTPS_PROXY=http://localhost:8443 +``` + +For HTTPS to work, clients need to trust the CA certificate. 
Extract it from the container: + +```bash +# Extract CA certificate +docker cp httpjail:/home/httpjail/.config/httpjail/ca-cert.pem ./ca-cert.pem + +# Configure client +export SSL_CERT_FILE=$PWD/ca-cert.pem + +# Test +curl https://github.com +``` + +Alternatively, install the certificate system-wide: + +```bash +# Linux +sudo cp ca-cert.pem /usr/local/share/ca-certificates/httpjail.crt +sudo update-ca-certificates + +# macOS +sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca-cert.pem +``` + +### Viewing Logs + +Request logs are sent to stderr (visible in `docker logs`): + +```bash +docker logs -f httpjail +``` + +Log format: ` <+/-> ` where `+` means allowed and `-` means blocked. + +### JavaScript Rule Examples + +The default rule (`true`) allows all traffic. Here are more useful examples: + +**Allowlist specific domains:** + +```javascript +const allowed = ['github.com', 'api.github.com', 'npmjs.org']; +allowed.includes(r.host) +``` + +**Block specific paths:** + +```javascript +// Allow all except admin paths +!r.path.startsWith('/admin') +``` + +**Size limits:** + +```javascript +// Allow GET requests under 10MB +if (r.method === 'GET') { + ({allow: {max_tx_bytes: 10 * 1024 * 1024}}) +} else { + false // Block non-GET +} +``` + +**Custom deny messages:** + +```javascript +if (r.host === 'malicious.com') { + ({allow: false, deny_message: 'Blocked: Known malicious domain'}) +} else { + true +} +``` + +**Complex policies:** + +```javascript +// Allow GitHub and NPM GET requests, deny everything else +const trustedDomains = ['github.com', 'api.github.com', 'npmjs.org', 'registry.npmjs.org']; +const isTrusted = trustedDomains.includes(r.host); +const isSafeMethod = ['GET', 'HEAD'].includes(r.method); + +isTrusted && isSafeMethod +``` + +See the [JavaScript rule engine docs](https://coder.github.io/httpjail/guide/rule-engines/javascript.html) for complete reference. 
+ +### Security Notes + +- The container runs as non-root user (UID 1000) +- Server mode does NOT provide network isolation (no namespaces) +- Applications must be configured to use the proxy (HTTP_PROXY/HTTPS_PROXY) +- The Docker image is built for x86_64 architecture only +- Certificates are auto-generated on first run if not provided via volume mount + ## Documentation Docs are stored in the `docs/` directory and served From 9ac08bc2755b4dc78c8c9ac7605ac7f25d70ac40 Mon Sep 17 00:00:00 2001 From: Lucas Bremgartner Date: Mon, 10 Nov 2025 22:21:52 +0100 Subject: [PATCH 2/4] Support multiple architectures --- Dockerfile | 16 ++++++++++++---- README.md | 35 +++++++++++++++++++++++++++++++++-- 2 files changed, 45 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 72a145f..f2aef69 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -15,11 +15,19 @@ RUN apt-get update && \
 RUN useradd -u 1000 -m -s /bin/bash httpjail
 
 # Download and install httpjail binary from GitHub releases
-RUN wget -q https://github.com/coder/httpjail/releases/download/v0.5.1/httpjail-0.5.1-linux-x86_64.tar.gz && \
- tar -xzf httpjail-0.5.1-linux-x86_64.tar.gz && \
- mv httpjail-0.5.1-linux-x86_64/httpjail /usr/local/bin/httpjail && \
+# Supports multi-arch builds (amd64 and arm64)
+ARG TARGETARCH
+RUN set -ex; \
+ case "${TARGETARCH}" in \
+ amd64) HTTPJAIL_ARCH="x86_64" ;; \
+ arm64) HTTPJAIL_ARCH="aarch64" ;; \
+ *) echo "Unsupported architecture: ${TARGETARCH}" && exit 1 ;; \
+ esac; \
+ wget -q https://github.com/coder/httpjail/releases/download/v0.5.1/httpjail-0.5.1-linux-${HTTPJAIL_ARCH}.tar.gz && \
+ tar -xzf httpjail-0.5.1-linux-${HTTPJAIL_ARCH}.tar.gz && \
+ mv httpjail-0.5.1-linux-${HTTPJAIL_ARCH}/httpjail /usr/local/bin/httpjail && \
 chmod +x /usr/local/bin/httpjail && \
- rm -rf httpjail-0.5.1-linux-x86_64.tar.gz httpjail-0.5.1-linux-x86_64
+ rm -rf httpjail-0.5.1-linux-${HTTPJAIL_ARCH}.tar.gz httpjail-0.5.1-linux-${HTTPJAIL_ARCH}
 
 # Create directory for rules
 RUN mkdir -p /rules && \
diff --git a/README.md b/README.md
index ead193e..e909e46 100644
--- a/README.md
+++ b/README.md
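Review bot: The release version is hard-coded throughout the new RUN (`v0.5.1` in the URL and `httpjail-0.5.1-linux-…` in the wget, tar, mv and rm lines), so a bump that misses one occurrence leaves the step inconsistent. Declaring `ARG HTTPJAIL_VERSION=0.5.1` beside `ARG TARGETARCH` and using `${HTTPJAIL_VERSION}` throughout keeps the version, and any per-architecture digest added later, in one place. `TARGETARCH` is populated automatically only by BuildKit, so a comment such as `# TARGETARCH is set by BuildKit/buildx; under the legacy builder it is empty and the build stops in the default branch` would explain the otherwise blank "Unsupported architecture:" message.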
@@ -69,11 +69,42 @@ httpjail can run as a standalone proxy server in a Docker container, perfect for ### Building the Image +The Dockerfile downloads httpjail v0.5.1 from GitHub releases and runs as a non-root user (UID 1000). Multi-arch builds are supported for `linux/amd64` and `linux/arm64`. + +**Build for your current platform:** + ```bash docker build -t httpjail:latest . ``` -The Dockerfile downloads httpjail v0.5.1 from GitHub releases and runs as a non-root user (UID 1000). +**Build for a specific platform:** + +```bash +# For amd64 (x86_64) +docker build --platform linux/amd64 -t httpjail:amd64 . + +# For arm64 (aarch64) +docker build --platform linux/arm64 -t httpjail:arm64 . +``` + +**Build and push multi-arch image to a registry:** + +```bash +# Create and use a new buildx builder (one-time setup) +docker buildx create --name multiarch --use + +# Build and push for both architectures +docker buildx build --platform linux/amd64,linux/arm64 \ + -t your-registry/httpjail:latest \ + --push . + +# Or build and load locally (single platform only) +docker buildx build --platform linux/amd64 \ + -t httpjail:latest \ + --load . +``` + +Note: Multi-arch builds require [Docker Buildx](https://docs.docker.com/build/buildx/). The `--load` flag only works with single-platform builds; use `--push` for multi-platform images. ### Running the Container @@ -221,7 +252,7 @@ See the [JavaScript rule engine docs](https://coder.github.io/httpjail/guide/rul - The container runs as non-root user (UID 1000) - Server mode does NOT provide network isolation (no namespaces) - Applications must be configured to use the proxy (HTTP_PROXY/HTTPS_PROXY) -- The Docker image is built for x86_64 architecture only +- The Docker image supports both `linux/amd64` (x86_64) and `linux/arm64` (aarch64) architectures - Certificates are auto-generated on first run if not provided via volume mount ## Documentation From 670d525c38be537cb70611246c8e0fc06de0ad2e Mon Sep 17 00:00:00 2001 
From: Ammar Date: Wed, 12 Nov 2025 16:46:19 +0000 Subject: [PATCH 3/4] docs: Move Dockerfile to examples/ and add comprehensive documentation - Move Dockerfile from root to examples/ directory - Add docs/advanced/docker.md with full usage guide - Update SUMMARY.md to include Docker documentation - Cover building, running, client configuration, and examples --- docs/SUMMARY.md | 1 + docs/advanced/docker.md | 192 ++++++++++++++++++++++++++++++ Dockerfile => examples/Dockerfile | 0 3 files changed, 193 insertions(+) create mode 100644 docs/advanced/docker.md rename Dockerfile => examples/Dockerfile (100%) diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md index 92a3d24..10dd670 100644 --- a/docs/SUMMARY.md +++ b/docs/SUMMARY.md @@ -20,6 +20,7 @@ - [TLS Interception](./advanced/tls-interception.md) - [DNS Exfiltration](./advanced/dns-exfiltration.md) - [Server Mode](./advanced/server-mode.md) +- [Docker](./advanced/docker.md) --- diff --git a/docs/advanced/docker.md b/docs/advanced/docker.md new file mode 100644 index 0000000..724dcf1 --- /dev/null +++ b/docs/advanced/docker.md 
@@ -0,0 +1,192 @@ +# Docker + +httpjail can run as a standalone proxy server in a Docker container, perfect for team-wide policy enforcement or testing. An example Dockerfile is provided in the [`examples/`](https://github.com/coder/httpjail/tree/main/examples) directory. + +## Building the Image + +The example Dockerfile downloads httpjail from GitHub releases and runs as a non-root user (UID 1000). Multi-arch builds are supported for `linux/amd64` and `linux/arm64`. + +**Build for your current platform:** + +```bash +cd examples/ +docker build -t httpjail:latest . +``` + +**Build for a specific platform:** + +```bash +# For amd64 (x86_64) +docker build --platform linux/amd64 -t httpjail:amd64 . + +# For arm64 (aarch64) +docker build --platform linux/arm64 -t httpjail:arm64 . +``` + +**Build and push multi-arch image to a registry:** + +```bash +# Create and use a new buildx builder (one-time setup) +docker buildx create --name multiarch --use + +# Build and push for both architectures +docker buildx build --platform linux/amd64,linux/arm64 \ + -t your-registry/httpjail:latest \ + --push . + +# Or build and load locally (single platform only) +docker buildx build --platform linux/amd64 \ + -t httpjail:latest \ + --load . +``` + +> **Note:** Multi-arch builds require [Docker Buildx](https://docs.docker.com/build/buildx/). The `--load` flag only works with single-platform builds; use `--push` for multi-platform images. 
+ +## Running the Container + +**Basic usage with default allow-all rule:** + +```bash +docker run -d --name httpjail \ + -p 8080:8080 -p 8443:8443 \ + httpjail:latest +``` + +**With persistent certificates:** + +```bash +mkdir -p ./httpjail-certs +docker run -d --name httpjail \ + -p 8080:8080 -p 8443:8443 \ + -v ./httpjail-certs:/home/httpjail/.config/httpjail \ + httpjail:latest +``` + +**With custom rules:** + +```bash +# Create your custom rule file +cat > my-rules.js <<'EOF' +// Allow only specific domains +const allowed = ['github.com', 'api.github.com', 'npmjs.org']; +allowed.includes(r.host) +EOF + +# Run with custom rules (overrides default rules.js) +docker run -d --name httpjail \ + -p 8080:8080 -p 8443:8443 \ + -v ./httpjail-certs:/home/httpjail/.config/httpjail \ + -v ./my-rules.js:/rules/rules.js:ro \ + httpjail:latest +``` + +**With additional verbosity:** + +```bash +docker run -d --name httpjail \ + -p 8080:8080 -p 8443:8443 \ + httpjail:latest --server --js-file /rules/rules.js -vv --request-log /dev/stderr +``` + +## Configuring Clients + +After starting the container, configure your applications to use the proxy: + +```bash +export HTTP_PROXY=http://localhost:8080 +export HTTPS_PROXY=http://localhost:8443 +``` + +For HTTPS to work, clients need to trust the CA certificate. 
Extract it from the container: + +```bash +# Extract CA certificate +docker cp httpjail:/home/httpjail/.config/httpjail/ca-cert.pem ./ca-cert.pem + +# Configure client +export SSL_CERT_FILE=$PWD/ca-cert.pem + +# Test +curl https://github.com +``` + +Alternatively, install the certificate system-wide: + +```bash +# Linux +sudo cp ca-cert.pem /usr/local/share/ca-certificates/httpjail.crt +sudo update-ca-certificates + +# macOS +sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca-cert.pem +``` + +## Viewing Logs + +Request logs are sent to stdout by default (visible in `docker logs`): + +```bash +docker logs -f httpjail +``` + +Log format: ` <+/-> ` where `+` means allowed and `-` means blocked. + +## JavaScript Rule Examples + +The default rule (`true`) allows all traffic. Here are more useful examples: + +**Allowlist specific domains:** + +```javascript +const allowed = ['github.com', 'api.github.com', 'npmjs.org']; +allowed.includes(r.host) +``` + +**Block specific paths:** + +```javascript +// Allow all except admin paths +!r.path.startsWith('/admin') +``` + +**Size limits:** + +```javascript +// Allow GET requests under 10MB +if (r.method === 'GET') { + ({allow: {max_tx_bytes: 10 * 1024 * 1024}}) +} else { + false // Block non-GET +} +``` + +**Custom deny messages:** + +```javascript +if (r.host === 'malicious.com') { + ({allow: false, deny_message: 'Blocked: Known malicious domain'}) +} else { + true +} +``` + +**Complex policies:** + +```javascript +// Allow GitHub and NPM GET requests, deny everything else +const trustedDomains = ['github.com', 'api.github.com', 'npmjs.org', 'registry.npmjs.org']; +const isTrusted = trustedDomains.includes(r.host); +const isSafeMethod = ['GET', 'HEAD'].includes(r.method); + +isTrusted && isSafeMethod +``` + +See the [JavaScript rule engine](../guide/rule-engines/javascript.md) documentation for complete reference. 
+ +## Security Notes + +- The container runs as non-root user (UID 1000) +- Server mode does NOT provide network isolation (no namespaces) +- Applications must be configured to use the proxy (HTTP_PROXY/HTTPS_PROXY) +- The Docker image supports both `linux/amd64` (x86_64) and `linux/arm64` (aarch64) architectures +- Certificates are auto-generated on first run if not provided via volume mount diff --git a/Dockerfile b/examples/Dockerfile similarity index 100% rename from Dockerfile rename to examples/Dockerfile From ae467db7da1b82f09ed594823ca4f06f6cb9daba Mon Sep 17 00:00:00 2001 From: Ammar Date: Wed, 12 Nov 2025 16:46:57 +0000 Subject: [PATCH 4/4] docs: Add simple Docker reference to README without duplication Instead of duplicating all Docker documentation in README, add a brief reference pointing to the comprehensive docs. --- README.md | 193 +----------------------------------------------------- 1 file changed, 3 insertions(+), 190 deletions(-) diff --git a/README.md b/README.md index e909e46..ecd7614 100644 --- a/README.md +++ b/README.md 
@@ -61,200 +61,13 @@ httpjail --server --js "true" # Run Docker containers with network isolation (Linux only) httpjail --js "r.host === 'api.github.com'" --docker-run -- --rm alpine:latest wget -qO- https://api.github.com -``` - -## Docker - -httpjail can run as a standalone proxy server in a Docker container, perfect for team-wide policy enforcement or testing. - -### Building the Image - -The Dockerfile downloads httpjail v0.5.1 from GitHub releases and runs as a non-root user (UID 1000). Multi-arch builds are supported for `linux/amd64` and `linux/arm64`. -**Build for your current platform:** - -```bash +# Or run httpjail itself as a standalone proxy in Docker (see docs/advanced/docker.md) +cd examples/ docker build -t httpjail:latest . +docker run -d -p 8080:8080 -p 8443:8443 httpjail:latest ``` -**Build for a specific platform:** - -```bash -# For amd64 (x86_64) -docker build --platform linux/amd64 -t httpjail:amd64 . - -# For arm64 (aarch64) -docker build --platform linux/arm64 -t httpjail:arm64 . -``` - -**Build and push multi-arch image to a registry:** - -```bash -# Create and use a new buildx builder (one-time setup) -docker buildx create --name multiarch --use - -# Build and push for both architectures -docker buildx build --platform linux/amd64,linux/arm64 \ - -t your-registry/httpjail:latest \ - --push . - -# Or build and load locally (single platform only) -docker buildx build --platform linux/amd64 \ - -t httpjail:latest \ - --load . -``` - -Note: Multi-arch builds require [Docker Buildx](https://docs.docker.com/build/buildx/). The `--load` flag only works with single-platform builds; use `--push` for multi-platform images. 
- -### Running the Container - -**Basic usage with default allow all rule:** - -```bash -docker run -d --name httpjail \ - -p 8080:8080 -p 8443:8443 \ - httpjail:latest -``` - -**With persistent certificates:** - -```bash -mkdir -p ./httpjail-certs -docker run -d --name httpjail \ - -p 8080:8080 -p 8443:8443 \ - -v ./httpjail-certs:/home/httpjail/.config/httpjail \ - httpjail:latest -``` - -**With custom rules:** - -```bash -# Create your custom rule file -cat > my-rules.js <<'EOF' -// Allow only specific domains -const allowed = ['github.com', 'api.github.com', 'npmjs.org']; -allowed.includes(r.host) -EOF - -# Run with custom rules (overrides default rules.js) -docker run -d --name httpjail \ - -p 8080:8080 -p 8443:8443 \ - -v ./httpjail-certs:/home/httpjail/.config/httpjail \ - -v ./my-rules.js:/rules/rules.js:ro \ - httpjail:latest -``` - -**With additional verbosity:** - -```bash -docker run -d --name httpjail \ - -p 8080:8080 -p 8443:8443 \ - httpjail:latest --server --js-file /rules/rules.js -vv --request-log /dev/stderr -``` - -### Configuring Clients - -After starting the container, configure your applications to use the proxy: - -```bash -export HTTP_PROXY=http://localhost:8080 -export HTTPS_PROXY=http://localhost:8443 -``` - -For HTTPS to work, clients need to trust the CA certificate. 
Extract it from the container: - -```bash -# Extract CA certificate -docker cp httpjail:/home/httpjail/.config/httpjail/ca-cert.pem ./ca-cert.pem - -# Configure client -export SSL_CERT_FILE=$PWD/ca-cert.pem - -# Test -curl https://github.com -``` - -Alternatively, install the certificate system-wide: - -```bash -# Linux -sudo cp ca-cert.pem /usr/local/share/ca-certificates/httpjail.crt -sudo update-ca-certificates - -# macOS -sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca-cert.pem -``` - -### Viewing Logs - -Request logs are sent to stderr (visible in `docker logs`): - -```bash -docker logs -f httpjail -``` - -Log format: ` <+/-> ` where `+` means allowed and `-` means blocked. - -### JavaScript Rule Examples - -The default rule (`true`) allows all traffic. Here are more useful examples: - -**Allowlist specific domains:** - -```javascript -const allowed = ['github.com', 'api.github.com', 'npmjs.org']; -allowed.includes(r.host) -``` - -**Block specific paths:** - -```javascript -// Allow all except admin paths -!r.path.startsWith('/admin') -``` - -**Size limits:** - -```javascript -// Allow GET requests under 10MB -if (r.method === 'GET') { - ({allow: {max_tx_bytes: 10 * 1024 * 1024}}) -} else { - false // Block non-GET -} -``` - -**Custom deny messages:** - -```javascript -if (r.host === 'malicious.com') { - ({allow: false, deny_message: 'Blocked: Known malicious domain'}) -} else { - true -} -``` - -**Complex policies:** - -```javascript -// Allow GitHub and NPM GET requests, deny everything else -const trustedDomains = ['github.com', 'api.github.com', 'npmjs.org', 'registry.npmjs.org']; -const isTrusted = trustedDomains.includes(r.host); -const isSafeMethod = ['GET', 'HEAD'].includes(r.method); - -isTrusted && isSafeMethod -``` - -See the [JavaScript rule engine docs](https://coder.github.io/httpjail/guide/rule-engines/javascript.html) for complete reference. 
- -### Security Notes - -- The container runs as non-root user (UID 1000) -- Server mode does NOT provide network isolation (no namespaces) -- Applications must be configured to use the proxy (HTTP_PROXY/HTTPS_PROXY) -- The Docker image supports both `linux/amd64` (x86_64) and `linux/arm64` (aarch64) architectures -- Certificates are auto-generated on first run if not provided via volume mount - ## Documentation Docs are stored in the `docs/` directory and served