unsubbed.co

Zoraxy

Zoraxy gives you a general-purpose reverse proxy and forwarding tool for networking noobs, running on your own infrastructure.

Self-hosted reverse proxy, honestly reviewed. No marketing fluff, just what you get when you point your domains at it.

TL;DR

  • What it is: Open-source (AGPL-3.0) HTTP reverse proxy and homelab networking toolbox, written in Go, managed entirely through a web UI — no config files required [1].
  • Who it’s for: Non-technical homelab owners and small self-hosters who want Nginx Proxy Manager’s simplicity but with OAuth2, SSO, built-in uptime monitoring, geo-blocking, and a plugin system baked in [1][5].
  • Cost savings: Zero licensing cost. Runs on a $5–10/month VPS or a Raspberry Pi already sitting on your shelf. Commercial reverse proxy and load balancer services easily run $20–$200/month [1].
  • Key strength: Ships more features out of the box than Nginx Proxy Manager — including forward-auth support (Authelia, Authentik), OAuth2, WebSocket proxying without any configuration, geo-based IP blocking, and an integrated uptime monitor with history graphs — while staying beginner-friendly [1][README].
  • Key weakness: AGPL-3.0 license (not MIT) makes commercial embedding legally complicated. Single-admin mode only in standalone deployment. Smaller community than Nginx or Traefik. No managed cloud option — you run it yourself or you don’t run it [README][1].

What is Zoraxy

Zoraxy is a reverse proxy written in Go. It sits in front of your self-hosted services and routes incoming traffic to the right container or server based on domain name and path rules — no Nginx config syntax, no rule files, no terminal after setup. The entire thing is managed through a browser [README][1].

The author, Toby Chui, describes it as “a general purpose HTTP reverse proxy and forwarding tool” in the GitHub README, which is an accurate and usefully plain description. The project’s website leads with “the ultimate homelab networking toolbox,” which is less accurate but at least points at the real positioning: this is not a production-grade Kubernetes ingress controller. It is a thoughtfully built tool for the person running Jellyfin, Nextcloud, Immich, and a handful of other containers on a home server and wanting a clean way to expose them on custom domains with HTTPS [1][5].

Zoraxy has 5,050 GitHub stars. It runs on Linux, Windows, Raspberry Pi, and any ARM SBC; there are pre-compiled binaries for amd64, arm64, armv6/7, and RISC-V, plus a Docker image. The core is licensed AGPL-3.0 [README].

The “written in Go” detail matters practically. It’s a single binary with no runtime dependencies — no PHP, no Node, no Python. On a Raspberry Pi 4 or a $5 VPS, the memory footprint is genuinely low. Brandon Lee at Virtualization Howto specifically cites the Go foundation as a differentiator over Nginx Proxy Manager, which is a Node.js wrapper around a running Nginx process [1].


Why people choose it over Nginx Proxy Manager, Caddy, and Traefik

Nginx Proxy Manager (NPM) has been the de facto starting point for homelab reverse proxies for years, and Zoraxy’s primary competition is clearly there. The reviews synthesize into roughly the same conclusion: Zoraxy wins on feature density and interface quality, NPM wins on absolute simplicity and community size.

Versus Nginx Proxy Manager. The Virtualization Howto comparison [1] is the most detailed third-party analysis available. Key findings: Zoraxy has SSO and OAuth2 built in where NPM has neither. Zoraxy’s uptime monitor shows historical reachability graphs; NPM shows only up/down for current proxy hosts. Zoraxy works with ZeroSSL, custom CAs, and other ACME providers; NPM is primarily tied to Let’s Encrypt. Zoraxy handles WebSocket proxying automatically with no additional setup; NPM sometimes requires manual tweaks. Both are beginner-friendly, but Zoraxy has a slightly steeper initial curve because it has more options to navigate [1].

The verdict from Lee’s comparison table: NPM remains the simplest possible interface and is still a strong recommendation for absolute beginners. Zoraxy is the better recommendation once you’ve outgrown NPM’s limited feature set and want SSO or forward-auth without adding a separate tool [1].

Versus Traefik. Traefik is the power-user’s choice — deep Docker label integration, dynamic config, Kubernetes-native, enterprise features. But Traefik’s configuration is YAML and labels, not a web UI, and the mental model requires understanding middlewares, entrypoints, and routers. Zoraxy explicitly targets the user who doesn’t want to learn any of that [1][5].

Versus Caddy. Caddy is the most elegant minimal option — a Caddyfile is readable plain English, and the automatic HTTPS story is excellent. But Caddy is a web server first and a reverse proxy second; there is no management UI. Zoraxy wins for users who want to point and click rather than edit text files [4][5].

The XDA “9 reverse proxies” roundup [5] places Zoraxy in the same tier as NPM for home network use — practical, accessible, GUI-driven — while distinguishing it from enterprise-grade options like Envoy that are designed for microservices architectures. The roundup underscores the consistent theme: you pick your reverse proxy based on how much complexity you’re willing to manage and what features you need without configuration overhead.


Features

Based on the GitHub README and website:

Core proxy:

  • HTTP/2 reverse proxy with virtual directories
  • WebSocket proxying — automatic, no configuration required [README]
  • Basic auth on proxy hosts
  • Alias hostnames
  • Custom headers injection
  • Load balancing across multiple upstreams [README]
  • Redirection rules engine
  • Path-based routing [README]

TLS and certificates:

  • ACME integration (Let’s Encrypt and other providers) with auto-renew [README]
  • DNS challenge support for Let’s Encrypt (via go-acme/lego DNS providers list) [README]
  • SNI support and SAN certificates
  • Configurable early-renewal window (default 30 days before expiry) [README]

Access control:

  • Geo-based IP blocking/allowlisting by country [README]
  • CIDR, single IP, and wildcard IP rules for blocklist and whitelist
  • Forward-Auth support (Authelia, Authentik) — community-contributed [README]
  • OAuth2 proxy support — community-contributed [README]
  • reCAPTCHA integration [README]

Networking utilities (built-in):

  • Stream proxy for TCP and UDP traffic [README]
  • mDNS scanner and transponder
  • Wake-on-LAN
  • Web-SSH terminal
  • CIDR IP calculator
  • IP scanner and port scanner
  • Debug forward proxy [README]

Monitoring:

  • Integrated uptime monitor with history graphs [1]
  • Real-time visitor statistics and network utilization overview [website]
  • No-reload access control — changes apply live [website]

Operations:

  • Plugin system — community plugins available [README][website]
  • Single-binary deployment; Docker-compatible with docker-compose
  • External permission management system for integrations
  • SMTP config for password reset [README]
  • Dark mode [README]
  • Config auto-upgrade on breaking changes [README]

Pricing: self-hosted math

Zoraxy has no SaaS tier. There is no cloud offering, no paid plan, no commercial license — it’s free software you download and run. The relevant cost comparison is not “Zoraxy Cloud vs self-hosted Zoraxy” but rather “what does a managed reverse proxy or edge service cost?”

Zoraxy self-hosted:

  • Software: $0 (AGPL-3.0)
  • Compute: runs on a Raspberry Pi you already own, or $5–10/month on a Hetzner or Contabo VPS
  • Your time for setup: roughly 30–60 minutes if you follow a guide [1]

Commercial alternatives for context:

  • Cloudflare Tunnel + Zero Trust: free tier exists, but $7/user/month for Teams access policies
  • Nginx commercial (F5): $0 open source, but no UI; the managed Nginx Plus product starts at several hundred dollars per instance per year
  • Traefik Enterprise: custom pricing, starts around $2,500/year for small teams
  • AWS Application Load Balancer: $0.008 per LCU-hour plus $16.20/month baseline — meaningful cost at any scale

For a homelab operator running 10–20 services, Zoraxy on a $6 VPS or a spare Raspberry Pi is a zero-dollar operational cost compared to any managed edge service. The AGPL-3.0 license means commercial use and embedding in proprietary products requires either compliance with AGPL’s copyleft terms or a separate commercial arrangement with the author — which matters if you’re building a product, not if you’re running personal infrastructure [README].


Deployment reality check

Installation is a single binary or docker-compose, and the website provides ready-to-paste wget commands for Linux, ARM SBCs, and Windows. After download:

chmod +x ./zoraxy_linux_amd64
sudo ./zoraxy_linux_amd64

Navigate to http://localhost:8000, complete account setup in the browser, and you’re routing traffic. The Getting Started wiki is well-linked from the homepage and project README [README][website].

What you actually need:

  • A Linux VPS or home server (Raspberry Pi 2GB+ works fine for typical homelab scale)
  • A domain name with DNS pointed at your server
  • Ports 80 and 443 open (Zoraxy handles ACME HTTP challenge by default)
  • Docker if you prefer the containerized path; not required if you run the binary directly
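
A post-start check for the setup above, as an added example (not from the Zoraxy project or the cited sources): it reads a socket listing in the format printed by `ss -ltnH` and reports whether the management port 8000 is bound beyond loopback and whether 80 and 443 are listening on a non-loopback address. The sample listings and the finding labels are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Zoraxy. Ports 8000 (management UI), 80 and 443
# are taken from the text above; finding labels are made up for this script.

# audit_listeners: read `ss -ltnH` lines on stdin, print three findings.
audit_listeners() {
  awk '
    {
      addr = $4                                  # "Local Address:Port" column
      n = split(addr, parts, ":")
      port = parts[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      loopback = (host ~ /^127\./ || host == "[::1]")

      if (port == "8000") {                      # management UI
        mgmt_seen = 1
        if (!loopback) exposed = exposed " " host
      }
      # 80/443 must listen off-loopback for the ACME HTTP challenge and HTTPS
      if (port == "80"  && !loopback) http_ok  = 1
      if (port == "443" && !loopback) https_ok = 1
    }
    END {
      if (!mgmt_seen)          print "MGMT_NOT_LISTENING"
      else if (exposed != "")  print "MGMT_REACHABLE_OFF_HOST" exposed
      else                     print "MGMT_LOOPBACK_ONLY"
      print (http_ok  ? "HTTP_80_OK"   : "HTTP_80_MISSING")
      print (https_ok ? "HTTPS_443_OK" : "HTTPS_443_MISSING")
    }'
}

# Constructed sample: management UI on every interface, no 443 listener yet.
SAMPLE_WILDCARD='LISTEN 0 4096 *:8000 *:*
LISTEN 0 4096 *:80 *:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*'

# Constructed sample: management UI on loopback only, 80 and 443 public.
SAMPLE_LOOPBACK='LISTEN 0 4096 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*'

printf '%s\n' "$SAMPLE_WILDCARD" | audit_listeners
printf '%s\n' "$SAMPLE_LOOPBACK" | audit_listeners
```

On a live host, feed it the real listing with `ss -ltnH | audit_listeners`; a MGMT_REACHABLE_OFF_HOST finding means the admin UI should be covered by a firewall rule before DNS is pointed at the server.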

What can go sideways:

  • The AGPL license is a real concern if you’re building a commercial product on top. For personal homelab use it’s irrelevant, but read the license if your situation is more complex [README].
  • Single-admin mode is the default in standalone deployment. There’s an “external permission management system” for multi-user setups, but it’s not a polished RBAC panel — it’s an integration hook for embedding Zoraxy in a larger system [README]. If you need multi-user administration with roles, NPM or Traefik Enterprise is better suited.
  • The plugin ecosystem is nascent. The official plugin list exists, but it is not the mature marketplace of something like Traefik’s middleware ecosystem. If you need a highly specific behavior, you may be writing it yourself [website][README].
  • The GIGAZINE review corpus includes a brief mention of Zoraxy as context in a Caddy article [4], which signals it has reached the “casually referenced” tier of coverage — notable but not yet as thoroughly documented in English as NPM or Caddy.
  • mDNS scanning and transponder are enabled by default and can interfere with other mDNS services on the network. The -mdns=false flag disables it [README].

Realistic setup time for a technically comfortable user following the Getting Started guide: 20–40 minutes to a working instance with HTTPS on a custom domain. For someone entirely new to reverse proxies, budget an afternoon — but the VirtualizationHowto tutorial [1] specifically targets beginners and walks through Docker Compose configuration step by step.


Pros and cons

Pros

  • More features out of the box than NPM. OAuth2, forward-auth, geo-blocking, TCP/UDP stream proxy, built-in uptime monitor with history, Web-SSH terminal — these are separate tools or manual Nginx config exercises on NPM [1][README].
  • Single binary, low resource footprint. Written in Go, minimal dependencies, runs cleanly on a Raspberry Pi or a $5 VPS [1][README].
  • WebSocket proxy is automatic. No configuration required — it just works for services that need WebSocket [README]. This is a meaningful practical advantage over proxies that require per-host WebSocket flags.
  • ACME with multiple CAs. Supports ZeroSSL, custom ACME providers, and DNS challenge — not just Let’s Encrypt [1][README]. Relevant for operators with rate-limit concerns or internal CA requirements.
  • GUI-first, no config files. Changes apply live without restarting the proxy service [1][website]. Meaningfully reduces the operational friction compared to Caddy or Traefik.
  • Cross-platform binaries. Linux (amd64, arm64, armv6/7, RISC-V), Windows, Docker — covers the full homelab hardware spread including older Pis [README][website].
  • Plugin system. Community-contributed extensions exist, including OAuth2 and reCAPTCHA support [README].

Cons

  • AGPL-3.0 license, not MIT. The copyleft terms matter if you distribute software that incorporates Zoraxy. For pure homelab use this is irrelevant, but it’s a real differentiator from Caddy (Apache 2.0) or Traefik’s open-source core (MIT) [README].
  • Single-admin standalone mode. No built-in multi-user RBAC for teams. If multiple people need to manage the proxy with separate accounts and permissions, you’re engineering around this rather than with it [README].
  • Smaller community than NPM or Traefik. 5,050 GitHub stars versus NPM’s ~24,000. Fewer StackOverflow answers, fewer pre-written community guides, less “I’ve definitely seen this error before” coverage online [merged profile][1].
  • Plugin ecosystem is early-stage. The plugin system exists and has some community contributions, but it’s not a mature marketplace. Power users who rely on specific middleware behaviors will find the ecosystem thinner than Traefik [README][website].
  • No managed cloud option. Self-hosting is the only path. If your home internet goes down or your VPS loses power, your reverse proxy is down. No fallback. For critical services, this matters [2].
  • The “homelab toolbox” framing is accurate but limiting. The built-in IP scanner, port scanner, Wake-on-LAN, and mDNS scanner are useful extras but also signal the product scope: this is personal infrastructure software, not a production-grade ingress for a business serving real customers.

Who should use this / who shouldn’t

Use Zoraxy if:

  • You’re running NPM and hitting its ceiling: no SSO, no OAuth2, no historical uptime data, no geo-blocking.
  • You want a GUI-managed reverse proxy that’s significantly more capable than NPM without crossing into Traefik’s YAML-and-labels complexity.
  • You’re on a Raspberry Pi, old NAS, or a $6 VPS and want a lightweight, single-binary solution.
  • You want WebSocket proxying to just work without setting flags per-host.
  • DNS challenge and multi-CA ACME support matter for your certificate setup.
  • Personal homelab or small team where single-admin mode is fine.

Skip it (use Nginx Proxy Manager instead) if:

  • You’re an absolute beginner and want the path of least resistance. NPM has more tutorials, more StackOverflow coverage, and a slightly more familiar UI for its target audience [1][5].
  • You need multi-user management with roles and permissions.

Skip it (use Traefik instead) if:

  • You’re running Docker Compose or Kubernetes at any scale and want config-as-code with labels.
  • You need a mature middleware ecosystem and enterprise support options.
  • Dynamic service discovery matters more than a management UI.

Skip it (use Caddy instead) if:

  • You’re comfortable editing a simple config file and want the most minimal, highest-quality automatic HTTPS story with an Apache 2.0 license [4].

Skip it (avoid self-hosting a reverse proxy entirely) if:

  • Your home internet connection is unreliable or has carrier-grade NAT — a self-hosted reverse proxy on a home connection adds fragility to anything externally accessible [2].

Alternatives worth considering

  • Nginx Proxy Manager — the incumbent. Simpler for beginners, massive community, fewer features. No OAuth2, no SSO, no uptime history [1][5].
  • Traefik — config-as-code, Docker-label-driven, Kubernetes-native, mature middleware ecosystem. Steeper learning curve, no GUI [5].
  • Caddy — minimal, excellent automatic HTTPS, Apache 2.0 license. No UI, config-file driven [4][5].
  • Pangolin — newer entrant mentioned in the same homelab context as Zoraxy [1]. Less community coverage.
  • Envoy Proxy — built for microservices and service mesh. Overkill for homelab, but powerful for engineering teams [5].
  • Authelia / Authentik — not reverse proxies themselves, but forward-auth providers that Zoraxy integrates with for SSO. Often paired with NPM or Traefik as a separate layer; Zoraxy’s built-in OAuth2 support can replace or complement these [README].

For a homelab owner choosing their first or second reverse proxy, the realistic shortlist is Zoraxy vs NPM. NPM if you want maximum simplicity and community coverage. Zoraxy if you want SSO, forward-auth, geo-blocking, and uptime monitoring without setting up a second tool.


Bottom line

Zoraxy is what Nginx Proxy Manager would be if the authors decided features mattered as much as beginner-friendliness. The Go binary is genuinely lightweight, the WebSocket and ACME story is clean, and having OAuth2, forward-auth, geo-blocking, TCP/UDP stream proxying, and a Web-SSH terminal in one GUI-managed tool removes four to six separate pieces from the average homelab stack. The trade-offs are real: AGPL-3.0 limits commercial embedding, the community is smaller than NPM or Traefik, and single-admin mode is a ceiling for multi-user setups. But for the target audience — a homelab operator who has outgrown NPM and doesn’t want to learn Traefik’s config model — Zoraxy is a well-executed, honest tool that covers almost everything you’d need in one binary.



Sources

  1. Brandon Lee, Virtualization Howto, “Why Zoraxy Might Be the Best Reverse Proxy for Home Labs” (December 25, 2025). https://www.virtualizationhowto.com/2025/12/why-zoraxy-might-be-the-best-reverse-proxy-for-home-labs/
  2. Brandon Lee, Virtualization Howto, “Things I Stopped Self-Hosting (And Why Cloud or Managed Won)” (December 26, 2025). https://www.virtualizationhowto.com/2025/12/things-i-stopped-self-hosting-and-why-cloud-or-managed-won/
  4. GIGAZINE, “A Go web server ‘Caddy’ that can easily acquire an SSL certificate” (May 10, 2020). Mentions a Zoraxy review in related posts. https://gigazine.net/gsc_news/en/20200510-caddy
  5. Joe Rice-Jones, XDA Developers, “9 reverse proxies you should check out for your home network” (January 14, 2025). https://www.xda-developers.com/reverse-proxies-you-should-check-out-for-your-home-network/

Primary sources:
