be60f6ccbc
Two-container deploy: Caddy terminates TLS (auto-provisions Let's Encrypt via ACME) and reverse-proxies to a Numa relay on an internal Docker network. The relay never reads sealed payloads; Caddy's access log is discarded so per-request observability doesn't defeat the oblivious property. Validated against Hetzner CX22 + DNS at odoh-relay.numa.rs: - TLS-ALPN-01 challenge succeeded on first attempt - /health returned the relay's counter block - End-to-end ODoH client → relay → Cloudflare works Operators only need to: set a DNS A record, edit Caddyfile's hostname, docker compose up -d. README walks through the steps and the DNSCrypt v3/odoh-relays.md submission to claim a public listing.
1.4 KiB
Numa ODoH Relay — Docker deploy
Two-container deploy: Caddy terminates TLS (auto-provisioning a Let's Encrypt cert via ACME) and reverse-proxies to a Numa relay running on an internal Docker network. The relay never reads sealed payloads; Caddy never logs them.
Prerequisites
- A host with public 80/443 reachable from the internet.
- A DNS record (
AorAAAA) pointing your chosen hostname at the host. - Docker + Docker Compose v2.
Configure
Edit Caddyfile and replace odoh-relay.example.com with your hostname.
That hostname is what ACME validates against and what ODoH clients will
configure as their relay URL: https://<hostname>/relay.
Deploy
docker compose up -d
docker compose logs -f caddy # watch ACME provisioning
First boot takes a few seconds while Caddy obtains the cert. Subsequent
restarts reuse the cached cert from the caddy_data volume.
Verify
curl https://<hostname>/health
# ok
# total 0
# forwarded_ok 0
# forwarded_err 0
# rejected_bad_request 0
Then point any ODoH client at https://<hostname>/relay and watch the
counters tick.
Listing on the public ecosystem
DNSCrypt's v3/odoh-relays.md is the canonical list. The pruned 2025-09-16 commit shows one public ODoH relay survived the cull — running this compose file doubles global supply. Open a PR there once your relay has been up for ~24 hours.