be60f6ccbc
Two-container deploy: Caddy terminates TLS (auto-provisions Let's Encrypt via ACME) and reverse-proxies to a Numa relay on an internal Docker network. The relay never reads sealed payloads; Caddy's access log is discarded so per-request observability doesn't defeat the oblivious property. Validated against Hetzner CX22 + DNS at odoh-relay.numa.rs: - TLS-ALPN-01 challenge succeeded on first attempt - /health returned the relay's counter block - End-to-end ODoH client → relay → Cloudflare works Operators only need to: set a DNS A record, edit Caddyfile's hostname, docker compose up -d. README walks through the steps and the DNSCrypt v3/odoh-relays.md submission to claim a public listing.
16 lines
351 B
Caddyfile
16 lines
351 B
Caddyfile
odoh-relay.example.com {
|
|
handle /relay {
|
|
reverse_proxy numa-relay:8443
|
|
}
|
|
handle /health {
|
|
reverse_proxy numa-relay:8443
|
|
}
|
|
respond 404
|
|
|
|
# Per-request access logs defeat the point of an oblivious relay.
|
|
# Aggregate counters are exposed at /health on the relay itself.
|
|
log {
|
|
output discard
|
|
}
|
|
}
|