# Siphon Server Docker Compose Example
#
# Usage:
# 1. Copy this file and customize environment variables
# 2. Mount your certificates or set them via environment
# 3. Run: docker-compose up -d
#
# For production, use secrets management (Docker Swarm secrets, Kubernetes secrets, etc.)
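version: '3.8'

services:
  siphon-server:
    build: .
    # Or use pre-built image:
    # image: ghcr.io/your-org/siphon-server:latest
    # NOTE(review): when switching to a pre-built image, pin a version tag or
    # an image digest instead of `latest` so deployments are reproducible.
    container_name: siphon-server
    restart: unless-stopped

    # Every mapping below is published on all host interfaces. Limit exposure
    # with a host firewall or by prefixing a bind address to the mapping.
    ports:
      # Control plane - mTLS connections from tunnel clients
      - "4443:4443"
      # HTTP plane - receives traffic from Cloudflare
      # NOTE(review): if only Cloudflare should reach this port, restrict the
      # allowed source addresses at the firewall; presumably plain HTTP unless
      # SIPHON_HTTP_CERT / SIPHON_HTTP_KEY below are set - confirm.
      - "8080:8080"
      # TCP tunnel port range (adjust as needed)
      # Keep this range in sync with SIPHON_TCP_PORT_START / SIPHON_TCP_PORT_END;
      # ports the server allocates outside the published range are not
      # reachable from outside the host.
      - "30000-30100:30000-30100"

    environment:
      # Required configuration
      SIPHON_BASE_DOMAIN: "tunnel.example.com"
      SIPHON_CLOUDFLARE_ZONE_ID: "your-zone-id"

      # DNS target (optional - auto-detects IP if neither is set)
      # For VPS with static IP (creates A records):
      # SIPHON_SERVER_IP: "1.2.3.4"
      # For platforms like Railway/Render/Fly.io (creates CNAME records):
      # SIPHON_SERVER_CNAME: "myapp.up.railway.app"

      # Secrets - use Docker secrets or mount files in production
      # Option 1: File paths (mount certificates as volumes)
      SIPHON_CERT: "file:///app/certs/server.crt"
      SIPHON_KEY: "file:///app/certs/server.key"
      SIPHON_CA_CERT: "file:///app/certs/ca.crt"
      # Option 2: Base64-encoded (use with K8s secrets or CI/CD)
      # Values passed through the environment are visible in
      # `docker inspect` output; prefer Option 1 or Swarm secrets for the key.
      # SIPHON_CERT: "base64://${SERVER_CERT_B64}"
      # SIPHON_KEY: "base64://${SERVER_KEY_B64}"
      # SIPHON_CA_CERT: "base64://${CA_CERT_B64}"

      # Cloudflare API token (required)
      # `:?` makes Compose abort with this message when the variable is unset
      # or empty, instead of starting the server with an empty token.
      # Supply it from the shell or an untracked .env file; never commit it.
      SIPHON_CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN:?CLOUDFLARE_API_TOKEN must be set}"

      # Optional: Override default ports
      # SIPHON_CONTROL_PORT: 4443
      # SIPHON_HTTP_PORT: 8080
      # SIPHON_TCP_PORT_START: 30000
      # SIPHON_TCP_PORT_END: 40000

      # Optional: HTTP plane TLS for Cloudflare Full (Strict) mode
      # SIPHON_HTTP_CERT: "file:///app/certs/origin.crt"
      # SIPHON_HTTP_KEY: "file:///app/certs/origin.key"

      # Logging
      RUST_LOG: "siphon_server=info,siphon_common=info"

    volumes:
      # Mount certificates directory (read-only inside the container)
      # The directory holds the server private key: keep it out of version
      # control and restrict its permissions on the host.
      - ./certs:/app/certs:ro

    # Health check
    # Only confirms that something accepts TCP connections on the control
    # port; it does not validate the mTLS handshake. Requires `nc` in the image.
    healthcheck:
      test: ["CMD", "nc", "-z", "localhost", "4443"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

    # Resource limits (adjust based on expected load)
    # NOTE(review): older docker-compose v1 releases may ignore `deploy` for
    # version 3 files unless run with --compatibility; confirm the limits are
    # active with `docker stats` after starting the container.
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 512M
        reservations:
          cpus: '0.5'
          memory: 128M

# For Docker Swarm with secrets:
# secrets:
#   server_cert:
#     external: true
#   server_key:
#     external: true
#   ca_cert:
#     external: true
#   cloudflare_token:
#     external: true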