| title | Features |
|---|---|
| description | Discover what makes Charon the easiest way to manage your reverse proxy. Explore automatic HTTPS, Docker integration, enterprise security, and more. |
Charon makes managing your web applications simple. No command lines, no config files—just a clean interface that lets you focus on what matters: running your apps.
Say goodbye to editing configuration files and memorizing commands. Charon gives you a beautiful web interface where you simply type your domain name, select your backend service, and click save. If you can browse the web, you can manage a reverse proxy.
Whether you're setting up your first website or managing dozens of services, everything happens through intuitive forms and buttons. No terminal required.
Every website deserves the green padlock. Charon automatically obtains free SSL certificates from Let's Encrypt or ZeroSSL, installs them, and renews them before they expire—all without you lifting a finger.
Your visitors get secure connections, search engines reward you with better rankings, and you never have to think about certificate management again.
Need to secure *.example.com with a single certificate? Charon now supports DNS challenge authentication, letting you obtain wildcard certificates that cover all your subdomains at once.
Supported Providers:
- Cloudflare, AWS Route53, DigitalOcean, Google Cloud DNS
- Namecheap, GoDaddy, Hetzner, OVH, Linode
- And 10+ more DNS providers
Your credentials are stored securely with encryption and automatic key rotation. A plugin architecture means new providers can be added easily.
Enterprise-grade protection that "just works." Cerberus bundles multiple security layers into one easy-to-manage system.
Control your security modules with a single click. The Security Dashboard provides instant toggles for each security layer:
- ACL Toggle — Enable/disable Access Control Lists without editing config files
- WAF Toggle — Turn the Web Application Firewall on/off in real-time
- Rate Limiting Toggle — Activate or deactivate request rate limits instantly
Key Features:
- Instant Updates — Changes take effect immediately with automatic Caddy config reload
- Persistent State — Toggle settings persist across page reloads and container restarts
- Optimistic UI — Toggle changes reflect instantly with automatic rollback on failure
- Performance Optimized — 60-second cache layer minimizes database queries in middleware
Protect your applications using behavior-based threat detection powered by a global community of security data. Bad actors get blocked automatically before they can cause harm.
See your security posture at a glance. The CrowdSec Dashboard shows attack trends, active bans, top offenders, and scenario breakdowns—all from within Charon's Security section.
Highlights:
- Summary Cards — Total bans, active bans, unique IPs, and top scenario at a glance
- Interactive Charts — Ban timeline, top attacking IPs, and attack type breakdown
- Alerts Feed — Live view of CrowdSec alerts with pagination
- Time Range Selector — Filter data by 1 hour, 6 hours, 24 hours, 7 days, or 30 days
- Export — Download decisions as CSV or JSON for external analysis
No SSH required. No CLI commands. Just open the Dashboard tab and see what's happening.
Define exactly who can access what. Block specific countries, allow only certain IP ranges, or require authentication for sensitive applications. Fine-grained rules give you complete control.
Stop common attacks like SQL injection, cross-site scripting (XSS), and path traversal before they reach your applications. Powered by Coraza, the WAF protects your apps from the OWASP Top 10 vulnerabilities.
Prevent abuse by limiting how many requests a user or IP address can make. Stop brute-force attacks, API abuse, and resource exhaustion with simple, configurable limits.
Automated static analysis that detects GORM security issues and common mistakes before they reach production. The scanner identifies ID leak vulnerabilities, exposed secrets, and enforces GORM best practices.
Key Features:
- 6 Detection Patterns — ID leaks, exposed secrets, DTO embedding issues, and more
- 3 Operating Modes — Report, check, and enforce modes for different workflows
- Fast Performance — Scans entire codebase in 2.1 seconds
- Zero False Positives — Smart GORM model detection prevents incorrect warnings
- Lefthook Integration — Catches issues before they're committed
- VS Code Task — Run security scans from the Command Palette
Detects:
- Numeric ID exposure in JSON (
json:"id"onuint/intfields) - Exposed API keys, tokens, and passwords
- Response DTOs that inherit model ID fields
- Missing primary key tags and foreign key indexes
Usage:
# Run via VS Code: Command Palette → "Lint: GORM Security Scan"
# Or via lefthook:
lefthook run pre-commitTime is valuable. Charon's development workflows are tuned for efficiency, ensuring that security verifications only run when valid artifacts exist.
- Smart Triggers — Supply chain checks wait for successful builds
- Zero Redundancy — Eliminates wasted runs on push/PR events
- Stable Feedback — Reduces false negatives for contributors
Modern browsers expect specific security headers to protect your users. Charon automatically adds industry-standard headers including:
- Content-Security-Policy (CSP) — Prevents code injection attacks
- Strict-Transport-Security (HSTS) — Enforces HTTPS connections
- X-Frame-Options — Stops clickjacking attacks
- X-Content-Type-Options — Prevents MIME-type sniffing
One toggle gives your application the same security posture as major websites.
Your backend applications need to know the real client IP address, not Charon's. Standard headers like X-Real-IP, X-Forwarded-For, and X-Forwarded-Proto are added automatically, ensuring accurate logging and proper HTTPS enforcement.
Already running apps in Docker? Charon automatically finds your containers and offers one-click proxy setup. No manual configuration, no port hunting—just select a container and go.
Supports both local Docker installations and remote Docker servers, perfect for managing multiple machines from a single dashboard.
Your HomeLab is behind a firewall? Orthrus is a small agent you install on any remote machine. It dials outward to Charon over a secure connection — no open inbound ports required. Once connected, Charon can discover and proxy Docker containers on that machine just like local ones.
Connect remote servers that sit behind firewalls or NAT routers—no open inbound ports required. Choose how each remote server reaches Charon from three simple connection modes, all managed from the Remote Servers page.
Connection Modes:
- Direct — Type in a hostname or IP address manually
- Agent — Pick an Orthrus agent; Charon figures out the address automatically based on the agent's network assignment
- Provider — Pick a VPN/tunnel network and a specific device on it directly, without needing an agent
Provider Management:
Each tunnel provider (Tailscale, Cloudflare, NetBird, ZeroTier) shows its configured tunnels directly on the provider card. Click the settings icon next to any tunnel to edit it without leaving the page.
Orthrus Agent + Provider Assignment:
Each Orthrus agent can be assigned a provider tunnel and a specific device (or public hostname for Cloudflare). Once assigned, Charon remembers the address—so when you add a Remote Server using that agent, the connection details fill in automatically.
A step-by-step install wizard walks you through deploying the Orthrus agent (Docker Compose, systemd, Kubernetes, or standalone binary). Each remote server shows a live status badge so you can see connection health at a glance.
Migrating from another Caddy setup? Import your existing Caddyfile configurations with one click. Your existing work transfers seamlessly—no need to start from scratch.
Migrating from Nginx Proxy Manager? Import your proxy host configurations directly from NPM export files. Charon parses your domains, upstream servers, SSL settings, and access lists, giving you a preview before committing.
Import configurations from generic JSON exports or Charon backup files. Supports both Charon's native export format and Nginx Proxy Manager format with automatic detection. Perfect for restoring backups or migrating between Charon instances.
Real-time applications like chat servers, live dashboards, and collaborative tools work out of the box. Charon handles WebSocket connections automatically with no special configuration needed.
Know immediately when something goes wrong. Charon continuously monitors your applications and alerts you when a service becomes unavailable. View uptime history, response times, and availability statistics at a glance.
Watch requests flow through your proxy in real-time. Filter by domain, status code, or time range to troubleshoot issues quickly. All the visibility you need without diving into container logs.
Get alerted when it matters. Charon sends notifications through Discord, Gotify, Ntfy, Pushover, Slack, Email, and Custom Webhook providers. Choose a built-in JSON template or write your own to control exactly what your alerts look like.
Your configuration is valuable. Charon makes it easy to backup your entire setup and restore it when needed—whether you're migrating to new hardware or recovering from a problem.
Make changes without interrupting your users. Update domains, modify security rules, or add new services instantly. Your sites stay up while you work—no container restarts needed.*
*Initial CrowdSec security engine setup requires a one-time restart.
Charon speaks your language. The interface is available in English, Spanish, French, German, and Chinese. Switch languages instantly in settings—no reload required.
Easy on the eyes, day or night. Toggle between light and dark themes to match your preference. The clean, modern interface makes managing complex setups feel simple.
Found a bug or have an idea? The feedback button sits in the corner of every page—click it to report a bug or request a feature on GitHub without leaving Charon. No copy-pasting URLs, no digging through bookmarks—just click and go.
Automate everything. Charon's comprehensive REST API lets you manage hosts, certificates, security rules, and settings programmatically. Perfect for CI/CD pipelines, Infrastructure as Code, or custom integrations.
Know exactly what you're running. Every Charon release includes:
- Cryptographic signatures — Verify the image hasn't been tampered with
- SLSA provenance attestation — Transparent build process documentation
- Software Bill of Materials (SBOM) — Complete list of included components
Enterprise-grade supply chain security for everyone.
One container. No external databases. No extra services. Just pull the image and run. Charon includes everything it needs, making deployment as simple as it gets.
No premium tiers. No feature paywalls. No usage limits. Everything you see here is yours to use forever, backed by the MIT license.
Ready to get started? Check out our Quick Start Guide to have Charon running in minutes.
Have questions? Visit our Documentation or open an issue on GitHub.