> You only access Dokploy through https, removing a whole class of attacks
Words such as the above on the blog post send shivers through my spine each time I read them.
They are, for example, a common sight in websites' descriptions of their security. "We use https so everything is ok," says the fluffy website description, carefully omitting to mention any of the stuff that really matters. Instead they just stop abruptly at the mention of the magical https. Shrug.
Or another classic example is all those people who think a dumb pass-through nginx/caddy https proxy in front of their backend suddenly makes the backend secure!
Coming back to this specific wording, I'm not sure what "whole class of attacks" they are expecting to suddenly thwart just because they are running over https? I would suggest it's a bit of a bold statement, to put it kindly.
I assume they are referring to the low-hanging fruit like MITM etc., but as everyone knows that's not really where the real security concerns are in 2025 ...
Not to mention situations where I specifically don't want security. Like:
> your password must be at least 20 characters long, contain mixed-case letters, digits, five kanji, and at least one byte that isn't a valid UTF-8 codepoint
> but I'm setting up a small VM on my private PC to run a script that scrapes porn
Weird though that their installation page says to navigate to http://IP:3000 (specifically noting http and not https). Perhaps part of the setup will create a cert for your chosen domain and then from then on have you use https://domain:3000 ?
Actually you have to manually remove port 3000 from container forwarding (which will also override whatever firewall you have).
If you don't, it's going to be accessible via :3000 AND whatever domain you choose over https:// (provided it can use a Let's Encrypt cert). So it's a bit of a gotcha.
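The gotcha above (a published container port that stays reachable from outside regardless of the host firewall, because Docker inserts its own iptables rules ahead of it) can be checked for from the host. The script below is an added example, not code from the thread or from Dokploy: it parses the Ports column of `docker ps --format '{{.Names}}\t{{.Ports}}'`, flags publications bound to a wildcard address, and shows the loopback-only binding you would put in a compose file instead; the container names and ports in the sample are constructed.

```shell
#!/bin/sh
# Added example: detect Docker port publications on 0.0.0.0 / [::].
# Such publications bypass ufw/firewalld-style host rules, so the
# Dokploy UI on :3000 stays exposed even if the firewall "blocks" it.

# True (exit 0) when a docker "Ports" column string contains a
# publication on a wildcard address; false (exit 1) otherwise.
is_wildcard_publish() {
  printf '%s\n' "$1" | grep -Eq '(^|[ ,])(0\.0\.0\.0|\[::\]):[0-9]+->'
}

# Rewrite a single "0.0.0.0:3000->3000/tcp" entry to the loopback form
# for compose ("127.0.0.1:3000:3000"), so only an SSH tunnel or a reverse
# proxy running on the host can reach the port.
loopback_binding() {
  printf '%s\n' "$1" |
    sed -E 's#^(0\.0\.0\.0|\[::\]):([0-9]+)->([0-9]+)/(tcp|udp)$#127.0.0.1:\2:\3#'
}

# Print "NAME<TAB>PORTS" for every container with a wildcard publication.
# Input lines are "NAME<TAB>PORTS", i.e. the output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
report_wildcard() {
  while IFS="$(printf '\t')" read -r name ports; do
    if is_wildcard_publish "$ports"; then
      printf '%s\t%s\n' "$name" "$ports"
    fi
  done
}

# Constructed sample of what docker ps might print on a Dokploy host
# (names and ports are illustrative, not taken from a real system).
SAMPLE='dokploy	0.0.0.0:3000->3000/tcp, [::]:3000->3000/tcp
dokploy-proxy	0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp
dokploy-postgres	5432/tcp
myapp	127.0.0.1:8080->8080/tcp'

# On a live host replace the sample with: docker ps --format '{{.Names}}\t{{.Ports}}'
printf '%s\n' "$SAMPLE" | report_wildcard
```

Only the first two sample containers are reported; the database with no publication and the app bound to 127.0.0.1 are not. For the Dokploy line, `loopback_binding '0.0.0.0:3000->3000/tcp'` prints the compose binding to use instead.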
Dokploy ergonomics I found just a bit lacking, and switched to Coolify instead. I daresay the feature that swayed me was force “pull latest images” button on coolify (convenient way to update any app), that was weirdly not available on Dokploy.
What’s missing in both, and I would like to hear from HN about this, is docker-native backup solutions for backing up select docker volumes. Currently I’m using some tricks with duplicati, but I wonder if there’s anything better.
Also this is the first I’ve heard of CoreOS; the author says nothing about it, though it’s in the title. I wonder why someone would choose it over Debian.
I actually use Dokploy in production, you have to literally press just one button to redeploy using the latest version of your app, straight from the repo.
I really love a workflow where the host OS is as stock as possible (I just run Debian) and everything else runs in Docker.
A while ago I created Harbormaster[1], a very simple and opinionated single-host container orchestrator, and run everything on there. It just needs a Compose file, and that's it. Harbormaster takes care of pulling from git repos/updating, restarting containers, etc., as well as providing a centralised config file for what's running on a machine. It's ideal for me.
I tried it a few months ago. It had some rough edges that made me move away (to Debian and then most recently NixOS), but I might swing back the way of Bluefin at some point.
I was running k3s locally for all home infra stuff because I too enjoy containers (and some of the things that Kubernetes provides.) Recently I found NixOS and am greatly enjoying that. The container dance gets tiring after a while and having a declarative system is extremely powerful.
Yes, I run Caddy in a container with host networking, just like any other app. Harbormaster won't do anything magical with it, but that's a plus for me (much simpler to understand).
I'm glad there are options, but once I got one working I feel like I'd be stuck, so feedback beforehand from those who've tried multiple is especially valuable, especially the monetization aspect for sustainability.
This seems like an unfair comparison for Dokku. I haven’t used the rest, but I have used Dokploy and Dokku. Dokku has had every single feature I could want or need, even accounting for weird edge cases. It just doesn’t have a UI.
With Dokploy, on the other hand, I found the UI difficult to navigate, which would be fine if the documentation was good but it was lacking.
But for many of the features their comparison claims Dokku doesn’t have, it actually does: database support, scheduled jobs, docker compose support. It has some form of monitoring. Overall Dokku has been a pretty robust solution for me and anything it might be missing, like in monitoring for instance, I can just add at the system level.
To be clear, I’m not anti-Dokploy and I think the more these tools improve the better. Just wanted to share my experience in defense of Dokku. Being able to spin up your apps on a cheap VPS is incredibly empowering over having to pay 10x more for managed services like Heroku or Render.
I've been using Dokploy and it is lovely. Solid and stable for the last 12 months running production apps. First time in ages I got the Heroku vibe again.
Breaks when you use anything but bash as root user shell. Breaks if you have images in private registries with swarm. Breaks if you wanna restrict the API key access to just one project (the key can access all projects lol).
It's a great piece of software, I use it myself. But calling it polished in any way is a bit of a stretch.
Exactly, I do not have any other experience but with Heroku, but I was taken aback by how easy it was to set up, and since then I just deploy and almost everything works as expected.
I also love their template gallery of pre-existing projects; I managed to set up auxiliary stuff like Plausible and Ghost which I wouldn't have done if it wasn't for the one-click install.
[1] https://isitreallyfoss.com/projects/dokploy/
[2] https://github.com/Dokploy/dokploy/discussions/3
Intellectual Property law is a real thing. Writing code doesn't make you an expert at writing license agreements.
> DID I FUCKING STUTTER
> ok ok I'm sorry calm down
Only once in a while I get a weird gateway timeout error on some services since my server is behind a vpn and firewall.
But other than that it's a great setup.
[1] https://harbormaster.readthedocs.io/en/latest/
I feel like you should love something like https://projectbluefin.io/ then?
coolify, dokku, dockploy, swiftwave; and K8s-based: cozystack, kubero, plural
related: https://news.ycombinator.com/item?id=41358020 (+271 comments; 2024) Dokku: My favorite personal serverless platform
Dokploy vs. CapRover, Dokku, Coolify