> You only access Dokploy through https, removing a whole class of attacks
Words such as the above on the blog post send shivers through my spine each time I read them.
They are, for example, a common sight on websites description of their security. "we use https so everything is ok" says the fluffy website description, carefully omitting to mention any of the stuff that really matters. Instead they just stop abruptly at the mention of the magical https. Shrug.
Or another classic example is all those people who think a dumb pass-through nginx/caddy https proxy infront of their backend suddenly makes the backend secure !
Coming back to this specific wording, I'm not sure what "whole class of attacks" they are expecting to suddenly thwart just because they are running over https ? I would suggest its a bit of a bold statement, to put it kindly.
I assume they are referring to the low-hanging-fruit like MITM etc, but as everyone knows that's not really where the real security concerns are in 2025 ...
Not to mention situations where I specifically don't want security. Like:
> your password must be at least 20 characters long, contain mixed-case letters, digits, five kanji, and at least one byte that isn't a valid UTF-8 codepoint
> but I'm setting up a small VM on my private PC to run a script that scrapes porn
Just in the last year I've had several conversations with several developers that assumed that their web app was secure because it was deployed behind a WAF.
"The WAF is configured in audit-only mode. It's stopping precisely nothing."
"What!? Why isn't it enabled?"
"Because your code uses raw SQL in query strings... and form fields... and cookies. On purpose. As a feature. If we turned the WAF on, it would break every part of your app."
It's one of those calls you want to do with cameras on, so you can see their reaction.
I've been using Dokploy and it is lovely. Solid and stable for the last 12 months running production apps. First time in ages I got the Heroku vibe again.
Exactly, I do not have any other experience but with Heroku but I was taken aback how easy was to setup and since then just deploy and almost everything work as expected.
I also love their template gallery of pre-existing projects, managed to setup auxiliary stuff like Plausible and Ghost which I wouldn't have done if it wasn't for the one-click install.
Breaks when you use anything but bash as root user shell. Breaks if you have images in private registries with swarm. Breaks if you wanna restrict the API key access to just one project (the key can access all projects lol).
It's a great piece of software, I use it myself. But calling it polished in any way is a bit of a stretch.
Another very similar one is https://dokku.com, have been using it for years and I like that it's a very thin layer on top of Docker. So even if you uninstall it everything keeps running and you can just manage it manually.
Just as a warning the licensing of Dokploy is a little complex/questionable, which I've documented here [1] and queried with the project here [2].
[1] https://isitreallyfoss.com/projects/dokploy/
[2] https://github.com/Dokploy/dokploy/discussions/3
> You only access Dokploy through https, removing a whole class of attacks
Words such as the above on the blog post send shivers through my spine each time I read them.
They are, for example, a common sight on websites description of their security. "we use https so everything is ok" says the fluffy website description, carefully omitting to mention any of the stuff that really matters. Instead they just stop abruptly at the mention of the magical https. Shrug.
Or another classic example is all those people who think a dumb pass-through nginx/caddy https proxy infront of their backend suddenly makes the backend secure !
Coming back to this specific wording, I'm not sure what "whole class of attacks" they are expecting to suddenly thwart just because they are running over https ? I would suggest its a bit of a bold statement, to put it kindly.
I assume they are referring to the low-hanging-fruit like MITM etc, but as everyone knows that's not really where the real security concerns are in 2025 ...
Not to mention situations where I specifically don't want security. Like:
> your password must be at least 20 characters long, contain mixed-case letters, digits, five kanji, and at least one byte that isn't a valid UTF-8 codepoint
> but I'm setting up a small VM on my private PC to run a script that scrapes porn
> DID I FUCKING STUTTER
> ok ok I'm sorry calm down
Just in the last year I've had several conversations with several developers that assumed that their web app was secure because it was deployed behind a WAF.
"The WAF is configured in audit-only mode. It's stopping precisely nothing."
"What!? Why isn't it enabled?"
"Because your code uses raw SQL in query strings... and form fields... and cookies. On purpose. As a feature. If we turned the WAF on, it would break every part of your app."
It's one of those calls you want to do with cameras on, so you can see their reaction.
The Web services of https://cartes.app run on Dokploy.
Nextjs website deployed here to avoid crazy Vercel and netlify pricing. Uptime kuma and Umami deployed in 2 minutes.
Be sure to check disk space. Activate the Docker auto-clean option.
https://docs.dokploy.com/docs/core/comparison
Dokploy vs. CapRover, Dokku, Coolify
Interesting. It looks very similar to Coolify (https://coolify.io/)
I've been using Dokploy and it is lovely. Solid and stable for the last 12 months running production apps. First time in ages I got the Heroku vibe again.
This is exactly how I felt too. I was using portainer before, but the polish on Dokploy is insane.
Exactly, I do not have any other experience but with Heroku but I was taken aback how easy was to setup and since then just deploy and almost everything work as expected.
I also love their template gallery of pre-existing projects, managed to setup auxiliary stuff like Plausible and Ghost which I wouldn't have done if it wasn't for the one-click install.
On the contrary, to me it seemed bare-bones.
Breaks when you use anything but bash as root user shell. Breaks if you have images in private registries with swarm. Breaks if you wanna restrict the API key access to just one project (the key can access all projects lol).
It's a great piece of software, I use it myself. But calling it polished in any way is a bit of a stretch.
Does it support wildcard domains for the running apps? I couldn't find it clearly stated in the docs
It has good flexibility. If it won't support them through UI, you can manually define labels for Traefik to pick up in the app config.
Another very similar one is https://dokku.com, have been using it for years and I like that it's a very thin layer on top of Docker. So even if you uninstall it everything keeps running and you can just manage it manually.