23 Repos
Systems that handle the lifecycle of TLS certificates, including issuance, renewal, and installation without manual intervention.
Explore 23 awesome GitHub repositories matching security & cryptography · Automated Certificate Management. Refine with filters or upvote what's useful.
Caddy is an extensible, modular web server platform designed for high-performance traffic management and automated security. At its core, it functions as a dynamic HTTP gateway that handles request routing, static asset delivery, and reverse proxying through a chain of configurable handler modules. The system is built on a modular architecture that allows developers to extend server functionality by registering custom components, all managed through a unified lifecycle and provisioning framework. What distinguishes Caddy is its focus on automated infrastructure and zero-downtime operations. I
Handles the full lifecycle of certificates, including automated issuance, renewal, and HTTP-to-HTTPS redirection.
Traefik is a cloud-native load balancer and dynamic reverse proxy designed for microservices traffic routing. It automatically discovers services and generates network routes by listening to infrastructure changes in orchestrators and service registries. The project distinguishes itself through auto-configuring service routing, which eliminates manual configuration by updating routing rules in real time as infrastructure scales. It also provides automated SSL certificate management, utilizing ACME-based automation to request and renew certificates from remote authorities. Additional capabili
Automates the complete lifecycle of TLS certificates, including issuance and renewal, via the ACME protocol.
V2Ray-agent is a shell-based orchestration tool designed to automate the deployment, configuration, and lifecycle management of network proxy services. It provides a structured framework for setting up encrypted tunnels and managing proxy processes as persistent background services through system initialization managers. The project distinguishes itself through a modular architecture that integrates automated security certificate management and multi-user access control into the deployment workflow. By utilizing template-driven configuration generation and reverse proxy traffic multiplexing,
Automates the lifecycle of TLS certificates for network proxies without manual intervention.
VictoriaMetrics is a high-performance, scalable time series database and observability platform designed for long-term storage and analysis of metric, log, and trace data. It functions as a unified backend for monitoring ecosystems, offering full compatibility with industry-standard protocols and query languages. The system is built to handle massive data volumes through a distributed architecture that supports horizontal scaling and efficient data lifecycle management. The platform distinguishes itself through a storage engine that utilizes consistent hashing for data sharding and log-struct
Automates the lifecycle of TLS certificates to maintain secure encrypted connections without manual intervention.
CapRover is a self-hosted platform-as-a-service that provides a centralized dashboard for managing containerized applications and databases. It functions as a container orchestration platform, simplifying the deployment, scaling, and networking of services across server environments. By leveraging a reverse-proxy-based architecture, the platform handles domain mapping, traffic routing, and automated SSL certificate lifecycle management to ensure secure, encrypted access for hosted web services. The platform distinguishes itself through its integrated automation capabilities, which include aut
Automates the issuance, renewal, and installation of TLS certificates for hosted web applications.
Evilginx2 is a man-in-the-middle phishing framework designed to proxy authentication traffic between a user and a target web service. By acting as a reverse proxy, the tool intercepts and relays web requests to capture credentials and session tokens in real time, enabling the bypass of multi-factor authentication mechanisms through session cookie hijacking. The platform distinguishes itself by integrating infrastructure orchestration with modular template-driven content injection. It automates the deployment of proxy servers, manages the lifecycle of encryption certificates, and applies conte
Handles the automatic generation and renewal of encryption certificates to maintain secure connections for proxied domains without manual intervention.
Duplicati is a self-hosted backup server designed to perform encrypted, incremental, and compressed backups to a wide range of local, network, and cloud-based storage providers. It functions as a background service that automates recurring data protection tasks, ensuring that only changed data blocks are stored to maximize efficiency and minimize bandwidth usage. The project distinguishes itself through a centralized management console that allows for the orchestration of multiple distributed backup agents from a single web-based dashboard. It supports multi-tenant management, enabling the or
Automates the lifecycle of TLS certificates to secure access to the web-based management interface.
Stalwart is a self-hosted email and collaboration infrastructure that provides an integrated mail server supporting SMTP, IMAP, POP3, and JMAP protocols. It functions as a comprehensive communication hub, combining email hosting with a collaboration server for shared calendars, contacts, and files. The system distinguishes itself through a distributed architecture that uses peer-to-peer cluster coordination to ensure high availability and fault tolerance. It features a built-in security suite that implements an S/MIME and OpenPGP email gateway alongside automated TLS certificate provisioning
Implements automated lifecycle management for TLS certificates using the ACME protocol.
Mailcow-dockerized is an open-source email hosting platform that provides a complete, self-hosted infrastructure suite. It bundles message transfer, storage, and security protocols into a modular, containerized environment designed for deployment on private infrastructure. The platform distinguishes itself by integrating a centralized management interface for configuring mail domains and user accounts alongside collaborative tools like shared calendars and contact lists. It includes automated security features such as integrated spam and malware filtering gateways, as well as automated certif
Provides automated lifecycle management for TLS certificates across multiple hosted mail domains.
This project is a web-based management interface designed for the administration, monitoring, and configuration of Nginx server instances. It functions as a centralized platform for managing reverse proxy settings, traffic routing, and server lifecycles, providing a visual dashboard to replace manual configuration file editing. The platform distinguishes itself through integrated infrastructure automation and observability tools. It supports distributed environments by synchronizing configuration states across multiple nodes and containerized services, while offering artificial intelligence a
Automates the deployment and renewal of security certificates for encrypted traffic.
BunkerWeb is a containerized suite of infrastructure tools that functions as a cloud-native web application firewall and Nginx reverse proxy. It provides a security layer for web applications, combining traffic routing with automated SSL certificate management and a web-based security dashboard for monitoring and configuration. The project distinguishes itself through its deep integration with container orchestrators, serving as a Kubernetes ingress controller that automates security settings and service discovery via container labels. It features a plugin-based extension model and a manageme
Automates the issuance and renewal of HTTPS certificates via DNS integration.
This project is a GitOps infrastructure framework designed for managing bare metal servers, container clusters, and networking. It serves as a declarative system for orchestrating the deployment and lifecycle of self-hosted services, using Git as the source of truth to synchronize the desired state of the environment. The framework differentiates itself through a comprehensive automation suite that covers the entire hardware-to-service pipeline. It includes a PXE-based bare metal provisioner for network booting and operating system installation, alongside a lightweight container orchestration
Automates the entire lifecycle of TLS certificates, including issuance, renewal, and DNS synchronization.
Higress ist ein KI-natives und Cloud-natives API-Gateway, das den Datenverkehr zwischen Clients und Diensten großer Sprachmodelle (LLMs) routet, absichert und optimiert. Es fungiert als zentraler Einstiegspunkt für Microservices und dient sowohl als Kubernetes-Ingress-Controller als auch als KI-Gateway-Orchestrator. Das Projekt zeichnet sich dadurch aus, dass es den Datenverkehr über mehrere KI-Anbieter hinweg mittels eines einheitlichen Protokolls verwaltet und dabei token-bewusstes Rate-Limiting sowie Response-Caching integriert, um die Modell-Inferenz zu optimieren. Es koordiniert die Kommunikation zwischen KI-Modellen und externen Werkzeugen, um Echtzeit-Kontext und Daten bereitzustellen, während es gleichzeitig Server-Endpunkte für KI-Agenten hostet. Zu den umfassenden Funktionen gehören API-Sicherheitsdurchsetzung mittels Web Application Firewalls (WAF), automatisiertes TLS-Zertifikatsmanagement und dynamische Service-Discovery. Das Gateway unterstützt die benutzerdefinierte Anforderungsverarbeitung durch sandboxed WebAssembly-Plugins, die eine Verkehrstransformation mit Hot-Reloading ermöglichen. Das System implementiert standardisierte Ingress-APIs, um das Netzwerk-Routing innerhalb containerisierter Cluster mit geringem Ressourcen-Overhead zu verwalten.
Automates the issuance and renewal of TLS certificates for secure, encrypted connections.
This project is a public key infrastructure management system designed to automate the issuance, renewal, and revocation of X.509, TLS, and SSH certificates. It functions as a machine identity provider and certificate authority, enabling the establishment of private PKI to secure inter-service communication and remote access. The system distinguishes itself through hardware-bound identity attestation, which ties cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration. It supports a wide array of identity verification mechanisms, including OIDC, cloud-provider
Automates the generation and renewal of both TLS and SSH certificates for users, devices, and workloads.
Chaos Mesh is a cloud-native fault injection tool and Kubernetes chaos engineering platform designed to verify system resilience. It functions as a testing framework for designing and executing automated failure scenarios to evaluate how containerized workloads recover from disruptions. The project acts as a multi-cluster chaos orchestrator, providing a centralized control plane to manage and monitor experiments across multiple remote Kubernetes clusters from a single interface. It includes a dashboard for the visual scheduling of experiments and the coordination of complex failure scenarios.
Integrates with external managers to handle the automated issuance and renewal of security certificates.
This project provides a comprehensive guide and set of scripts for deploying and configuring a production-ready Kubernetes cluster from scratch. It centers on establishing a functional environment by installing core management components, storage, and networking across multiple nodes. The implementation emphasizes high availability for the control plane, utilizing layer-4 load balancing and leader election for the API server, scheduler, and controller manager. It further ensures reliability through the deployment of a distributed key-value store for persistent runtime data. The project cover
Automates the lifecycle of TLS certificates, including generation and rotation for cluster components.
Maddy is a modular mail server that assembles a complete email system by connecting small, single-purpose modules through a declarative configuration file. Rather than a monolithic stack, it lets operators compose message processing, storage, authentication, and security enforcement from interchangeable building blocks, with each module handling a specific function like receiving SMTP connections, verifying credentials, or applying policy checks. The server distinguishes itself through its flexible authentication and security architecture. It delegates user verification to external systems in
Automatically obtains and renews TLS certificates via the ACME protocol without manual intervention.
This project is a Kubernetes deployment guide and infrastructure provisioner designed for hobbyist and home lab environments. It provides a framework for setting up multi-node clusters across various cloud providers and physical or virtual nodes, acting as a self-hosted cluster orchestrator. The project focuses on security hardening and infrastructure stability through specific implementation guides. This includes a framework for network security that covers host firewalls and encrypted network overlays, as well as detailed instructions for configuring ingress routing to manage external publi
Automates the lifecycle of TLS certificates for encrypted HTTPS connections within the cluster.
Uncloud is a decentralized container orchestrator designed to deploy and manage applications across multiple servers without a central control plane. It functions as a peer-to-peer system and a Docker Compose cluster deployer, using SSH-based infrastructure management to coordinate operations across remote nodes. The project distinguishes itself by using a secure mesh network overlay to enable direct inter-container communication across different physical machines. It facilitates container image distribution by transferring missing layers directly from local environments to target nodes, bypa
Provides automated handling of the TLS certificate lifecycle, including issuance and renewal, for services in the cluster.
caddy-docker-proxy ist ein dynamischer HTTP-Reverse-Proxy und Docker-Netzwerk-Ingress-Controller, der automatisch Routing-Konfigurationen generiert, indem er Labels aus Docker-Containern liest. Er dient als Service-Discovery-Tool, das Container-IP-Adressen in Echtzeit erkennt, um eingehenden Web-Traffic an die korrekten Backend-Ziele weiterzuleiten. Das Projekt fungiert als verteilter Proxy-Orchestrator, der in der Lage ist, generierte Konfigurationen von einem zentralen Controller an mehrere Remote-Server-Instanzen zu pushen, um die Request-Verarbeitung zu skalieren. Es automatisiert die Ausstellung und Erneuerung von TLS-Sicherheitszertifikaten für proxied Domains und koordiniert gemeinsam genutzte Zertifikate über Server-Replikate hinweg. Das System unterstützt die label-basierte Konfigurationsgenerierung unter Verwendung von Templates und Docker-Secrets, um Metadaten und globale Einstellungen in die Serverkonfiguration zu injizieren. Es behält die Synchronisierung bei, indem es auf Container-Lebenszyklusereignisse lauscht und einen In-Process-Lademechanismus verwendet, um das Serververhalten zu aktualisieren. Die Traffic-Management-Funktionen umfassen das Definieren von Request-Routing-Regeln, Pfad-Matching und URI-Rewriting, um Traffic an containerisierte Ressourcen zu leiten.
Handles the complete lifecycle of TLS certificates, including issuance and renewal, without manual intervention.