The Hoody Proxy
Section titled “The Hoody Proxy”Every URL you’ve been using? The proxy makes it work.
The Hoody Proxy is the gateway between the outside world and your containers. It handles HTTPS certificates, routes requests to the right service, manages permissions, and preserves real client IPs. All automatically. Every program you run gets HTTPS, HTTP/2, and HTTP/3 (QUIC) — out of the box. No configuration. No cert rotation. No Let’s Encrypt dance.
You will never think about a certificate again in your life. It just works.
What the Proxy Does
Section titled “What the Proxy Does”-
Automatic HTTPS — Wildcard TLS certificates for every container URL. No Let’s Encrypt setup, no cert rotation, no DNS challenge.
-
URL routing — Parses
{projectId}-{containerId}-{service}-{instance}.{serverName}.containers.hoody.icuand routes to the correct service inside the correct container. -
Permission enforcement — Authentication (JWT, password, IP whitelist, bearer token) checked before any request reaches your container.
-
Real client IP — Uses netfilter hooks to preserve the real client IP address. Your application sees the actual visitor, not a proxy address.
-
Protocol support — HTTP/1.1, HTTP/2, HTTP/3 (QUIC), and WebSocket upgrades. Real-time terminals and displays work seamlessly.
How URLs Route
Section titled “How URLs Route”When you hit:
https://abc123-def456-terminal-1.node-us-1.containers.hoody.icu/api/v1/terminal/executeThe proxy:
- Extracts
abc123(project),def456(container),terminal-1(service + instance) - Looks up
node-us-1to find the physical server - Routes to
terminalservice instance1inside containerdef456 - Forwards the request with real client IP preserved
All in milliseconds. No configuration on your part.
Custom Domain Aliases
Section titled “Custom Domain Aliases”Tired of sharing a URL stuffed with Project and Container IDs? Create an alias — a memorable name (3-61 chars, a-z, 0-9, hyphens) that resolves to a short, clean URL:
# Create a proxy aliashoody proxy create \ --container-id $CONTAINER_ID \ --program "exec" \ --alias "my-api" \ --index 1const alias = await client.api.proxyAliases.create({ container_id: CONTAINER_ID, program: 'exec', alias: 'my-api', index: 1});// Now https://my-api.{server}.containers.hoody.icu → your exec scriptscurl -X POST https://api.hoody.icu/api/v1/proxy/aliases \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{ "container_id": "'$CONTAINER_ID'", "program": "exec", "alias": "my-api", "index": 1 }'Permissions
Section titled “Permissions”By default, container URLs are accessible by anyone who has the URL. The URL itself is unguessable (48+ characters of hex), which provides a baseline of security.
When you’re ready to lock things down:
# Require password authenticationhoody containers proxy permissions replace -c $CONTAINER_ID \ --project $PROJECT_ID \ --groups auth='{"type": "password", "password": "my-secret"}' \ --permissions auth='{"terminal": true, "files": true, "display": true}'
# Restrict to specific IP addresseshoody containers proxy permissions replace -c $CONTAINER_ID \ --project $PROJECT_ID \ --groups office='{"type": "ip", "range": "203.0.113.10/32"}' \ --permissions office='{"terminal": true, "files": true, "display": true}'// Require password authawait client.api.proxyPermissionsContainer.replace(CONTAINER_ID, { project: PROJECT_ID, container: CONTAINER_ID, groups: { devs: { type: 'password', password: 'my-secret' } }, permissions: { devs: { terminal: true, files: true, display: true, http: true } }, default: 'deny'});
// IP restrictionawait client.api.proxyPermissionsContainer.replace(CONTAINER_ID, { project: PROJECT_ID, container: CONTAINER_ID, groups: { office_primary: { type: 'ip', range: '203.0.113.10/32' }, office_subnet: { type: 'ip', range: '198.51.100.0/24' } }, permissions: { office_primary: { terminal: true, files: true, display: true, http: true }, office_subnet: { terminal: true, files: true, display: true, http: true } }, default: 'deny'});# Set password authcurl -X PATCH https://api.hoody.icu/api/v1/containers/$CONTAINER_ID/proxy/permissions \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{"project":"'$PROJECT_ID'","container":"'$CONTAINER_ID'","groups":{"devs":{"type":"password","password":"my-secret"}},"permissions":{"devs":{"terminal":true,"files":true,"display":true,"http":true}},"default":"deny"}'One permissions document declares reusable auth groups (password, JWT, IP, token) and grants per-program access to them. Add a program in the permissions.<group>.<program> map to let that group in; anything not granted stays at the default policy. Configure once, apply it across whichever services need protection.
The Philosophy: Open by Default
Section titled “The Philosophy: Open by Default”URLs are unguessable. Sharing requires knowing the URL. This means:
- Development: No auth friction. Just build.
- Collaboration: Share the URL. Everyone’s in.
- Production: Add authentication when you’re ready.
No premature security configuration slowing you down. No “I can’t access the dev environment” tickets.
The proxy is invisible when you don’t need it, and bulletproof when you do.
Next: Your First API →