Zoraxy on Ubuntu 24.04 on Azure User Guide
Overview
Zoraxy is a general purpose, self hosted HTTP reverse proxy and network toolkit that you manage entirely from a web interface. From one management UI you publish and route many sites through a single entry point, terminate TLS with automatic certificate renewal, balance load across upstreams, apply access control by IP or country, forward raw TCP and UDP streams, and monitor uptime. It also bundles a set of network utilities: an mDNS scanner, an IP scanner, a port scanner, traceroute and ping, and wake on LAN. The cloudimg image serves Zoraxy 3.3.3 on a hardened, fully patched Ubuntu 24.04 LTS base. Because Zoraxy is itself the reverse proxy it owns ports 80 and 443 for your proxied sites, while the web management UI listens separately on port 8000.
The image is secure by default: it ships with no administrator account, so the very first time you open the management UI you create your own admin with your own password. A fresh node identity is generated per instance on first boot, and no shared or default login ever ships in the image. Backed by 24/7 cloudimg support.
What is included:
- Zoraxy 3.3.3, a single self contained Go binary, managed by systemd
- The web management UI on
:8000, the reverse proxy on:80and:443 - No default administrator: you create your own admin on the first visit
- Embedded key value store, no external database to run
- Automatic HTTPS with ACME certificate renewal and DNS challenge support
- Reverse proxy with HTTP/2, websockets, load balancing and virtual directories
- Access control by IP or country, TCP and UDP stream proxy, uptime monitor
- Network tools: mDNS scanner, IP scanner, port scanner, traceroute, wake on LAN
- A dedicated Azure data disk at
/opt/zoraxyfor configuration, certificates and state zoraxy.serviceas an enabled systemd unit- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; size up for more concurrent connections. NSG inbound: allow 22/tcp from your management network, 8000/tcp for the management UI, and 80/tcp and 443/tcp for the sites you publish through the reverse proxy. Restrict 8000/tcp to trusted networks in production, since it is the administrative interface.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Zoraxy by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80), then add custom rules for 443 and 8000. Review the dedicated data disk on the Disks tab, then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name zoraxy \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open the management UI port and the reverse proxy ports:
az vm open-port --resource-group <your-rg> --name zoraxy --port 8000 --priority 900
az vm open-port --resource-group <your-rg> --name zoraxy --port 443 --priority 910
Step 3 - Confirm the service is running
SSH in as azureuser and confirm Zoraxy is active. The management UI listens on port 8000, while the reverse proxy listens on ports 80 and 443 for the sites you publish.
systemctl is-active zoraxy zoraxy-firstboot
sudo ss -tlnp | grep -E ':8000 |:80 |:443 ' | awk '{print $1, $4}'
findmnt -no SOURCE,TARGET,FSTYPE /opt/zoraxy

Step 4 - The first visit info note
Zoraxy ships with no administrator account. On the first boot of every VM a one shot service writes an instance info note recording the management URL and the create-admin instruction. There is no password in it, because you set your own on first visit. Read it with sudo:
sudo cat /root/zoraxy-credentials.txt
You can confirm the server is healthy and that no admin is baked into the image from the command line. The version endpoint returns 200, and the account count is 0 until you create your own admin:
curl -s -o /dev/null -w 'GET /api/info/x -> HTTP %{http_code}\n' http://127.0.0.1:8000/api/info/x
curl -s http://127.0.0.1:8000/api/auth/userCount; echo

Step 5 - Create your admin on first visit
Browse to http://<vm-public-ip>:8000/. Because the image ships with no administrator, Zoraxy opens on its Account Setup page. Choose a username and a strong password, confirm the password, and select Confirm. This one screen is where you secure the instance: there are no default credentials to change, because none ship.

Step 6 - The management dashboard
Once your admin is created you sign in to the management UI. The status page confirms the server is online and which port it is serving on, shows request and network activity, and the left navigation groups every feature: Reverse Proxy, Access and Connections, Security, Services, Networking and more.

Step 7 - Publish a site through the reverse proxy
Open Reverse Proxy then HTTP Proxy to manage the hosts you route. Select Create Proxy Rule (or HTTP Proxy then the new rule form) and enter the matching hostname (for example app.example.com), the upstream destination (for example 192.168.1.10:8080), and whether the upstream uses TLS. Save the rule and Zoraxy immediately routes matching requests to that upstream, adding websockets and HTTP/2 automatically.

Step 8 - Use the built in network tools
Zoraxy is also a network toolkit. Open Networking then Network Tools to discover services with the mDNS scanner, find devices on the local network with the IP scanner, check open ports with the port scanner, and trace routes or ping hosts, all from the management UI.

Step 9 - Verify the stack
Confirm the Zoraxy version, that the service is enabled, the management UI responds, and the dedicated data disk mount:
/usr/local/bin/zoraxy -version
systemctl is-enabled zoraxy
curl -s -o /dev/null -w 'GET /login.html -> HTTP %{http_code}\n' http://127.0.0.1:8000/login.html
df -h /opt/zoraxy | tail -1

Step 10 - Where your data lives
Your reverse proxy rules, issued and self signed certificates, access rules, logs and the node identity all live on a dedicated Azure data disk mounted at /opt/zoraxy, separate from the OS disk. This disk is captured into the image and re provisioned on every VM, and you can snapshot and resize it independently. Confirm the mount and the free space:
df -h /opt/zoraxy | tail -1
sudo ls /opt/zoraxy
Step 11 - Enable HTTPS with ACME (optional)
Zoraxy can obtain and renew TLS certificates for you. In the management UI open Security then TLS / SSL certificates and ACME Client, set your contact email, and request a certificate for a domain that resolves to this VM. Zoraxy serves the HTTP challenge on port 80, so keep 80/tcp open in the NSG, then serves your site over HTTPS on port 443 and renews the certificate automatically before it expires. You can also upload your own certificate if you manage TLS elsewhere.
Security notes
- The management UI serves on port 8000. Restrict
8000/tcpin the NSG to trusted networks, and consider putting the management UI behind your own VPN. The reverse proxy itself faces the network on ports 80 and 443 for the sites you publish. - The image ships with no administrator. You create the first admin on first visit, so there are no shared or default credentials to rotate. A fresh node identity is generated per instance on first boot, so no cryptographic identity is shared across deployments.
- Zoraxy runs as root because it binds the privileged ports 80 and 443 and drives network tools. Publish only the upstreams you intend to expose, and use the access control rules to limit who can reach them.
- Keep the VM patched. The image ships fully patched with unattended security upgrades enabled.
Support
cloudimg images come with 24/7 support. If you have any questions about this Zoraxy image or need help with your deployment, contact us through the cloudimg website.