title: Getting Started with Charon description: Get your first website up and running in minutes. A beginner-friendly guide to setting up Charon reverse proxy.

Getting Started with Charon

Welcome! Let's get your first website up and running. No experience needed.

What Is This?

Imagine you have several apps running on your computer. Maybe a blog, a file storage app, and a chat server.

The problem: Each app is stuck on a weird address like 192.168.1.50:3000. Nobody wants to type that.

Charon's solution: You tell Charon "when someone visits myblog.com, send them to that app." Charon handles everything else—including the green lock icon (HTTPS) that makes browsers happy.

Step 1: Install Charon

Option A: Docker Compose (Easiest)

Create a file called docker-compose.yml:

services:
  charon:
    image: ghcr.io/wikid82/charon:latest
    container_name: charon
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - ./charon-data:/app/data
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CHARON_ENV=production

Then run:

docker-compose up -d

Option B: Docker Run (One Command)

docker run -d \
  --name charon \
  -p 80:80 \
  -p 443:443 \
  -p 8080:8080 \
  -v ./charon-data:/app/data \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -e CHARON_ENV=production \
  ghcr.io/wikid82/charon:latest

What Just Happened?

• Port 80 and 443: Where your websites will be accessible (like mysite.com)
• Port 8080: The control panel where you manage everything
• Docker socket: Lets Charon see your other Docker containers

Open http://localhost:8080 in your browser!

Step 1.5: Database Migrations (If Upgrading)

If you're upgrading from a previous version and using a persistent database, you may need to run migrations to ensure all security features work correctly.

When to Run Migrations

Run the migration command if:

• ✅ You're upgrading from an older version of Charon
• ✅ You're using a persistent volume for /app/data
• ✅ CrowdSec features aren't working after upgrade

Skip this step if:

• ❌ This is a fresh installation (migrations run automatically)
• ❌ You're not using persistent storage

How to Run Migrations

Docker Compose:

docker exec charon /app/charon migrate

Docker Run:

docker exec charon /app/charon migrate

Expected Output:

{"level":"info","msg":"Running database migrations for security tables...","time":"..."}
{"level":"info","msg":"Migration completed successfully","time":"..."}

What This Does:

• Creates or updates security-related database tables
• Adds CrowdSec integration support
• Ensures all features work after upgrade
• Safe to run multiple times (idempotent)

After Migration:

If you enabled CrowdSec before the migration, restart the container:

docker restart charon

Auto-Start Behavior:

CrowdSec will automatically start if it was previously enabled. The reconciliation function runs at startup and checks:

1. SecurityConfig table for crowdsec_mode = "local"
2. Settings table for security.crowdsec.enabled = "true"
3. Starts CrowdSec if either condition is true

You'll see this in the logs:

{"level":"info","msg":"CrowdSec reconciliation: starting based on SecurityConfig mode='local'"}

Verification:

# Wait 15 seconds for LAPI to initialize
sleep 15

# Check if CrowdSec auto-started
docker exec charon cscli lapi status

Expected output:

✓ You can successfully interact with Local API (LAPI)

If auto-start didn't work: See CrowdSec Not Starting After Restart for detailed troubleshooting steps.

Step 2: Add Your First Website

Let's say you have an app running at 192.168.1.100:3000 and you want it available at myapp.example.com.

1. Click "Proxy Hosts" in the sidebar
2. Click the "+ Add" button
3. Fill in the form:
   • Domain: myapp.example.com
   • Forward To: 192.168.1.100
   • Port: 3000
   • Scheme: http (or https if your app already has SSL)
   • Enable Standard Proxy Headers: ✅ (recommended — allows your app to see the real client IP)
4. Click "Save"

Done! When someone visits myapp.example.com, they'll see your app.

What Are Standard Proxy Headers?

By default (and recommended), Charon adds special headers to requests so your app knows:

• The real client IP address (instead of seeing Charon's IP)
• Whether the original connection was HTTPS (for proper security and redirects)
• The original hostname (for virtual host routing)

When to disable: Only turn this off for legacy applications that don't understand these headers.

Learn more: See Standard Proxy Headers in the features guide.

Step 3: Get HTTPS (The Green Lock)

For this to work, you need:

1. A real domain name (like example.com) pointed at your server
2. Ports 80 and 443 open in your firewall

If you have both, Charon will automatically:

• Request a free SSL certificate from a trusted provider
• Install it
• Renew it before it expires

You don't do anything. It just works.

By default, Charon uses "Auto" mode, which tries Let's Encrypt first and automatically falls back to ZeroSSL if needed. You can change this in System Settings if you want to use a specific certificate provider.

Testing without a domain? See Testing SSL Certificates for a practice mode.

Common Questions

"Where do I get a domain name?"

You buy one from places like:

• Namecheap
• Google Domains
• Cloudflare

Cost: Usually $10-15/year.

"How do I point my domain at my server?"

In your domain provider's control panel:

1. Find "DNS Settings" or "Domain Management"
2. Create an "A Record"
3. Set it to your server's IP address

Wait 5-10 minutes for it to update.

"Can I change which certificate provider is used?"

Yes! Go to System Settings and look for the SSL Provider dropdown. The default "Auto" mode works best for most users, but you can choose a specific provider if needed. See Features for details.

"Can I use this for apps on different computers?"

Yes! Just use the other computer's IP address in the "Forward To" field.

If you're using Tailscale or another VPN, use the VPN IP.

"Will this work with Docker containers?"

Absolutely. Charon can even detect them automatically:

1. Click "Proxy Hosts"
2. Click "Docker" tab
3. You'll see all your running containers
4. Click one to auto-fill the form

What's Next?

Now that you have the basics:

• See All Features — Discover what else Charon can do
• Import Your Old Config — Bring your existing Caddy setup
• Configure Optional Features — Enable/disable features like security and uptime monitoring
• Turn On Security — Block attackers (enabled by default, highly recommended)

Stuck?

Ask for help — The community is friendly!

Maintainers: History-rewrite Tools

If you are a repository maintainer and need to run the history-rewrite utilities, find the scripts in scripts/history-rewrite/.

Minimum required tools:

• git — install: sudo apt-get update && sudo apt-get install -y git (Debian/Ubuntu) or brew install git (macOS).
• git-filter-repo — recommended install via pip: pip install --user git-filter-repo or via your package manager if available: sudo apt-get install git-filter-repo.
• pre-commit — install via pip or package manager: pip install --user pre-commit and then pre-commit install in the repository.

Quick checks before running scripts:

# Fetch full history (non-shallow)
git fetch --unshallow || true
command -v git || (echo "install git" && exit 1)
command -v git-filter-repo || (echo "install git-filter-repo" && exit 1)
command -v pre-commit || (echo "install pre-commit" && exit 1)

See docs/plans/history_rewrite.md for the full checklist, usage examples, and recovery steps.