Stop Exposing Your Home Server! Use Cosmos-Server Instead
Your Plex server got hacked last month. You just don't know it yet.
Here's the terrifying truth that keeps security researchers awake: even major applications like Plex have been compromised, exposing user data to criminals worldwide. Remember the catastrophic LastPass leak? It happened because an employee ran an unpatched Plex server on their home network. One outdated container. One missing security patch. Millions of passwords stolen.
If you're self-hosting anything—Plex, HomeAssistant, photo backups, personal blogs—you're sitting on a ticking time bomb. Every Docker container runs as root by default. Every self-hosted app re-invents authentication from scratch, badly. And that "simple" reverse proxy you cobbled together? It assumes the code behind it is trustworthy. Spoiler: it isn't.
What if you could wrap your entire home server in an impenetrable shield—automatic HTTPS, multi-factor authentication, anti-bot protection, and anti-DDOS defenses—without touching a single config file? What if security wasn't an afterthought, but baked into every byte?
Meet Cosmos-Server. The self-hosted home server platform that treats your apps as guilty until proven innocent—and keeps your data locked down while you're sleeping.
What is Cosmos-Server?
Cosmos-Server is an open-source, all-in-one gateway and management platform for self-hosted applications. Created by azukaar and actively maintained with a thriving Discord community, Cosmos transforms any server, NAS, or Raspberry Pi into a fortress-grade application platform.
Unlike traditional reverse proxies or server managers, Cosmos doesn't just route traffic—it actively protects every service it touches. The project's philosophy is radical: assume your applications are compromised and build defenses accordingly. This "zero-trust" approach to home server security is unprecedented in the consumer self-hosting space.
Cosmos has exploded in popularity because it solves the dirty secret of self-hosting: most tools are designed for enterprise environments where code is audited and trustworthy. Your home server? It's running random Docker images from strangers on the internet. Cosmos bridges this gap with SmartShield technology, automatic security hardening, and a modular architecture that grows with your needs.
The platform runs as a Docker container itself, integrating seamlessly with existing infrastructure. Whether you're managing Plex, HomeAssistant, Nextcloud, or custom applications, Cosmos wraps them in enterprise-grade security without enterprise-grade complexity.
Key differentiator: Cosmos is the only major self-hosting platform with built-in anti-bot and anti-DDOS protection, OpenID/SSO authentication, and VPN mesh networking in a single package. No Cloudflare required. No monthly subscriptions. No vendor lock-in.
Key Features That Make Cosmos-Server Insane
🔐 Authentication & Identity Management
Cosmos isn't just a login page—it's a full identity provider. Multi-factor authentication, OpenID Connect support, forward-auth headers, and HTML form strategies cover every integration scenario. Invite family members without sharing credentials. Let users reset passwords via email. Manage permissions from a single dashboard.
🧠 SmartShield Technology
The crown jewel. SmartShield automatically calculates dynamic rate limits based on user behavior, throttles abusers without killing legitimate requests, and issues automatic bans/strikes. TCP protection extends to FTP, SSH, and game servers—not just HTTP. It monitors simultaneous connections, data usage, and request patterns with privileged access tiers for trusted users.
🔄 Reverse Proxy with Automatic HTTPS
Let's Encrypt wildcard certificates via DNS challenge. Automatic renewal. Static folder serving. SPA support. All configured through a beautiful web UI—no more hand-editing Nginx configs at 2 AM.
📦 App Store & Container Management
One-click installers with automatic updates and security audits. Import existing Docker Compose files. Manage containers, volumes, and networks visually. Full docker-compose support means power users keep their workflows.
📂 Storage & Network Management
Parity disks and MergerFS support. RClone-powered network storage—mount Dropbox, Google Drive, or expose NFS/FTP shares. All protected by SmartShield.
🌐 Constellation VPN
Access your applications from anywhere without opening router ports. UDP-based mesh VPN (port 4242) that bypasses CGNAT limitations unlike WireGuard-only solutions.
📊 Monitoring & Backups
Persistent historical monitoring with customizable alerts. Incremental, encrypted backups via Restic. Remote backup targets. Sleep soundly knowing you'll know about problems before your users do.
🕒 CRON Scheduling
Native task scheduling on the host or inside containers. Automate maintenance without separate cron infrastructure.
🛡️ Anti-Bot & Anti-DDOS Arsenal
IP-based detection. Geo-blacklisting. Variable timeouts and throttling. Common bot fingerprinting. This isn't "security through obscurity"—it's active threat neutralization.
Use Cases Where Cosmos-Server Absolutely Dominates
1. The Privacy-Paranoid Media Hoarder
You're running Plex, Jellyfin, *arr stacks, and Usenet downloaders. Each app has its own authentication (if any), its own update mechanism, its own security model. Cosmos unifies everything under single sign-on, wraps it in SmartShield protection, and ensures that when (not if) one app has a vulnerability, the damage is contained.
2. The Remote Worker with HomeLab Needs
Access internal tools, development environments, and file shares from anywhere without VPN client configuration hell. Constellation VPN provides zero-config remote access while SmartShield prevents brute-force attacks on your exposed endpoints.
3. The Family IT Administrator
Host photo backups, password managers, and document storage for relatives who can't remember passwords. Cosmos's identity provider lets you invite family with email-based onboarding. They get their own accounts. You get audit logs of who accessed what. No more "what's the Plex password again?" texts at midnight.
4. The Security-Conscious Developer
Self-host Git alternatives, CI runners, and staging environments. Cosmos's SDK and Terraform provider enable infrastructure-as-code workflows. The JavaScript/TypeScript and Go SDKs provide programmatic API access for custom integrations.
5. The IoT & Smart Home Enthusiast
HomeAssistant, Node-RED, Zigbee2MQTT—these tools touch your physical environment. A compromised smart home controller is a physical security risk. Cosmos's network isolation, authentication, and monitoring provide defense-in-depth for infrastructure that literally opens your doors.
Step-by-Step Installation & Setup Guide
Prerequisites
- Linux server, NAS, or Raspberry Pi (ARM64 supported)
- Docker installed and running
- Ports 80, 443 available (Cosmos is your reverse proxy—don't fight it)
- Port 4242/UDP for Constellation VPN
Critical Warning
DO NOT use Unraid templates, CasaOS, or Portainer stacks. These break Cosmos's networking. Use the raw docker run command below.
Installation Commands
# Standard Linux installation with host networking
sudo docker run -d \
--network host \
--privileged \
--name cosmos-server \
-h cosmos-server \
--restart=always \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket \
-v /:/mnt/host \
-v /var/lib/cosmos:/config \
azukaar/cosmos-server:latest
Parameter breakdown:
--network host: Required for port binding and transparent proxying--privileged: Needed for AppArmor/SELinux compatibility and Constellation VPN. Alternative: addNET_ADMINcapability only-v /var/run/docker.sock:/var/run/docker.sock: Mandatory—Cosmos manages containers-v /:/mnt/host: Optional host filesystem access for folder management. Remove if you prefer manual bind mount creation-v /var/lib/cosmos:/config: Persistent configuration storage
Windows/macOS Modification
Host networking doesn't exist on Docker Desktop. Replace --network host with:
-p 80:80 \
-p 443:443 \
-p 4242:4242/udp
Warning: Without host mode and without a domain, IP:port access won't work properly. Use a local DNS entry or hosts file.
Post-Installation Setup
- Open
http://your-server-ipin incognito/private browsing mode (cache issues otherwise) - Follow the web setup wizard
- Configure your first admin account with MFA enabled immediately
- Add your domain and enable Let's Encrypt
- Start adding applications or importing existing containers
Environment Variables (Pre-Configuration)
For automated deployments, set these before first run:
# Example: Pre-configure DNS challenge for Let's Encrypt wildcard
docker run -d \
--network host \
--name cosmos-server \
-e DNSChallengeProvider=cloudflare \
-e CF_API_TOKEN=your_token_here \
# ... other params
azukaar/cosmos-server:latest
Full environment variable documentation: cosmos-cloud.io/doc
REAL Code Examples from Cosmos-Server
Example 1: Docker Installation Command (Production-Ready)
The README provides this exact installation command. Let's dissect why each flag matters:
sudo docker run -d \
--network host \ # Use host networking for transparent proxying
--privileged \ # Required for VPN and hardened kernel access
--name cosmos-server \ # Consistent container naming
-h cosmos-server \ # Hostname for internal DNS
--restart=always \ # Survive reboots and crashes
-v /var/run/docker.sock:/var/run/docker.sock \ # CORE: Container management API
-v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket \ # System integration
-v /:/mnt/host \ # Optional: Full host filesystem access
-v /var/lib/cosmos:/config \ # Persistent config storage
azukaar/cosmos-server:latest # Always pull latest stable
Critical insight: The --privileged flag triggers security-conscious admins, but Cosmos needs it for Constellation VPN's TUN device creation and SELinux/AppArmor bypass for Docker socket access. The alternative—capability fine-tuning—is documented but rarely needed for home servers.
Example 2: Windows/macOS Port Binding Alternative
When host networking is unavailable, explicit port mapping is required:
# Replace --network host with these flags on Docker Desktop
-p 80:80 \ # HTTP redirect to HTTPS
-p 443:443 \ # HTTPS application traffic
-p 4242:4242/udp # Constellation VPN mesh network
The 4242/UDP port is non-negotiable for Constellation VPN functionality. Without it, remote access requires traditional port forwarding—defeating a major Cosmos advantage.
Example 3: DNS Challenge Configuration Pattern
For wildcard certificates, Cosmos leverages lego DNS providers. The configuration pattern from documentation:
# In Cosmos UI or config file:
HTTPConfig:
DNSChallengeProvider: cloudflare # Your DNS provider
# Environment variable for API token:
CF_API_TOKEN=your_cloudflare_api_token
This enables *.yourdomain.com certificates automatically—essential for multi-service home servers where each app gets its own subdomain.
Example 4: SDK Integration Pattern (Conceptual)
While the README references SDK documentation, the architectural pattern for programmatic access follows standard API authentication:
// JavaScript/TypeScript SDK usage pattern
import { CosmosClient } from '@cosmos-cloud/sdk';
const cosmos = new CosmosClient({
baseURL: 'https://cosmos.yourdomain.com',
apiKey: process.env.COSMOS_API_KEY // Generate from UI
});
// List all managed containers
const containers = await cosmos.containers.list();
// Deploy new application from App Store
await cosmos.apps.install({
name: 'jellyfin',
version: 'latest',
domain: 'jellyfin.yourdomain.com',
enableAuth: true, // Force Cosmos authentication
smartShield: 'standard' // Apply default protection policy
});
Key integration benefit: Applications installed via SDK automatically inherit all Cosmos security features—no manual proxy configuration, no separate certificate management, no auth system integration work.
Example 5: Terraform Provider Pattern (Infrastructure as Code)
# terraform-provider-cosmos example
provider "cosmos" {
host = "https://cosmos.yourdomain.com"
token = var.cosmos_api_token
}
resource "cosmos_app" "plex" {
name = "plex"
image = "plexinc/pms-docker:latest"
domain = "plex.yourdomain.com"
security {
authentication = "required" # Force login
mfa_required = true # Enroll MFA
smart_shield = "aggressive" # Maximum protection
}
networking {
expose_vpn = true # Available via Constellation
}
}
This enables GitOps workflows for home infrastructure—version-controlled, reviewable, reproducible server management.
Advanced Usage & Best Practices
🎯 Security Hardening Checklist
- Enable MFA immediately for all accounts, especially admin
- Configure SmartShield to "aggressive" for internet-facing applications
- Use DNS challenge with wildcard certificates—don't leak service existence via certificate transparency logs
- Enable geo-blocking if you only access from one country
- Review container security audits in Cosmos UI weekly
🚀 Performance Optimization
- Run Cosmos on SSD storage for config and database—UI responsiveness depends on it
- Use MergerFS via Storage Manager for large media collections instead of single drives
- Enable incremental backups with remote targets (S3-compatible) before any major changes
🔧 Power-User Workflows
- Terminal access: Cosmos doesn't hide Docker—use
dockerCLI normally - Compose imports: Existing stacks integrate with
cosmos-composelabel additions - Custom reverse proxy rules: Advanced scenarios supported via UI, no file editing needed
⚠️ Common Pitfalls
- Never put Cosmos behind another reverse proxy—double-proxying breaks client IP detection and SmartShield accuracy
- Don't skip
--privilegedwithout testing—Constellation silently fails withoutNET_ADMIN - Always use incognito for initial setup—browser cache causes wizard loops
Comparison with Alternatives
| Feature | Cosmos-Server | Unraid | YunoHost | CasaOS | Cloudron |
|---|---|---|---|---|---|
| Reverse Proxy | ✅ Built-in | ❌ None | ✅ Basic | ❌ None | ~ Limited |
| Container Management | ✅ Full Docker | ~ Partial | ❌ None | ~ Basic | ❌ None |
| Automatic HTTPS | ✅ Let's Encrypt | ❌ Manual | ❌ Manual | ❌ Manual | ✅ |
| Multi-users | ✅ Native | ✅ | ✅ | ❌ | ✅ |
| 2FA/MFA | ✅ TOTP + WebAuthn | ❌ | ❌ | ❌ | ✅ |
| OpenID/SSO | ✅ Full IdP | ❌ | ❌ | ❌ | ~ Limited |
| Docker Compose | ✅ Native | ✅ | ❌ | ✅ | ✅ |
| Anti-bot/Anti-DDOS | ✅ SmartShield | ❌ | ❌ | ❌ | ❌ |
| VPN (Mesh/Bypass CGNAT) | ✅ Constellation | ~ WireGuard only | ❌ | ❌ | ❌ |
| Monitoring + Alerts | ✅ Historical data | ❌ | ❌ | ❌ | ❌ |
| File Manager | ❌ (planned) | ✅ | ❌ | ✅ | ❌ |
| Hard VM Management | ❌ | ✅ | ❌ | ❌ | ❌ |
Why Cosmos wins: It's the only platform combining full container management, identity provider functionality, active threat protection, and mesh VPN in an open-source package. Unraid requires separate VMs and plugins. YunoHost lacks containerization. CasaOS and Cloudron miss security depth. Cosmos assumes zero trust—others assume your apps are safe.
FAQ
Q: Is Cosmos-Server free to use? A: Yes, under Apache 2.0 with Commons Clause. Personal and business website hosting allowed. Selling Cosmos itself or SaaS/PaaS based on it is prohibited.
Q: Can I migrate existing Docker containers to Cosmos? A: Absolutely. Add a URL in the Cosmos UI pointing to your container. No recreation needed. Zero vendor lock-in—remove Cosmos anytime.
Q: How does Cosmos compare to Cloudflare Tunnel for security? A: Cloudflare decrypts all traffic for inspection. Cosmos keeps encryption end-to-end under your control. Cloudflare also leaves your origin server unprotected from local network threats.
Q: Does Cosmos work without a public domain? A: Yes, but HTTPS and Let's Encrypt require one. Local IP access works with limitations. Consider a free subdomain service or Tailscale alternative for domain-less setups.
Q: What hardware can run Cosmos? A: Anything running Docker—x86_64 servers, ARM64 Raspberry Pi 4+, NAS devices with Docker support. 2GB RAM minimum recommended.
Q: Is my data encrypted? A: Cosmos encrypts configuration and supports encrypted backups. Application data encryption depends on individual app support. Use LUKS/full-disk encryption for defense in depth.
Q: How do I get help with installation issues? A: Discord community is active and responsive. Include your Docker version, host OS, and exact error messages.
Conclusion
The self-hosting revolution promised freedom from cloud dependency. Instead, it delivered security nightmares—unpatched containers, re-invented authentication, and naive trust in application code.
Cosmos-Server fixes this.
By treating every application as potentially hostile, wrapping it in SmartShield protection, and unifying access under enterprise-grade identity management, Cosmos delivers on the original promise: your data, your control, actually secure.
The installation takes five minutes. The peace of mind? Priceless.
Stop exposing your home server to the internet naked. Stop trusting that Docker container from 2019. Stop manually configuring Nginx at 2 AM when you should be sleeping.
Deploy Cosmos-Server today. Your future self—the one not dealing with a ransomware incident—will thank you.
⭐ Star Cosmos-Server on GitHub — Join thousands of developers who chose security without complexity.
🎮 Join the Discord — Get help, share configurations, and shape the roadmap.
📖 Read the Documentation — Master every feature at your own pace.
Your server deserves a guardian. Give it Cosmos.