Server

You can adjust the server configuration with the following environment variables.

Variables

| Env var | Required | Description | Supported values | Default value when missing |
| --- | --- | --- | --- | --- |
| DD_PUBLIC_URL | | Public-facing URL for OIDC callbacks and links (auto-detected from request if not set) | URL (e.g., https://drydock.example.com) | auto-detected |
| DD_SERVER_ENABLED | | If REST API must be exposed | true, false | true |
| DD_SERVER_UI_ENABLED | | Serve the web UI (set to false for headless/API-only mode) | true, false | true |
| DD_SERVER_PORT | | HTTP listener port | from 0 to 65535 | 3000 |
| DD_SERVER_TRUSTPROXY | | Trust X-Forwarded-For headers when behind a reverse proxy | true, false, or hop count (1, 2, etc.) | false |
| DD_SERVER_TLS_ENABLED | | Enable HTTPS+TLS | true, false | false |
| DD_SERVER_TLS_KEY | | TLS server key (required when DD_SERVER_TLS_ENABLED is enabled) | File path to the key file | |
| DD_SERVER_TLS_CERT | | TLS server certificate (required when DD_SERVER_TLS_ENABLED is enabled) | File path to the cert file | |
| DD_SERVER_CORS_ENABLED | | Enable CORS Requests | true, false | false |
| DD_SERVER_CORS_ORIGIN | | Allowed CORS origin (prefer an explicit origin in production) | * or a single origin URL (for example https://drydock.example.com) | * |
| DD_SERVER_CORS_METHODS | | Supported CORS methods | Comma separated list of valid HTTP verbs | GET,HEAD,PUT,PATCH,POST,DELETE |
| DD_SERVER_COMPRESSION_ENABLED | | Enable gzip response compression (SSE responses are excluded automatically) | true, false | true |
| DD_SERVER_COMPRESSION_THRESHOLD | | Minimum response size in bytes before compression is applied | integer (>=0) | 1024 |
| DD_SERVER_FEATURE_CONTAINERACTIONS | | Enable start, stop, restart, and update actions via API and UI | true, false | true |
| DD_SERVER_FEATURE_DELETE | | If deleting operations are enabled through API & UI | true, false | true |
| DD_SERVER_METRICS_AUTH | | Require authentication on /metrics endpoint | true, false | true |
| DD_SESSION_SECRET | | Override the auto-generated session secret for cookie signing | Any string | auto-generated |
| DD_SERVER_COOKIE_SAMESITE | | Session cookie SameSite policy for auth flows (none requires HTTPS) | strict, lax, none | lax |
| DD_SERVER_SESSION_MAXCONCURRENTSESSIONS | | Maximum concurrent authenticated sessions per user (oldest sessions are revoked first at login when limit is reached) | integer (>=1) | 5 |
| DD_SERVER_RATELIMIT_IDENTITYKEYING | | Key authenticated-route rate limits by session/username instead of IP (prevents collisions for multiple users behind shared proxies) | true, false | false |
| DD_RUN_AS_ROOT | | Request break-glass root mode (requires DD_ALLOW_INSECURE_ROOT=true) | true, false | false |
| DD_ALLOW_INSECURE_ROOT | | Explicit acknowledgment for break-glass root mode | true, false | false |

For log output configuration (DD_LOG_LEVEL, DD_LOG_FORMAT), see Logs configuration.

CORS Security Guidance

When DD_SERVER_CORS_ENABLED=true and DD_SERVER_CORS_ORIGIN is not set, drydock uses * (all origins). This is convenient for local testing but too broad for production. A startup warning is emitted when the wildcard is implicit. In a future release, an explicit DD_SERVER_CORS_ORIGIN=* will be required to intentionally allow all origins.

For production deployments, set an explicit trusted origin:

  • DD_SERVER_CORS_ORIGIN=https://drydock.example.com
  • DD_SERVER_CORS_ORIGIN=https://ops.example.com

Container Healthcheck

The official Docker image includes a built-in HEALTHCHECK that polls the /health endpoint. When DD_SERVER_TLS_ENABLED=true, the healthcheck automatically switches to HTTPS (with --insecure for self-signed certificates). No additional configuration is needed.

Plain HTTP Deployments

When DD_SERVER_TLS_ENABLED is not set or is false, drydock automatically adjusts its security headers for plain HTTP:

  • HSTS is omitted (since the browser is not on HTTPS)
  • upgrade-insecure-requests CSP directive is omitted (prevents browsers from blocking sub-resource loads)

No additional configuration is required — drydock detects the TLS state and adapts automatically. If you run drydock behind a TLS-terminating reverse proxy, set DD_SERVER_TRUSTPROXY=true (or a hop count) so drydock sees the correct protocol from X-Forwarded-Proto.

When choosing a DD_SERVER_COOKIE_SAMESITE value:

  • Use lax (default) for typical web + OIDC setups.
  • Use strict only when drydock and the IdP are same-site and you want the strictest cookie policy.
  • Use none only when you explicitly need cross-site cookies (for example an embedded UI), and only over HTTPS. Setting DD_SERVER_COOKIE_SAMESITE=none triggers a startup validation check: drydock refuses to start unless DD_SERVER_TLS_ENABLED=true or DD_SERVER_TRUSTPROXY is set, ensuring cookies are only sent over a secure transport.
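
A pre-deployment check for the constraints stated on this page (TLS key/cert, SameSite=none, CORS wildcard, break-glass root, /metrics auth), as an added example that is not part of drydock. The function name audit, the finding messages, and treating DD_SERVER_TRUSTPROXY=false as "not set" are assumptions of this example.

```python
# Added example: lint a DD_* environment against the rules stated on this page.
# audit() and its message texts are this example's own names, not drydock's.

def _on(env, name, default="false"):
    return env.get(name, default).strip().lower() == "true"

def audit(env):
    """Return (severity, message) findings for a dict of DD_* settings."""
    out = []
    tls = _on(env, "DD_SERVER_TLS_ENABLED")
    # Assumption: an unset or "false" DD_SERVER_TRUSTPROXY counts as "not set".
    proxied = env.get("DD_SERVER_TRUSTPROXY", "false").strip().lower() not in ("", "false")

    if tls:
        for name in ("DD_SERVER_TLS_KEY", "DD_SERVER_TLS_CERT"):
            if not env.get(name):
                out.append(("error", f"{name} is required when TLS is enabled"))

    samesite = env.get("DD_SERVER_COOKIE_SAMESITE", "lax").strip().lower()
    if samesite not in ("strict", "lax", "none"):
        out.append(("error", f"unsupported DD_SERVER_COOKIE_SAMESITE={samesite}"))
    elif samesite == "none" and not (tls or proxied):
        out.append(("error", "SameSite=none needs TLS or DD_SERVER_TRUSTPROXY"))

    if _on(env, "DD_SERVER_CORS_ENABLED"):
        origin = env.get("DD_SERVER_CORS_ORIGIN")
        if origin is None:
            out.append(("warn", "CORS origin unset: implicit * (all origins)"))
        elif origin.strip() == "*":
            out.append(("warn", "CORS origin is an explicit * (all origins)"))

    if _on(env, "DD_RUN_AS_ROOT"):
        if _on(env, "DD_ALLOW_INSECURE_ROOT"):
            out.append(("warn", "break-glass root mode is requested"))
        else:
            out.append(("error", "DD_RUN_AS_ROOT needs DD_ALLOW_INSECURE_ROOT=true"))

    if not _on(env, "DD_SERVER_METRICS_AUTH", "true"):
        out.append(("warn", "/metrics is served without authentication"))
    return out

# Constructed sample: a risky environment.
RISKY = {"DD_SERVER_CORS_ENABLED": "true", "DD_SERVER_COOKIE_SAMESITE": "none",
         "DD_RUN_AS_ROOT": "true", "DD_SERVER_METRICS_AUTH": "false"}

if __name__ == "__main__":
    for severity, message in audit(RISKY):
        print(f"{severity:5} {message}")
```
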

Concurrent Session Guidance

DD_SERVER_SESSION_MAXCONCURRENTSESSIONS controls how many authenticated sessions each user may keep active at once. When a login would exceed the cap, drydock revokes that user's oldest existing sessions first.

Examples

Disable HTTP listener

```yaml
services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_SERVER_ENABLED=false
```

```bash
docker run \
  -e DD_SERVER_ENABLED=false \
  ...
  codeswhat/drydock
```

Set HTTP listener port to 8080

```yaml
services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_SERVER_PORT=8080
```

```bash
docker run \
  -e DD_SERVER_PORT=8080 \
  ...
  codeswhat/drydock
```

Enable HTTPS

```yaml
services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_SERVER_TLS_ENABLED=true
      - DD_SERVER_TLS_KEY=/drydock_certs/server.key
      - DD_SERVER_TLS_CERT=/drydock_certs/server.crt
```

```bash
docker run \
  -e "DD_SERVER_TLS_ENABLED=true" \
  -e "DD_SERVER_TLS_KEY=/drydock_certs/server.key" \
  -e "DD_SERVER_TLS_CERT=/drydock_certs/server.crt" \
  ...
  codeswhat/drydock
```

Reverse proxy (trust proxy)

Required when drydock runs behind a TLS-terminating reverse proxy (Traefik, Nginx, Caddy, HAProxy, etc.). Without this setting, drydock cannot determine the real protocol or client IP from forwarded headers, which causes:

  • CSRF validation failures (403 errors on POST/PUT/DELETE requests) — drydock sees http:// internally while the browser sends Origin: https://...
  • Incorrect security headers — HSTS and secure cookie flags may not be applied
  • Wrong client IPs in logs and rate limiting — drydock sees the proxy's IP instead of the real client

Set DD_SERVER_TRUSTPROXY=1 to trust one proxy hop. Use a higher number if you have chained proxies (e.g. CDN → load balancer → app proxy = 3).

```yaml
services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_SERVER_TRUSTPROXY=1
```

```bash
docker run \
  -e DD_SERVER_TRUSTPROXY=1 \
  ...
  codeswhat/drydock
```

Your proxy must forward the X-Forwarded-Proto header so drydock knows whether the original request used HTTPS. Most proxies (Traefik, Caddy) do this by default. For Nginx, add proxy_set_header X-Forwarded-Proto $scheme; to your location block. See the FAQ for complete Traefik and Nginx examples.
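
How a hop count selects the client address, as an added example that is not drydock's code. It assumes the common convention that each trusted hop strips one entry from the right of X-Forwarded-For (the page does not spell out drydock's exact algorithm); the function names and all addresses are constructed for illustration.

```python
# Added example: which address ends up as "the client" for a given trust setting.
# Assumption: each trusted hop strips one entry from the right of
# X-Forwarded-For (a common convention; not taken from drydock's source).

def effective_client(peer, xff, trust):
    """peer: TCP peer address; xff: header value or None;
    trust: False, True, or a hop count (the DD_SERVER_TRUSTPROXY value kinds)."""
    chain = [p.strip() for p in (xff or "").split(",") if p.strip()] + [peer]
    if trust is True:
        return chain[0]                      # everything trusted: leftmost entry wins
    hops = int(trust)                        # False -> 0 hops -> the TCP peer itself
    return chain[max(len(chain) - 1 - hops, 0)]

# Constructed request: CDN -> load balancer -> app proxy -> drydock (3 hops).
# The client sent its own X-Forwarded-For entry, which the CDN appended to.
CLIENT, CLIENT_SUPPLIED = "203.0.113.7", "198.51.100.99"
XFF = f"{CLIENT_SUPPLIED}, {CLIENT}, 192.0.2.10, 10.0.0.5"
PEER = "10.0.0.9"                            # the app proxy's address

def compare(settings=(False, 1, 3, 4, True)):
    """Return (setting, selected address) pairs for the constructed request."""
    return [(s, effective_client(PEER, XFF, s)) for s in settings]

if __name__ == "__main__":
    for setting, addr in compare():
        print(f"DD_SERVER_TRUSTPROXY={str(setting).lower():5} -> {addr}")
```

Only the hop count that matches the number of proxies actually in front of drydock (3 here) yields the real client; a smaller value collapses every user onto a proxy address, and a larger value or true lets a client-supplied entry through.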

Advanced Tuning

These variables control the icon proxy cache used to serve container icons. Defaults are suitable for most deployments.

| Env var | Required | Description | Supported values | Default value when missing |
| --- | --- | --- | --- | --- |
| DD_ICON_CACHE_TTL_MS | | TTL for cached icon files on disk | integer (ms) | 2592000000 (30 days) |
| DD_ICON_CACHE_MAX_FILES | | Maximum number of icon files in cache | integer (>0) | 5000 |
| DD_ICON_CACHE_MAX_BYTES | | Maximum total size of icon cache in bytes | integer (>0) | 104857600 (100 MB) |

Secrets from files

Any DD_* environment variable can be loaded from a file by appending __FILE to the variable name and setting the value to the file path. This is useful for Docker secrets and other secret management tools.

```yaml
services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_SERVER_WEBHOOK_TOKEN__FILE=/run/secrets/webhook_token
      - DD_SERVER_WEBHOOK_TOKENS_UPDATE__FILE=/run/secrets/webhook_update_token
    secrets:
      - webhook_token
      - webhook_update_token

secrets:
  webhook_token:
    file: ./webhook_token.txt
  webhook_update_token:
    file: ./webhook_update_token.txt
```

```bash
docker run \
  -e DD_SERVER_WEBHOOK_TOKEN__FILE=/run/secrets/webhook_token \
  -e DD_SERVER_WEBHOOK_TOKENS_UPDATE__FILE=/run/secrets/webhook_update_token \
  -v ./webhook_token.txt:/run/secrets/webhook_token:ro \
  -v ./webhook_update_token.txt:/run/secrets/webhook_update_token:ro \
  ...
  codeswhat/drydock
```
