At a Glance:
Cosmos is a self-hosted home server platform that combines a reverse proxy with automatic HTTPS, an authentication server with MFA and OpenID, container management, a VPN, and SmartShield security into a single web-managed solution.
Overview:
Cosmos is a self-hosted server management platform designed to run and secure containerized applications on personal servers, NAS devices, or Raspberry Pi. It acts as a secure gateway by layering authentication, reverse proxying with automatic HTTPS, and anti-bot protections in front of existing or newly installed services. The platform targets users who want to reduce the attack surface of their self-hosted software without manual security tuning, and it explicitly differentiates itself by assuming backend applications are not trustworthy. Cosmos covers application installation through its own app store or manual Docker Compose imports, storage and networking management, scheduled tasks, backups via Restic, and real-time monitoring.
Key Decision Points:
Security model requires no trusted backends: Cosmos deploys SmartShield technology that dynamically rate-limits, throttles, and bans users automatically, operating on the assumption that hosted applications may contain vulnerabilities.
Supports applications installed outside its app store: Users can import existing docker-compose files or use the Docker CLI, and all applications still benefit from the built-in reverse proxy, HTTPS, and authentication layers.
Includes VPN access without port forwarding: A built-in VPN lets users access applications remotely without opening ports on their router, with mesh networking and CGNAT bypass capabilities.
Multi-user identity provider: An integrated authentication server supports multiple strategies (OpenID, forward headers, HTML), and allows inviting family members to applications without sharing raw credentials.
Programmatic management via SDK and Terraform: A JavaScript/TypeScript SDK, a Go SDK, and a Terraform provider are available for users who want to automate setup and management.
Core Features:
SmartShield API protection: Dynamic rate limiting, adaptive throttling, automatic strikes and bans, global request queuing, and per-user consumption metrics applied at the reverse proxy layer.
Reverse proxy with automatic HTTPS: Targets containers, servers, or static folders with Let's Encrypt certificate generation and renewal, including wildcard certificate support via DNS challenge.
Authentication server with MFA: Provides multi-factor authentication alongside OpenID Connect, forward header, and HTML-based authentication strategies for all proxied applications.
Integrated app store and container manager: Installs applications through curated installers with automatic security checks and updates, while also supporting manual docker-compose and Docker CLI workflows.
Storage management with parity and network shares: Handles local disks with Parity Disks and MergerFS, and manages remote or locally shared network storage via RClone (including NFS, FTP, and cloud services like Dropbox).
VPN with mesh and CGNAT bypass: Creates secure remote access tunnels without exposing router ports, differentiated from WireGuard-only solutions by its mesh and NAT traversal support.
Use Cases:
Home server operators securing media or automation services: Users running applications like Plex or Home Assistant can place Cosmos in front of them to apply authentication, HTTPS, and anti-bot protection without modifying the applications themselves.
Users with mixed application setups: Self-hosters who combine apps from Cosmos's app store with manually deployed containers can manage all of them through a single reverse proxy and security layer.
Developers integrating authentication into self-hosted apps: Self-hosted application developers can offload authentication, user management, and HTTP-layer protection to Cosmos through its provided integration path.
Open-Source Alternative Value:
Cosmos's open-source distribution provides a self-contained platform that combines reverse proxying, identity management, VPN, and application-level security protections that are often distributed across separate tools or locked behind paid tiers in enterprise offerings. The project explicitly positions itself against Cloudflare's tunnel and proxy model by keeping traffic decryption on the user's own infrastructure, meaning no third party reads unencrypted traffic. Its licensing under Apache 2.0 with a Commons Clause allows free use, modification, and redistribution while restricting commercial resale of the platform itself, and users can migrate out at any time since it relies on vanilla Docker containers.



