Domino NRPC Proxy – A Modern Proxy Platform for Domino
Daniel Nashed – 5 July 2026 10:13:09
The Domino NRPC Proxy project started with a simple but ambitious goal: provide a modern, production-ready proxy for Domino NRPC connections that integrates naturally with Docker and Kubernetes.
While traditional TCP proxies can forward NRPC traffic, they have no understanding of the Domino protocol itself.
At the heart of the project is a custom NGINX Stream module that understands the initial Domino NRPC handshake and enables intelligent routing based on the requested Domino server.
Since then, the project has grown well beyond its original scope.
Today it provides a complete proxy platform for Domino, combining NRPC routing, HTTPS reverse proxy support, generic stream proxying.
Key Features
- Custom NGINX Stream module for Domino NRPC
- Intelligent NRPC routing based on the requested Domino server
- HTTPS reverse proxy support
- Generic TCP stream proxy support
- Optional ACME certificate management using LEGO
- Dynamic configuration generation from templates
- Zero-downtime configuration updates
- Automatic certificate reload
- Native Docker and Kubernetes support
- Docker Secrets and Kubernetes Secrets integration
- Environment variable driven configuration
- Own Prometheus metrics endpoint including details about configuration status
Intelligent NRPC Routing
The Domino NRPC Proxy is much more than a TCP forwarder.
The project includes a custom NGINX Stream module developed specifically for Domino NRPC. The module understands the initial NRPC protocol exchange and extracts the Domino server name requested by the Notes client.
This information is then used to make an intelligent routing decision before forwarding the connection to the appropriate back-end Domino server.
The entire process is completely transparent to the client and requires no changes to existing Notes or Domino installations.
This makes it possible to:
- Publish a single NRPC endpoint for multiple Domino servers.
- Route Notes clients automatically to the requested server.
- Hide backend Domino servers inside private Docker or Kubernetes networks.
- Dynamically route connections as infrastructure changes.
- Simplify load balancer configurations.
- Scale from a single Domino server to large Domino deployments.
This capability is particularly valuable in Kubernetes environments, where Domino servers are represented by services and pods whose network topology may change over time.
HTTPS Reverse Proxy
Although NRPC remains the primary focus of the project, most Domino environments also expose HTTP and HTTPS services.
The Domino NRPC Proxy now includes a fully integrated HTTPS reverse proxy based on NGINX.
Features include:
- HTTPS reverse proxy
- HTTP to HTTPS redirection
- Multiple virtual hosts
- Configurable upstream servers
- Dynamic configuration generation
Running both NRPC and HTTPS within the same proxy simplifies deployments while providing a consistent operational model.
Generic Stream Proxy Support
The custom NRPC module is one part of the project.
The surrounding infrastructure has been designed to support generic TCP stream proxying as well.
This allows the same container to proxy additional TCP services using the same configuration framework, making the project useful beyond Domino-specific scenarios.
Designed for Docker and Kubernetes
The project was designed from day one with containers in mind.
Whether you're deploying a single Domino server with Docker Compose or operating a large Kubernetes cluster, the same container image can be used without modification.
Configuration is generated automatically during startup, allowing deployments to be driven entirely by environment variables and secrets.
The result is a container that fits naturally into Infrastructure-as-Code workflows and automated deployments.
Dynamic Configuration Templating
Maintaining multiple static NGINX configuration files quickly becomes difficult as deployments grow.
Instead, the Domino NRPC Proxy gene7rates its configuration dynamically from templates.
The templating system supports:
- HTTP configuration
- Stream configuration
- Environment variable substitution
- Optional feature enablement
- User supplied templates
- Deployment specific customization
This approach keeps the container image generic while allowing extensive customization without rebuilding images.
Zero-Downtime Configuration Updates
Container environments are dynamic by nature.
Services may be added, removed or updated while the proxy continues running.
Whenever configuration changes are detected, the proxy automatically:
- Generates the new configuration
- Validates it using nginx -t
- Atomically replaces the active configuration
- Reloads NGINX without interrupting existing client sessions
Automatic Certificate Management
The latest versions add optional integrated ACME support using the excellent LEGO client.
The proxy can automatically request and renew certificates from Let's Encrypt or any RFC 8555 compatible ACME provider.
Supported features include:
- Let's Encrypt Production and Staging
- Alternative ACME providers
- HTTP-01 challenge support
- Automatic renewals
- Environment variable based configuration
- Automatic NGINX reload after successful renewal
- Support LEGO environment configuration
The implementation also handles the initial bootstrap process, allowing completely unattended deployments.
Automatic Certificate Reload
Certificates may also be provided by external certificate management solutions.
The Domino NRPC Proxy automatically detects updated certificates and reloads NGINX without requiring container restarts.
This enables continuous certificate management without downtime or maintenance windows.
Secret Integration
Security is an important design goal.
Sensitive configuration data should never be embedded in container images.
The Domino NRPC Proxy provides native support for:
- Docker Secrets
- Kubernetes Secrets
Certificates, private keys, bearer tokens, API credentials and other sensitive configuration can be securely mounted while remaining fully compatible with the templating framework.
Built Around Automation
One of the guiding principles throughout the project has been automation.
A modern infrastructure component should require as little manual configuration as possible.
The Domino NRPC Proxy therefore focuses on:
- Convention over configuration
- Environment variable driven deployments
- Dynamic configuration generation
- Automated certificate management
- Automatic configuration validation
- Zero-downtime updates
Part of the Domino Infrastructure Ecosystem
The Domino NRPC Proxy has become one of the core building blocks of a larger Domino infrastructure ecosystem.
It integrates naturally with projects such as:
- Domino Fleet Manager
- Cube Control
- CertMgr
- Domino monitoring components
Open Source
The Domino NRPC Proxy is available as an open source project on GitHub:
https://github.com/nashcom/domino-nrpc-proxy
The project has evolved considerably since its first release and continues to grow with new features and deployment options.
If you're running Domino in Docker, Kubernetes, or simply looking for a modern proxy platform for Domino services, I hope you'll find it useful.
Comments Disabled