Octelium enables you to easily deploy, scale and provide zero trust client-based/client-less BeyondCorp (read more here) secure access as well as public anonymous access (read more here) to your containerized/dockerized Next.js/Vite.js/Astro web applications. The images can be hosted by public container registries or even by private registries that require authentication (read more about managed containers here), which effectively makes Octelium operate as a PaaS-like deployment platform. In this guide, we're going to assume that your web app is built as a Docker image that is served by a private container registry (e.g. ghcr.io). The steps are as follows:
We first need to obtain the username and password/token needed to authenticate to the private container registry. For example, for the GitHub container registry (i.e. ghcr.io), you can read more here.
Now we store the obtained token as a Secret as follows:
octeliumctl create secret reg-password
Now we create the Service for our web application as follows:
kind: Service
metadata:
  name: dashboard
spec:
  mode: WEB
  isPublic: true
  config:
    upstream:
      container:
        port: 3000
        image: ghcr.io/<ORG>/<IMAGE>:<TAG>
        command:
          - npm
        args:
          - run
          - start
        replicas: 3
        credentials:
          usernamePassword:
            username: <USERNAME>
            password:
              fromSecret: reg-password
        resourceLimit:
          cpu:
            millicores: 2000
          memory:
            megabytes: 4000
        env:
          - name: KEY1
            value: VALUE1
          - name: KEY2
            value: VALUE2
        securityContext:
          runAsUser: 1000
You can now apply the Service as follows (read more here):
octeliumctl apply /PATH/TO/SERVICE.YAML
Now you can access the Service publicly via client-less/BeyondCorp access using your browser at the address https://dashboard.<DOMAIN>. You can read more about publicly exposed BeyondCorp Services here.
And to provide public anonymous access, you only need to enable the isAnonymous field as follows:
kind: Service
metadata:
  name: dashboard
spec:
  mode: WEB
  isPublic: true
  isAnonymous: true
  config:
    # The rest of your config
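A pre-apply review of the security-relevant fields used in the two manifests above, as an added example (not Octelium's own code or tooling). It assumes the YAML has already been parsed into a dict; `review_service`, the anonymous allowlist and the sample values are hypothetical.

```python
import copy

def review_service(manifest, anonymous_allowlist=()):
    """Return findings for a parsed Service manifest (hypothetical helper)."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec", {})
    container = spec.get("config", {}).get("upstream", {}).get("container", {})
    # isAnonymous opens the Service to anonymous users: require explicit sign-off.
    if spec.get("isAnonymous") and name not in anonymous_allowlist:
        findings.append("isAnonymous enabled for a Service not on the allowlist")
    # The registry password must be a reference to a Secret, as in the guide.
    creds = container.get("credentials", {}).get("usernamePassword")
    if creds is not None:
        password = creds.get("password")
        if not (isinstance(password, dict) and password.get("fromSecret")):
            findings.append("registry password is not a fromSecret reference")
    # The container should run as an explicit non-root UID.
    uid = container.get("securityContext", {}).get("runAsUser")
    if uid is None or uid == 0:
        findings.append("securityContext.runAsUser missing or 0 (root)")
    # Both CPU and memory limits should be bounded.
    limits = container.get("resourceLimit", {})
    if not (limits.get("cpu", {}).get("millicores")
            and limits.get("memory", {}).get("megabytes")):
        findings.append("resourceLimit lacks a cpu or memory bound")
    # The image should carry a specific tag or digest, not none or "latest".
    image = container.get("image", "")
    if image.rsplit("/", 1)[-1].partition(":")[2] in ("", "latest"):
        findings.append("image is not pinned to a specific tag")
    return findings

# Constructed sample manifests (org, image tag and username are made up).
GOOD = {"kind": "Service", "metadata": {"name": "dashboard"}, "spec": {
    "mode": "WEB", "isPublic": True, "config": {"upstream": {"container": {
        "port": 3000, "image": "ghcr.io/example-org/dashboard:1.4.2",
        "credentials": {"usernamePassword": {
            "username": "ci-bot", "password": {"fromSecret": "reg-password"}}},
        "resourceLimit": {"cpu": {"millicores": 2000},
                          "memory": {"megabytes": 4000}},
        "securityContext": {"runAsUser": 1000}}}}}}
RISKY = copy.deepcopy(GOOD)
RISKY["spec"]["isAnonymous"] = True
_c = RISKY["spec"]["config"]["upstream"]["container"]
_c["image"] = "ghcr.io/example-org/dashboard"   # no tag
del _c["securityContext"]                        # UID not set
if __name__ == "__main__":
    for label, m in (("GOOD", GOOD), ("RISKY", RISKY)):
        print(label, review_service(m) or "no findings")
```

Run it in CI before `octeliumctl apply` so that a manifest enabling anonymous access needs an explicit allowlist entry to pass.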
This was a very short guide to show you how to use Octelium to deploy, scale, route and provide secure access as well as anonymous public access to any webapp containers. Here are a few more related features that you might be interested in:
- Routing not just by request paths, but also by header keys and values, request body content including JSON (read more here).
- Request/response header manipulation (read more here).
- Cross-Origin Resource Sharing (CORS) (read more here).
- gRPC mode (read more here).
- Secret-less access to upstreams and injecting bearer, basic, or custom authentication header credentials (read more here).
- Application layer-aware ABAC access control via policy-as-code using CEL and Open Policy Agent (read more here).