Secure by Default

NewTon DC Tournament Manager v5.0.1-beta.7 — March 29, 2026

Overview

NewTon DC Tournament Manager v5.0.1-beta.7 adds SSL/HTTPS and mDNS support to the Docker image. Camera features (QR scanning via BarcodeDetector/getUserMedia) require a secure context — HTTPS or localhost. This beta makes it straightforward to run NewTon over HTTPS on a local network without an external reverse proxy.

All changes are in the Docker layer. The application itself is unchanged.

SSL Support

Two supported paths:

No certificate — set SSL_ENABLED=true, a self-signed certificate is generated automatically on first start (30-year expiry, persisted in a named volume). Accepts a one-time browser security exception.
Real certificate — run a reverse proxy (NPM, Caddy, etc.) in front and let it handle SSL termination. The container stays HTTP-only behind it.

When SSL is active, port 2020 redirects to HTTPS (default port 443, configurable via HTTPS_PORT).

The auto-generated certificate includes a Subject Alternative Name covering <hostname>.local, localhost, and 127.0.0.1, so browsers accept it when accessed via the mDNS name without a hostname mismatch warning.

mDNS — newton.local

The container now broadcasts itself on the local network via Avahi (mDNS/Zeroconf). Devices on the same LAN can reach it at newton.local (or a custom hostname) without any DNS configuration.

The hostname is configurable via MDNS_HOSTNAME (default: newton).

network_mode: host is required for mDNS multicast to reach the LAN. This only works on Linux hosts — Docker Desktop for Mac and Windows runs containers in a VM and does not support host networking on the physical LAN. SSL with port mapping works on all platforms.

Docker Compose Files

Two compose files are provided for SSL deployments alongside the existing HTTP-only default:

docker/docker-compose.yml — HTTP only, all platforms (unchanged default)
docker/docker-compose-ssl.yml — SSL with port mapping, all platforms including Mac and Windows
docker/docker-compose-ssl-mdns.yml — SSL + mDNS via network_mode: host, Linux only

New Environment Variables

Variable	Default	Description
`SSL_ENABLED`	`false`	Set to `true` to auto-generate a self-signed certificate
`HTTPS_PORT`	`443`	HTTPS listening port
`MDNS_HOSTNAME`	`newton`	mDNS hostname → `<value>.local`

Bug Fixes (Found During Beta Testing)

envsubst not found — gettext package was missing from the Dockerfile. Added to the apk add line.
SSL session cache conflict — nginx template files were placed in /etc/nginx/http.d/ and auto-loaded alongside the generated default.conf, causing a duplicate zone declaration. Templates moved to /etc/nginx/.
ssl_session_cache conflict with Alpine nginx — Alpine’s base nginx.conf already declares ssl_session_cache shared:SSL:2m at the http level. Our server block declared it again at a different size. Removed from nginx-ssl.conf.

Files Changed

docker/Dockerfile — installs openssl, avahi, avahi-tools, dbus, gettext; copies nginx templates to /etc/nginx/; copies and chmod +x entrypoint.sh; exposes port 443; switches CMD → ENTRYPOINT
docker/entrypoint.sh — new: dbus + Avahi mDNS startup; SSL cert logic; nginx config selection via envsubst; starts php-fpm and nginx
docker/nginx-http.conf — new: HTTP-only config
docker/nginx-ssl.conf — new: HTTPS config with ${HTTPS_PORT} placeholder; HTTP→HTTPS redirect on 2020; HSTS; all existing location blocks and CSP headers preserved
docker/docker-compose.yml — updated: network_mode: host, removed ports, added newton-ssl named volume, documented new env vars
docker/docker-compose-ssl.yml — new: SSL with port mapping, all platforms
docker/docker-compose-ssl-mdns.yml — new: SSL + mDNS, Linux only

NewTon DC Tournament Manager v5.0.1-beta.7 — Secure by Default.

Download v5.0.1-beta.7

Previous Releases

Latest release
v5.0.1-beta.7 — March 29, 2026 — Secure by Default.
v5.0.1-beta.6 — March 28, 2026 — The Record Books Open.
v5.0.1-beta.5 — March 28, 2026 — The Loop Closes.
v5.0.1-beta.4 — March 28, 2026 — Stats Don't Lie.
v5.0.1-beta.3 — March 27, 2026 — The Eyes Have It.
v5.0.1-beta.2 — March 27, 2026 — Nobody Leaves the Oche.
v5.0.1-beta.1 — March 26, 2026 — The Round-Trip Begins.
v5.0.0 — March 24, 2026 — The Revolution Will Be Scanned.
v5.0.0-beta.2 — March 24, 2026 — The Chalker Has Eyes Now.
v5.0.0-beta.1 — March 22, 2026 — Your Boarding Pass for the Oche.
v4.2.13 — March 20, 2026 — A+ Security Headers. Yes, Really.
v4.2.12 — March 19, 2026 — Dedicated domain: newtondarts.com.
v4.2.11 — March 18, 2026 — Shame has never looked better.
v4.2.10 — March 17, 2026 — Doc pages, user guide, and sitemap improvements.
v4.2.9 — March 15, 2026 — Landing page polish.
v4.2.8 — March 13, 2026 — Late Registration.
v4.2.7 — March 13, 2026 — Sitemap, font loading fix, and Get Started section.
v4.2.6 — March 12, 2026 — Undo system bug fix, Late Registration eligibility checker, and robots.txt.
v4.2.5 — March 11, 2026 — Landing page improvements and a Bracket Editor placeholder in the Developer Console.
v4.2.4 — March 10, 2026 — Proper Single Elimination match length configuration and colour-coded Chalker leg averages.
v4.2.3 — March 10, 2026 — Landing page redesign with retro comic theme by Nano Banana.
v4.2.2 — March 9, 2026 — Landing page fix, cleaner card layout.
v4.2.1 — March 8, 2026 — Cleaner cards, clearer brackets, better discoverability.
v4.2.0 — March 3, 2026 — Single Elimination: one shot, no second chances.

For older releases, see the GitHub releases page.