Hi everybody.

How should I set up a reverse proxy for my services? I've got things like Jellyfin, Immich and Bitwarden running on my Debian server in Docker. So should I install something like nginx for each of these, also in Docker? Or should I install it from the repository and make configs for each of these Docker services?

Btw, I have no idea how to use something like nginx or Caddy, but I would still like to learn.

Also, can you use nginx for multiple services on the same port (like 443)?
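To answer the last question concretely, here is an added example (not code from any post in this thread) of the Caddy-in-Docker layout several replies recommend: one Caddy container owns port 443 and selects the backend from the requested hostname, while the backends sit on a shared Docker network with no published ports of their own. The example.com hostnames, the upstream container ports, Vaultwarden as the Bitwarden-compatible server, and the Docker Compose version needed for inline config content are assumptions.

```yaml
# Added example, not from any post in this thread. One Caddy container owns
# ports 80/443 and routes to each backend by hostname (TLS SNI plus the Host
# header select the site block), so several services share port 443.
# Assumptions, substitute your own: the example.com hostnames, the upstream
# container ports, and Docker Compose >= 2.23.1 for inline `configs` content.
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"        # HTTP->HTTPS redirect and the ACME HTTP-01 challenge
      - "443:443"
      - "443:443/udp"  # HTTP/3
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data       # issued certificates and ACME account keys
      - caddy_config:/config
    networks: [proxy]

  # Backends join the same network and publish no ports of their own, so they
  # are reachable only through Caddy (data volumes omitted for brevity).
  # Immich's multi-container stack stays in its own compose file; attach its
  # immich-server service to this `proxy` network there.
  jellyfin:
    image: jellyfin/jellyfin
    restart: unless-stopped
    networks: [proxy]

  vaultwarden:
    image: vaultwarden/server
    restart: unless-stopped
    networks: [proxy]

configs:
  caddyfile:
    content: |
      # Caddy matches the requested host to a site block, obtains and renews
      # a Let's Encrypt certificate per name, and redirects HTTP to HTTPS.
      # Upstream addresses are host:port only, no path.
      jellyfin.example.com {
          reverse_proxy jellyfin:8096
      }
      immich.example.com {
          reverse_proxy immich-server:2283
      }
      vault.example.com {
          reverse_proxy vaultwarden:80
      }

networks:
  proxy:
    name: proxy   # fixed name so other compose files can join it as external

volumes:
  caddy_data:
  caddy_config:
```

Only the Caddy container is reachable from the LAN or the internet; a backend that is not listed in the Caddyfile is simply unreachable from outside, which is the main security gain of this layout over publishing each container's port.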

  • Zwrt@lemmy.sdf.org
    2 days ago

    I know this is beyond the scope of your question, but you are in a very similar place to where I was over a year ago.

    For the reverse proxy you want Nginx Proxy Manager, and it will handle all of your reverse proxies just fine.

    But what I really want to recommend is to change that Debian into Proxmox.

    Proxmox is an efficient Debian-based server OS. Basically every service you run now can easily be run as its own isolated container with very little overhead.

    Best of all, there is a community Helper Scripts project that will install entire services, including Nginx and even Nextcloud, from a single command.

    https://community-scripts.github.io/ProxmoxVE/scripts?id=nginxproxymanager

    • Octavusss@lemm.eeOP
      2 days ago

      Thx, I appreciate the input. I already have a lot of things set up on the server, and switching now would be painful and time consuming. I also use Docker in conjunction with KVM/QEMU, and had I known about Proxmox a month ago I would not have constructed it as such, but alas. I will, however, in the future get other hardware which I will use as a home server, and I will definitely give Proxmox a shot.

      Unrelated, but Alpine Linux is based af!

    • WhyJiffie@sh.itjust.works
      3 days ago

      Tailscale is not the same as nginx or any reverse proxy, though. I don't expose anything publicly, but I still wouldn't stop using a reverse proxy.

  • ippocratis@lemmy.ml
    3 days ago

    While using a web server in front of your self-hosted microservices is the obvious answer, and Caddy the easier one to configure, as a beginner you should also consider Tailscale Funnels. You don't need to mess with router stuff like port forwarding, or care whether your ISP has your router behind a CGNAT, which is kind of the norm nowadays; you also don't have to care about domain names or dynamic DNS stuff. You could have a look at my quick how-to. All you need is to run a script, the ports and desired names of your subdomains, and your Tailscale auth key. https://ippocratis.github.io/tailscale/

    • Octavusss@lemm.eeOP
      3 days ago

      Well, I already got a static IP from my ISP and configured WireGuard directly on my router, so I think I'm good.

      • ippocratis@lemmy.ml
        3 days ago

        The funnel exposes your local services to the public over HTTPS, like what you want to accomplish with a reverse proxy. It's just more straightforward for a beginner.

        Personally, I closed my router ports and switched to Tailscale Funnels after using Caddy with mutual TLS for years.

        • WhyJiffie@sh.itjust.works
          3 days ago

          The funnel exposes your local services to the public over HTTPS, like what you want to accomplish with a reverse proxy.

          They did not say they want it public, and that's an additional security burden they may not need.

          • ippocratis@lemmy.ml
            2 days ago

            He didn't, but that's what he meant.

            I mean, 99% of users use a reverse proxy for HTTPS public access.

            Also read the thread replies…

            That’s what this thread is about

            No?

            • WhyJiffie@sh.itjust.works
              2 days ago

              If that's true, I assume it is because they don't know about the security consequences, nor about more secure ways. And for 99% that is the worst solution, because they won't tighten security with a read-only filesystem, DMZ and whatnot; worse, they won't be patching their systems on schedule, but maybe in a year.

              99% of users should not expose any public services other than WireGuard or something based on it. On a VPS the risk may be lower, but on a home network, hell no!

              • ippocratis@lemmy.ml
                2 days ago

                Ok, I'm not a networking expert, but I think you are overestimating the risk here.

                Opening a port doesn't mean you are opening your whole home network, just the specific services you want. And those not directly, but with a web server in front of them. The web servers talked about in this thread that sit in front of open ports are well audited. I think that measures like mTLS and generic web server hardening are more than OK to not ever be compromised.

                But yeah, I'm surely interested to listen if you could elaborate.

                Thanks

        • CapitalNumbers@lemm.ee
          3 days ago

          Maybe a silly question, but does a Tailscale tunnel operate in a similar fashion to a Cloudflare tunnel? As in, you can remotely access your internal service over HTTPS?

    • WhyJiffie@sh.itjust.works
      3 days ago

      My last experience with it was half-empty documentation, and a config structure that signaled to me that they dropped a lot of features for the v2 release that they initially wanted to have, which has additionally made understanding their config structure harder. And that hasn't improved for years.

  • ohshit604@sh.itjust.works
    4 days ago

    Reverse proxying was tricky for me. I started with Nginx Proxy Manager and it started out fine; I was able to reverse proxy my services in the staging phase. However, once I tried to get production SSL/TLS certificates it kept running into errors (this was a while ago, I can't remember exactly), so that pushed me to SWAG, and SWAG worked great! Reverse proxying was straightforward and SSL/TLS certificates worked well; however, overall it felt slow, so now I'm using Traefik and so far have no complaints.

    It’s honestly whatever works for you and what you prefer having.

  • Agosagror@lemmy.dbzer0.com
    4 days ago

    Since you're a beginner, you'll find Nginx Proxy Manager easiest. It has a nice UI, and at this stage you are probably less interested in the 10/10 fastest, most lightweight setup and more interested in getting stuff working.

  • irmadlad@lemmy.world
    4 days ago

    I recommend Caddy. It's very easy to deploy, and configuring it is a snap. This tutorial helped me out a bunch. There is a Docker version of Caddy, though I have never used it. I figured Caddy would do better installed on bare metal. I use Caddy in conjunction with Duckdns.org. Caddy also takes care of renewing your certs when it's time.

  • monogram@feddit.nl
    4 days ago

    Caddy.

    It's three lines of configuration:

    jellyfin.example.com {
      reverse_proxy http://localhost:8083  # upstream must be scheme://host:port only; Caddy rejects a trailing path
    }

    Automatic HTTPS with Let's Encrypt, the simplicity of a single binary, and a downgrade is as simple as replacing the binary and restarting the service.

      • WhyJiffie@sh.itjust.works
        3 days ago

        If you don't want to rent a domain but you run a local DNS server (Pi-hole, Technitium) for filtering or other reasons, you can register your own domain names in there, for free. But don't use common TLDs, to avoid conflicts, and leave ".local" alone too, because that's used by mDNS/Avahi. You may use .home, .lan, or a few others I don't know without looking them up.

      • HelloRoot@lemy.lol
        4 days ago

        1. You rent a domain.

        2. In the config (provided by the service where you rented the domain) you set it to point to the IP of the device where you run Caddy.

        3. The service tells the relevant global DNS servers your setting.

        4. Your DNS does a DNS lookup, and a DNS server returns the IP you configured it to point to.

        Depending on the DNS you use, you can manually add entries to do 1-3 differently, but that will only work for devices that use your DNS, and is hard.

        • beeng@discuss.tchncs.de
          4 days ago

          Is this a local address or a public IP address?

          I just want the resolving to be internal to my network, but I never got it working right.

          • Scrath@lemmy.dbzer0.com
            4 days ago

            I'm not the guy you replied to, but personally I use a setup called split-horizon DNS.

            1. I have a DNS server running on a Raspberry Pi which I have set up as the DNS server for all devices in my local network (by setting it in the router).
            2. This DNS server has my domain name as an A record pointing to my reverse proxy (Nginx Proxy Manager), e.g. example.com would resolve to 192.168.0.100.
            3. Any subdomain I want to use is set up as a CNAME record in my DNS server referring to the previously configured A record with my domain (jellyfin.example.com => example.com).
            4. Now all requests to the registered domain and subdomains are routed to my reverse proxy, which I configured to forward them to the correct service depending on the given subdomain.

            This is a little bit of a simplification. I also use a Cloudflare tunnel to allow access to select subdomains, and I have 2 reverse proxies chained together, since NPM can resolve services by their container name as long as they are in the same Docker network.

            Also probably important: my DNS server was a Pi-hole (until today at least) and did not act as my DHCP server. This meant it had no idea of local device hostnames and therefore was configured to forward queries for local device names to my router's built-in DNS server.

            The domain I use for my services is one I rent from a registrar so that I can get valid SSL certificates without self-signing them. If you are fine with self-signed certificates or simple HTTP you probably don't need to do that.

            • DevotedOtter@lemm.ee
              4 days ago

              I’m looking to do something like this. I’m uneasy about having the registered domain pointing towards my IP address (partially because I’m unsure of the exact risks and partially because I’d rather do it internally if possible).

              You said you were using Pi-hole. What did you change to, and why did you change? Pi-hole seems the most recommended from what I've seen?

              • Scrath@lemmy.dbzer0.com
                3 days ago

                You are lucky I haven't deleted my Pi-hole VM yet ;D

                In the Pi-Hole DNS settings I have the following configuration:

                • Upstream DNS Servers => Quad9 (filtered, DNSSEC), both checkboxes for IPv4 checked
                • Under Custom DNS servers I added a line with my router's IP
                • Under Interface settings => Permit all origins. Note the warning written regarding this setting and check whether it applies to your setup!
                • Under Advanced DNS settings I have enabled "Never forward non-FQDN A and AAAA queries" and "Never forward reverse lookups for private IP ranges". Since, according to the warning, this would block local hostname resolution, note the next setting.
                • Under conditional forwarding I have added this line: true,192.168.1.0/24,192.168.1.1,fritz.box. fritz.box was my local DHCP domain name but has since been changed to lan.

                The other settings in Pi-hole were under the Local DNS Records menu, where I added my domain name (let's call it example.com) to the list of local DNS records and pointed it at the IP of the server running my reverse proxy. Finally, I added each subdomain I wanted to use to the list of local CNAME records and pointed it at the domain I had just entered in the other list.

                I can't perfectly tell you what my router settings were, unfortunately, since I have recently moved and replaced my FRITZ!Box with a MikroTik router. The main thing you have to do, though, is to go to the DHCP server settings of your router and set the Pi-hole's IP address as the DNS server. Note that if the Pi-hole is offline for any reason, you will be unable to resolve any domains while on this network.

                It might be possible to do some sort of failover setup by running a second Pi-hole with identical settings, but I did not want my network connectivity depending on any device other than my router being on. Hence my move back to using my MikroTik's built-in DNS server, which fortunately also supports adding lists for DNS ad blocking.

                • DevotedOtter@lemm.ee
                  3 days ago

                  Awesome, thanks for the reply. I can understand not wanting to be stuck without DNS if your Pi-hole goes down.

                  I'm hoping to use just Pi-hole for internal-only resolution, so some sort of split DNS, but it may be outside of my capabilities at the moment.

                • Eldaroth@lemmy.world
                  3 days ago

                  If your router allows it, you can set your gateway IP from the router (i.e. 192.168.1.1) as the second DNS address in the DHCP settings. Your router's DNS settings would then act as failover in case your Pi-hole is down. That's at least how I have done it on my ISP router.

          • themadcodger@kbin.earth
            4 days ago

            I’ve got the external IP addresses down pat. I’m with you in that I’ve never quite figured out how to do the same with local IP addresses.

  • iAmTheTot@sh.itjust.works
    4 days ago

    Nginx Proxy Manager was easy to learn as a beginner. I’d recommend it as a learning tool, if nothing else, and if you want to switch to other solutions later you can.

  • 👍Maximum Derek👍@discuss.tchncs.de
    4 days ago

    I use Nginx Proxy Manager running as a Docker container. It's a GUI that makes administration more straightforward. It points at all my services (Docker and otherwise) and handles the SSL for me. Because I don't want to have any ports open, I use DNS-challenge ACME, and NPM has built-in support for a number of APIs from large public DNS providers to automate that.

    • CapitalNumbers@lemm.ee
      3 days ago

      I have Nginx Proxy Manager set up as well, but haven't worked out the SSL part yet, so all my internal Docker services are still on HTTP.

      Out of interest, how did you set up HTTPS with NPM?

      • 👍Maximum Derek👍@discuss.tchncs.de
        3 days ago

        First, set up your certificate in the SSL tab of NPM. You can either upload a traditional certificate or set up Let's Encrypt. Be aware that starting next spring the maximum length of a certificate will drop to 9 months and continue to decrease over the next few years until it's 47 days.

        I have mine set up so Let's Encrypt gets a wildcard cert for my domain (via DNS challenge). Some people go with per-subdomain certs.

        Once you have the cert, go to each of your hosts and switch to its SSL tab. Then select your cert. Then I usually turn on "Force SSL".

        • CapitalNumbers@lemm.ee
          2 days ago

          Does a wildcard cert essentially mean I have to use one cert which will cover all my subdomains as well as the primary domain?

  • Zozano@aussie.zone
    4 days ago

    IMO, look into the linuxserver.io fork of NGINX, called SWAG.

    It comes preloaded with a bunch of fantastic addons for security.

    Quite easy to get set up, if you've got an idea about how it works.

  • rasterweb@fedia.io
    4 days ago

    I was new to doing reverse proxy stuff but Nginx Proxy Manager made it really easy. A bit of doc reading, I probably watched a video or two, and it all made sense. Great clean UI and easy to install. (I run it on a Raspberry Pi.)

  • y8h8do3a2vg5@lemmy.world
    4 days ago

    This may be a controversial approach, but I recently had to set up a reverse proxy along with DNS configuration and certificate handling. I pair-programmed with an LLM.

    My experience was this… I described what I wanted to set up and my objectives (like containerisation, zero-touch deployment, idempotence, etc.) and it gave me a starting point. It threw a few bad ideas in, but I also asked it to help me stress test against the objectives. I think it's all just about working now. I learned a lot about shell, Docker, nginx, Terraform, VM metadata, data persistence, pulling it all in from a git repo, bootstrapping nginx with self-signed certificates, auto renewal, VS Code devcontainers and more. Honestly, I'm worried about what a pro would make of my code, but I made huge steps in a relatively short time. Disclaimer: I am a software engineer who was keen to learn this stuff and get moving quickly.

    I would definitely consider this approach if you’re new to the area.