Which reverse proxy do you use/recommend?
I have been self-hosting for a while now with Traefik. It works, but I'd like to give Nginx Proxy Manager a try, it seems easier to manage stuff not in docker.
Edit: btw I'm going to try this out on my RPI, not my hetzner vps, so no risk of breaking anything
Caddy all the way!
Seconding Caddy. I've been using it for a couple of years now in an LXC and it's been very easy to setup, edit and run.
Caddy is really simple and easy. Just werks and gives you https
I mean, the basic config file for Caddy is 1 line, and gives you Let's Encrypt by default. The entire config file for a reverse proxy can be as few as 3 lines:
my.servername.net {
reverse_proxy 127.0.0.1:1234
}
It's a single executable, and a single 3-line file. Caddy is an incredible piece of software.
Ive got a basic workflow for nginx proxy manager now so this isnt super useful but good god that's exactly what i wish nginx was.
When I was researching reverse proxies I first stumbled upon nginx and traefik and especially nginx seemed a bit intimidating. As someone who hadn't done it before I was worried if I'd do it right. Then I found caddy and yeah just used a threeliner like that in config and that was that. Simple and easy to get it right.
I've since switched to having my stuff behind wireguard instead of reverse proxy, but I keep caddy around so I can just spin it back up if I want to access Jellyfin on someone's tv or something.
Honest noob question. I currently connect to my self hosted server using Twingate. How would this be different? can you give me an Eli5 what a reverse proxy manager would make my setup better?
I highly recommend npm. It's also the only one I've used, so please keep that in mind.
Nginx from day one. Well documented, it works. If something doesn’t work chances are you are a quick googlefu away from the solution.
I really like Zoraxy. Similar to NPM but it's its own thing and I like it a lot more
I know how to use raw nginx/Caddy/traefik to do it, but I find the WebUI and all the extra features Zoraxy has to be very convenient and easy to use.
Traefik is a PITA.
Caddy all the way. If you build it with Docker support (or grab the prebuilt), you can use docker container names to reverse proxy using names instead of any IP addresses or ports. It's nice because if the IP updates, so does caddy. All automatically.
Here's what my caddyfile looks like;
caddy
{
acme_dns cloudflare {key}
}
domain.dev {
encode zstd gzip
root * /var/www/html/domain.dev/
php_fastcgi unix//run/php/php8.1-fpm.sock
tls {
dns cloudflare {key}
}
}
*.domain.dev {
encode zstd gzip
tls {
dns cloudflare {key}
}
@docker host docker.domain.dev
handle @docker {
encode zstd gzip
reverse_proxy {portainer}
}
@test host test.domain.dev
handle @test {
encode zstd gzip
reverse_proxy 127.0.0.1:10000
}
@images host i.domain.dev
handle @images {
encode zstd gzip
reverse_proxy 127.0.0.1:9002
}
@proxy host proxy.domain.dev
handle @proxy {
encode zstd gzip
reverse_proxy proxy
}
@portal host portal.domain.dev
handle @portal {
encode zstd gzip
reverse_proxy portal
}
@ping host ping.domain.dev
handle @ping {
encode zstd gzip
respond "pong!"
}
}
DNS hosted by cloudflare but because caddy handles ACME certs, all the subdomains automatically get SSL.
Actually I found traefik rather easy, I just had to make the proper docker labels and config.
PITA
Unrelated, I'm going to sound like a grammar nazi here, but holy shit there are so many acronmys, how am I supposed to know every one of them without googling? Please just say "traefik is a pain in the ass". Also please don't take this as a snarky reply.
PITA = pain in the ass.
I never said it was hard. Just a real pain in the ass. Like iptables vs UFW. They're the same thing, but one is easy and a pain in the ass and the other is just easy... So I opt to make my life easier. lol
In my experience, all the 3 big ones work just fine. Caddy, Traefik, Nginx. I use Nginx.
I have had the same experience. Have used all three at some point but mostly use nginx for new servers
Caddy. I started with npm but I realized it was hiding enough stuff that I wasn't learning anything about managing networking. Caddy is super easy and has lot of sane defaults.
same, i've been very happy with Caddy, even with lots of subdomains and weird configs it's been rock solid.
it seems easier to manage stuff not in docker
Read into Traefik’s dynamic configuration. Adding something outside of Docker is as easy as adding a new config file in the dynamic configuration folder. E.g. jellyfin.yml:
http:
routers:
jellyfin:
rule: Host(`jellyfin.example.org`)
entrypoints: websecure
tls:
certResolver: le
service: jellyfin
services:
jellyfin:
loadbalancer:
servers:
- url: "http://192.168.1.5:8096/"
The moment you save that file it will be active and working in Traefik.
Stick with Traefik if you've figured it out. It's much more powerful than NPM in my opinion. If you insist on using NPM, you might want to try NPMPlus, it has more bells and whistles and is more actively maintained.
Yeah I'll stick with Traefik, I know how to use it
I am using nginx on a separate machine (VM) I have yet to try it in docker, I just have not found a reason to change it yet.
I've tried npm, caddy and traefik but they are always way more complicated then adding a new config file in nginx...
I feel the others add too much to the docker configs and limit what can be added to the reverse proxy. I have control of access from the nginx server, without having to change the apps configuration.
NPM is the closest to what I would like (only needing the same network in docker) if I go the docker way but for some reason it never works as it should when I configure it. So I am sticking to plain nginx.
I’ve been using caddyserver for awhile and love it. Config is nicely readable and the defaults are very good.
I'll throw in another recommendation for Caddy. I've been using it for years and the few problems/feature suggestions I had got implemented by the developers pretty quickly. They're super active on their forums and I haven't yet run into an issue where I couldn't either figure it out myself or with help from their community forums (usually from a dev.) They're very friendly and won't berate you for simple mistakes like other devs.
i use nginx proxy manager but im barely getting by. Theres zero useful documentation for setting up custom paths so everyone uses subdomains. I ended up buying my own domain just so i didnt feel guilty spamming freedns lmao.
Caddy is the only reverse proxy I have ever managed to successfully make use of. I failed miserably with Nginix and Traefik.
Caddy has worked very well for me for several years now. It gets the SSL certificate from my domain name provider and all.
If you're just going to VPN in to your home network, I've found caddy to be the simplest.
I tried using PiVPN to route my phone's Internet access through my home network, but it kept breaking and I found I don't have a head for networks.
Would caddy be able to do that in an easier to maintain way?
Set up wireguard in a docker container and then forward the port to wireguard, the default container on docker hub is fairly straightforward and you can always ask me for help if you need :).
However, If you are using ipv4, you need to make sure that you're not behind a CG-NAT (If you think you might be, call your ISP and tell them you have security cameras that need to get out or something like that).
You could also try tailscale which is built using wireguard with nat-busting features and a bit easier to configure (I dont personally use it as wireguard is sufficient for me).
After that Caddy + DNSMasq will simply allow you to map different URLs to IP addresses
dnsmasqmy_computer -> 192.168.1.64http://dokuwiki.my_computer -> http://my_computer:8080http://dokuwiki.192.168.1.64 -> http://192.168.1.64:8080/Caddy and DNSmasq are superfluous, if you've got a good memory or bookmarks, you don't really need them.
VPN back into home is a lot more important. You definitely do not want to be forwarding ports to services you are running, because if you don't know what you're doing this could pose a network security risk.
Use the VPN as the entry point, as it's secure. I also recommend running the VPN in a docker / podman container on an old laptop dedicated just to that, simply to keep it as isolated as you can.
Down the line you could also look into VLan If your router supports that.
I personally would not bother with SSL If you're just going to be providing access to trusted users who already have access to your home network.
If you are looking to host things, just pay for a digital droplet for $7 a month, It's much simpler, You still get to configure everything but you don't expose your network to a security risk.
I like NPM, it's simple, but also allows for more complex configs as well if needed. I run it in its own LXC because I have other non-dockerized things that are exposed.
I think NGINX has the best reverse proxy
Nginx installed directly, I use nano over ssh to edit configs. Forces you to learn some things and I never moved passed it because it works so well.
I use Traefik at home. The initial setup was more complex than others but now it's set up it's by far the easiest to add new routes than any other I've tried, just by virtue of being right there in the compose/k8s files I'm already writing. Static routes are manual of course, but so are every other proxy so that's no different, and they're not exactly complicated (I see another comment has examples). The config files are the same markup language as your Compose/k8s files so you're not learning a whole new syntax and having to switch languages mentally as you switch between them.
Caddy is super easy, but the fact that the Docker labels thing was a plugin is a con to me, I'd prefer it being first party. It also isn't as performant as Traefik, higher CPU usage while also having higher latency.
As far as I'm aware, Nginx and Nginx Proxy Manager support no such thing, you have to manually write those routes every time you create a new service. Personally I think Nginxs config syntax annoying, I'm very comfortable with it now but I much prefer TOML/YAML.
Nginx Proxy Manager is a lot like Portainer. It's useful for people who don't want to learn Nginx and/or just want to click a few buttons. But anything complex you're suddenly going to be thrown into the deep end.
You've already set up Traefik, you've already done the complex bit. IMO there's no reason to change, from this point everything else is more complicated.
We use Nginx at work but are currently in the process of switching to Traefik.
I use traefik. I like it. Took a bit to understand, but it has some cool options like ssl passthrough and middlewares for basic auth.
You can even use it to do the SSL part for a local non-SSL IMAP server. And, there’s a CrowdSec middleware as well, that will block blacklisted IPs.
NPM was the first one that worked for me. I used a YouTube tutorial. I tried Nginx and Caddy, but couldn't figure them out. For context, I try to run anything I can out of Docker, which adds some complexity I think. I must not have been doing the templates correctly or something.
I plan on trying to go for Nginx or Caddy later, but right now NPM works wonders for my use case.
I use NPM in a docker container. It could not be easier in my opinion but then again, I did not use any of the alternatives so I might be missing out on something, who knows. I did manage a couple of proxy servers in the past based on Apache and I can tell you that NPM is much easier and logical to me than that.
Just create a compose file and start it. Create DNS records pointing to your NPM IP address/exposed IP and make a host in NPM sending traffic to the right container IP:port. The compose file is super simple, could not be easier. Here's mine for example:
bash
services:
nginx-proxy-manager:
container_name: nginx-proxy-manager
image: 'jc21/nginx-proxy-manager:latest'
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
I just make sure ports 443 and 80 are exposed on my router so DNS records can point to that IP adrdess. All traffic on port 80 gets re-routed to 443.
I'm probably stating all the obvious things here 😀
I mean yes, that seems obvious now that I've learned this.
But I wish I read this comment 3 years ago when I was starting to dive into self hosting. Would have saved me a bunch of time. So always assume some piece of knowledge is not obvious for someone out there and share ᕕ( ᐛ )ᕗ
So always assume some piece of knowledge is not obvious for someone out there and share
You just described a thing of mine I cannot help but do; explain the ever loving crap out of things
I need to be careful with that though as relatives start to complain and push back on me telling things over and over.
Thing is, until I see a full comprehension on the other side on what I try to convey I just keep explaining in variations, keep finding metaphors and keep pestering you until you 'get it'. Some say it is a virtue, some say it is a hindrance.
I have had therapy on this... 😂
but I’d like to give Nginx Proxy Manager a try, it seems easier to manage stuff not in docker.
NPM is pretty agnostic. If it receives a request for a specific address and port combination it just forwards the traffic to another specific address and port combination. This can be a docker container, but also can be a physical machine or any random URL.
It also has Let's Encrypt included (but that should be a no-brainer).
I used NPM, It was pretty solid
Then I changed headspace and now I run SearXNG through cloudflare, and tailscale everything that doesn't need to be public.
For a while now I've been using either haproxy or nginx depending on my needs. I've hit instances with both where the functionality I want is in the paid version.
Nginx for my intranet because configuration is fully manual and I have complete control over it.
Caddy for the public services on my vps because it handles cert renewal automatically and most of its configuration is magic which just works.
It is unbelievable how shorter caddy configuration is, but on my intranet:
I switched to caddy just for the certs. I get trusted certs on all my internal subdomains without maintenance.
I use haproxy, nginx and caddy at work including a caddy instance with internal CA. 4 lines in config and its signed by our normal CA, so its trusted by all our devices.
You can easily get automatic renewal for nginx using certbot.
Yes, but it is a different cron job that needs to run, and you need to monitor it for failures. Caddy does everything out of the box, including retries.
I've been mostly using Nginx Proxy Manager, but I recently set up Bunkerweb as a WAF for a couple of public services I'm hosting and I kind of like it. It does reverse proxy along with a bunch of other things (bad behavior blocking, geographic blocking, SSL cert handling, it does a lot).
Mentioning it because I didn't see any other mention of it yet.
NPM is easy to use. Caddy sounds like something I'd like to try too now.
npm/npmplus
I've been using NPM for a few years now and can't recommend it enough. I use it to route to both docker containers on an internal proxy network as well at other services within my networks
I want to just mention frp, I use it to get around firewalls
I had a poor experience with NPM which turned me to SWAG, it worked, but was a tad slow. Moved to Traefik and haven’t looked back.
I've been using nginx forever. It works, I can do almost everything I want, even if more complex things sometimes require some contortions. I'm not sure I would pick it again if starting from scratch, but I have no problems that are worth switching for.
having tried many in past, i always go back to haproxy. it has everything required as proxy and load balancer while also being very efficient.
I use nginx for static websites and TLS passthrough servers.
I use traefik as a reverse proxy for sites with many services and SSO.
Nginx is definitely easier to configure for simple things. But I prefer traefik for more complex setups.
I use the caddy plugin in opnsense. Used nginx proxy manager from Proxmox helper scripts before that, which was relatively easy and helped me understand the whole proxy thing. Moved to caddy on opnsense a few months ago, just because, and have had no good reason to change yet.
I was thinking about putting it from its dedicated VM to opnsense as well. I just don't know yet what the security implications are and also my firewall hardware isn't too beefy so I have to play around with it for a bit.
I recently switched a bunch of nginx configs to the opnsense Caddy plugin. It is easy to configure, but in my opinion it lacks the ability to change settings beyond the basics. It isn't helpful either that the plugin developer fails to recognize any other use case than the basics. It disqualifies the plugin for everyone with a little bit more complex setups.
I use Synology integrated reverse proxy, stupidly simple and always works for me (only if IPv6 doesn't fuck up itself, I can't fallback to IPv4 because that is CGNATED), if I am missing features that other options have I would like to know :)
I've looked at it but never actually given the Synology proxy a go despite using their DNS server. Does it do auto certificate renewal?
Have you considered using a Cloudflare tunnel to bypass the CGNAT? You can do that into a proxy or straight into the service.
Does it do auto certificate renewal?
Yes.
Have you considered using a Cloudflare tunnel to bypass the CGNAT?
I did before when I had some free domain over there, but I don't think there are any worthy free domains out there anymore, and even when they are cheap, I really don't need it and don't feel comfortable to pay for something that I can't use in its fullest (due to CGNAT).
For example, I am aware cloudflare tunnels can't be used for a Plex/Video streaming and that is the number 1 service that I want to be exposed to the Internet.
For now I am living with my IPv6 address and the Synology DDNS with the reverse proxy features... My personal fallback are Tailscale and Zerotier.
I use nginx as the internet facing proxy, write my own config and manage it with source control. Also use traefik in docker land with service labels to configure it
I use both, Traefik on my docker host that's also used for trying out new stacks, and NPM at work for a config that won't change (ever, probably).
Yes, the NPM web ui is somewhat easier in regard to proxying targets outside Docker.
This the main reason I switched from traefik, I can have certificates on all my internal stuff and not just on my docker host. I personally love NPM but maybe I'll give NPMPlus a try, I have never heard of it.
Ok, stupid question from a stupid person: if I have a phone connected to a local WiFi network, and I type in the URL of a subdomain which points make to that same network ie a hosted service on a home server, what route does the data take from the service back to my phone?
Simple question but can be a complex answer. Basically it depends where your phone gets DNS from: if it's using the ISP DNS (or some other public DNS server) it will resolve the public internet IP of your server and the data will route out to the ISP WAN before being routed back in.
On the other hand you can configure a split DNS system, so say you are using your modem/gateway as your DNS server and it forwards DNS queries up to your ISP (or other) DNS server - a common setup, 1. you can add in a static host entry for your local server. Eg 'yourservice.yourserverdomain.com = 192.168.1.20 (your server's LAN IP)'
Now when your phone is on the WiFi and it looks up your server's address it gets the local IP and routes locally, which will be faster.
If you need more info, search for terms like 'reverse proxy split DNS best practice'.
I like Zoraxy it has a lot of features, like Zerotier integration, status monitoring etc and a clean UI
Runs fine for my needs and fully replaced NPM for me 😊
You can run it in docker or as a single binary directly
I use and love nginx.
Maybe a bit more old fashioned than more modern solutions, but steady solid and versatile. I use it as reverse proxy ad well as proxy for php stuff and more.