Hi everybody.
How should I setup reverse proxy for my services? I’ve got things like jellyfin, immich a bitwarden running on my Debian server in docker. So should i install something like nginx for each of these also in docker? Or should I install it from repository and make configs for each of these docker services?
Btw I have no idea how to use something like nginx or caddy but i would still like to learn.
Also can you use nginx for multiple services on the same port like(443)?
Reverse proxying was tricky for me, I started with Nginx Proxy Manager and it started out fine, was able to reverse proxy my services in the staging phase however, once I tried to get production SSL/TLS certificates it kept running into errors (this was a while ago I can’t remember exactly) so that pushed me to SWAG and swag worked great! Reverse proxying was straight forward, SSL/TLS certificates worked well however, overall it felt slow, so now I’m using Traefik and so far have no complaints.
It’s honestly whatever works for you and what you prefer having.
Since your a beginner, youll find nginx proxy manager easiest, it has a nice ui, and at this stage you are probably less intrested in the 10/10 fastest lighweight setup and more intrested in getting stuff working.
Did traefik become uncool? I only read about caddy/nginx/ha here.
Caddy
It’s three lines of configuration
jellyfin.example.com { reverse_proxy http://localhost:8083/ }Automatic https with let’sencrypt, simplicity of a single binary, downgrade is as simple as replace binary & restart service.
Fucking hell why do I use Apache 😂
How does my DNS know where to look for this?
-
you rent a domain
-
in the config (provided by the service where you rented the domain) you set it to point to the IP of the device where you run caddy
-
the service tells the relevant global DNS servers your setting
-
your DNS does a DNS lookup and a DNS server returns the IP you configured it to point to
Depending on the DNS you use, you can manually add entries to do 1-3 differently, but that will only work for devices that use your DNS and is hard.
Is this a local address or a public IP address?
I just want the resolving internal to my network but I never got it working right.
I’m not the guy you replied to but personally I use a setup called split-horizon DNS.
- I have a DNS server running on a raspberry pi which I have set up as the DNS server for all devices in my local network (by setting it in the router).
- This DNS server has my domain name as an A record pointing to my reverse-proxy (Nginx Proxy Manager), e.g. example.com would resolve to 192.168.0.100.
- Any subdomain I want to use is set up as a CNAME record in my DNS server referring to the previously configured A record with my domain. (jellyfin.example.com => example.com)
- Now all requests to the registered domain and subdomain are routed to my reverse-proxy which I configured to forward them to the correct service depending on the given subdomain.
This is a little bit of a simplification. I also use a cloudflare tunnel to allow access to select subdomains and I have 2 reverse-proxies chained together since NPM can resolve services by their container name as long as they are in the same docker network.
Also probably important: My DNS server was a pi-hole (until today at least) and did not act as my DHCP server. This meant it had no idea of local device hostnames and therefore was configured to forward queries to local device names to my routers built-in DNS server.
The domain I use for my services is one I rent from a registrar so that I can get valid SSL certificates without self-signing them. If you are fine with self-signed certificates or simple http you probably don’t need to do that.
I’m looking to do something like this. I’m uneasy about having the registered domain pointing towards my IP address (partially because I’m unsure of the exact risks and partially because I’d rather do it internally if possible).
You said you were using pihole. What did you change to and why did you change? Pihole seems the most recommended from what I’ve seen?
If you want DNS only in your LAN, you need to self host a DNS server and register this domain locally (by putting it in some config file of yours)
I’ve got the external IP addresses down pat. I’m with you in that I’ve never quite figured out how to do the same with local IP addresses.
-
I use Nginx Proxy Manager running as a docker container. Its a gui that makes administration more straight forward. It points at all my services (docker and otherwise) and handles the SSL for me. Because I don’t want to have any ports open I use DNS challenge ACME and NPM has built in support for a number APIs from large public DNS providers to automate that.
This plus technitium DNS is exactly my approach.
deleted by creator
I recommend Caddy. It’s very easy to deploy, and configuring it is a snap. This tutorial helped me out a bunch. There is a Docker version of Caddy, tho I have never used it. I figured, Caddy would do better installed on bare metal. I use Caddy in conjunction with Duckdns.org. Caddy also takes care of renewing your certs when it’s time.
Nginx Proxy Manager was easy to learn as a beginner. I’d recommend it as a learning tool, if nothing else, and if you want to switch to other solutions later you can.
I prefer doing nginx on the host (vs a container), & have different configs for each service. You can have multiple services on the same port, it can be controlled via DNS instead (i.e.: access Jellyfin.domain.com & bitwarden.domain.com, both of 443).
Ive tried Caddy once or twice but couldn’t get it working, so i just stick with nginx & cert or to automatically get certificates from my internal CA
I’m doing the same with Apache in a container. Using Let’s Encrypt with DNS challenge for SSL certificate. The DNS records point to the reverse proxy IP which is only accessible via VPN (Tailscale). 😂
nginx + certbot \ acme for certs from my local Step-CA, proper DNS & I just use a WireGuard VPN on-demand for when I leave my house. As soon as I’m off my Wi-Fi I have the VPN active so I don’t need to expose anything more than 1 port for that to work =]
I might look at Tailscale, if only because I’ve seen plenty of people say that’s how they connect, so worth looking into =]
If you want to stay fully self-hosted, look into Headscale. You could run it locally with a port open, or you could throw it on the tiniest cloud VM somewhere and have zero ports open at home.
Thanks! I’ll take a look at that.
Yeah but when I last tried nginx on my bitwarden host and another on my jellyfin host i could access the one for bitwarden on port 81 of my server but couldn’t access the other nginx web page on port 85 even though i have written it in docker compose file and the port 85 was also open on my server.
It looks like jhdeval mentioned this already, but you may need to review your config file. By default, you would likely have nginx listening on ports 80 & 443 for requests to a specific address (i.e.: jellyfin.domain.com) which would be configured in your DNS, & then nginx would direct the jellfin 443 traffic to port 85 to access Jellyfin. Same principle for Bitwarden. If you have your nginx config files, i \ we could take a look & see if we spot any issues.
I’m currently cannot post it here and also since it didn’t work the first time I’m using only http for jellyfin and immich but i can later post the docker config for bitwarden.
deleted by creator
Yeah, another vote for Caddy. I’ve run nginx as a reverse proxy before and it wasn’t too bad, but Caddy is even easier. Needs naff-all resources too. My ProxMox VM for it has 256 MB of RAM!
I’ll definitely take a look at so thx. Also I’m using duckdns right now so i didn’t need to port forward anything but if I use my domain do i need to port forward ports 80&443 from through my router to my debian server (192.168.200.101)?
To access things outside of your LAN (for example from your phone while at the grocery store), each service gets a DuckDNS entry. “service.myduckdns.com” or whatever.
Your phone will look for service.myduckdns.com on port 443, because you’ll have https:// certificates and that all happens on port 443.
When that request eventually gets to your router and is trying to penetrate your firewall, you’ll need 443 open and forwarded to your Debian machine.
So yes, you have it right.
Also forward port 80.
You can also choose a mesh vpn like tailscale and then you don’t have to worry about ddns or port forwarding at all, ace you can still use a reverse proxy.
I mean i have a wireguard on my router but how can I point the domain from my provider like (godaddy) to my server without opening ports?
Yes. (I think)
See here https://wiki.gardiol.org/doku.php?id=selfhost%3Anginx
My notes and my approach, so YMMV
What is your goal, simplest to configure? industry standard? Secure options set by default? Do you need a gui or are you fine with config files?
Something secure and easy to understand and setup for beginner. The easier the better. I don’t mind writing config files if I can understand it.
IMO, look into the linuxserver.io fork of NGINX, called SWAG.
It comes preloaded with a bunch of fantastic addons for security.
Quite easy to get set up, if you’ve got an idea about how it works.
A lot of people aren’t big fans of Nginx Proxy Manager, which is separate from Nginx. But I like it. It’s got a nice gui, and the part I really like is the letsencrypt ssl certs baked in. You can get a new one, for a new service with a click of a button, and it auto renews your certs, so you don’t have to worry about it once it’s set up.
I was new to doing reverse proxy stuff but Nginx Proxy Manager made it really easy. A bit of doc reading, I probably watched a video or two, and it all made sense. Great clean UI and easy to install. (I run it on a Raspberry Pi.)
