I have been self-hosting for a while now with Traefik. It works, but I’d like to give Nginx Proxy Manager a try; it seems easier to manage stuff not in Docker.

Edit: btw I’m going to try this out on my RPi, not my Hetzner VPS, so no risk of breaking anything.

    • mr_jaaay@lemmy.ml
      ↑ 1 · 5 days ago

      Seconding Caddy. I’ve been using it for a couple of years now in an LXC and it’s been very easy to set up, edit and run.

  • Xanza@lemm.ee
    ↑ 8 · 7 days ago

    Traefik is a PITA.

    Caddy all the way. If you build it with Docker support (or grab the prebuilt), you can use docker container names to reverse proxy using names instead of any IP addresses or ports. It’s nice because if the IP updates, so does caddy. All automatically.

    Here’s what my Caddyfile looks like:

    {
            acme_dns cloudflare {key}
    }
    
    domain.dev {
            encode zstd gzip
            root * /var/www/html/domain.dev/
            php_fastcgi unix//run/php/php8.1-fpm.sock
            tls {
                    dns cloudflare {key}
            }
    }
    *.domain.dev {
            encode zstd gzip
            tls {
                    dns cloudflare {key}
            }
            @docker host docker.domain.dev
            handle @docker {
                    encode zstd gzip
                    reverse_proxy {portainer}
            }
            @test host test.domain.dev
            handle @test {
                    encode zstd gzip
                    reverse_proxy 127.0.0.1:10000
            }
            @images host i.domain.dev
            handle @images {
                    encode zstd gzip
                    reverse_proxy 127.0.0.1:9002
            }
            @proxy host proxy.domain.dev
            handle @proxy {
                    encode zstd gzip
                    reverse_proxy proxy
            }
            @portal host portal.domain.dev
            handle @portal {
                    encode zstd gzip
                    reverse_proxy portal
            }
            @ping host ping.domain.dev
            handle @ping {
                    encode zstd gzip
                    respond "pong!"
            }
    }
    

    DNS hosted by cloudflare but because caddy handles ACME certs, all the subdomains automatically get SSL.
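
The wildcard pattern in the Caddyfile above, as an added example that is not part of the original post: with a `*.domain.dev` site and a wildcard certificate, Caddy answers for every name under the domain, and a request whose host matches none of the named matchers falls through to an empty response. The version below keeps two of the post's routes, adds a fallback `handle` that closes such connections, and reads the Cloudflare token from the environment; `CF_API_TOKEN` is an assumed variable name.

```caddyfile
{
        # Token is read from the environment rather than written into the file.
        # CF_API_TOKEN is an assumed variable name; this needs a Caddy build
        # that includes the Cloudflare DNS module, as the post mentions.
        acme_dns cloudflare {env.CF_API_TOKEN}
}

*.domain.dev {
        # Set once for the whole site instead of repeating it in every handle block.
        encode zstd gzip

        @test host test.domain.dev
        handle @test {
                reverse_proxy 127.0.0.1:10000
        }

        @ping host ping.domain.dev
        handle @ping {
                respond "pong!"
        }

        # Fallback for every other name the wildcard covers:
        # close the connection instead of answering with an empty 200.
        handle {
                abort
        }
}
```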

    • Lena@gregtech.euOP
      ↑ 2 · 6 days ago

      Actually I found traefik rather easy, I just had to make the proper docker labels and config.

      PITA

      Unrelated, I’m going to sound like a grammar nazi here, but holy shit there are so many acronyms, how am I supposed to know every one of them without googling? Please just say “traefik is a pain in the ass”. Also please don’t take this as a snarky reply.

      • Xanza@lemm.ee
        ↑ 3 · 6 days ago

        PITA = pain in the ass.

        I never said it was hard. Just a real pain in the ass. Like iptables vs UFW. They’re the same thing, but one is easy and a pain in the ass and the other is just easy… So I opt to make my life easier. lol

  • lka1988@sh.itjust.works
    ↑ 4 · 7 days ago

    I like NPM, it’s simple, but also allows for more complex configs as well if needed. I run it in its own LXC because I have other non-dockerized things that are exposed.

  • Hawk@lemmynsfw.com
    ↑ 3 · 7 days ago

    If you’re just going to VPN in to your home network, I’ve found caddy to be the simplest.

    • Semjaza@lemmynsfw.com
      ↑ 1 · 7 days ago

      I tried using PiVPN to route my phone’s Internet access through my home network, but it kept breaking and I found I don’t have a head for networks.

      Would caddy be able to do that in an easier to maintain way?

      • Hawk@lemmynsfw.com
        ↑ 2 · 7 days ago

        Set up wireguard in a docker container and then forward the port to wireguard. The default container on Docker Hub is fairly straightforward, and you can always ask me for help if you need :).

        However, if you are using IPv4, you need to make sure that you’re not behind a CG-NAT (if you think you might be, call your ISP and tell them you have security cameras that need to get out or something like that).

        You could also try tailscale, which is built using wireguard with NAT-busting features and is a bit easier to configure (I don’t personally use it as wireguard is sufficient for me).

        After that, Caddy + DNSMasq will simply allow you to map different URLs to IP addresses:

        • dnsmasq
          • will let you map, e.g. my_computer -> 192.168.1.64
        • Caddy (Or nginx, but caddy is simpler)
          • will let you map to ports so e.g.:
            • with DNS (DNSMasq as above)
              • http://dokuwiki.my_computer -> http://my_computer:8080
            • Without DNS
              • http://dokuwiki.192.168.1.64 -> http://192.168.1.64:8080

        Caddy and DNSmasq are superfluous; if you’ve got a good memory or bookmarks, you don’t really need them.

        VPN back into home is a lot more important. You definitely do not want to be forwarding ports to services you are running, because if you don’t know what you’re doing this could pose a network security risk.

        Use the VPN as the entry point, as it’s secure. I also recommend running the VPN in a docker / podman container on an old laptop dedicated just to that, simply to keep it as isolated as you can.

        Down the line you could also look into VLAN if your router supports that.

        I personally would not bother with SSL if you’re just going to be providing access to trusted users who already have access to your home network.

        If you are looking to host things, just pay for a digital droplet for $7 a month. It’s much simpler. You still get to configure everything, but you don’t expose your network to a security risk.

        • Semjaza@lemmynsfw.com
          ↑ 1 · 7 days ago

          Thank you, that looks like a good set of hooks for me to get into at a weekend, child allowing.

          I very much appreciate the guide. I’ll let you know when I’ve had a fiddle.

  • Other@lemmy.ca
    ↑ 2 · 6 days ago

    I am using nginx on a separate machine (VM). I have yet to try it in Docker; I just have not found a reason to change it yet.

    I’ve tried npm, caddy and traefik but they are always way more complicated than adding a new config file in nginx…

    I feel the others add too much to the docker configs and limit what can be added to the reverse proxy. I have control of access from the nginx server, without having to change the apps’ configuration.

    NPM is the closest to what I would like (only needing the same network in docker) if I go the docker way but for some reason it never works as it should when I configure it. So I am sticking to plain nginx.

  • WhyFlip@lemmy.world
    ↑ 1 · 6 days ago

    I highly recommend npm. It’s also the only one I’ve used, so please keep that in mind.

  • PieMePlenty@lemmy.world
    ↑ 2 · 7 days ago

    Nginx installed directly, I use nano over ssh to edit configs. Forces you to learn some things and I never moved past it because it works so well.

  • sandwichsaregood@lemmy.world
    ↑ 1 · 6 days ago

    I really like Zoraxy. Similar to NPM but it’s its own thing and I like it a lot more.

    I know how to use raw nginx/Caddy/traefik to do it, but I find the WebUI and all the extra features Zoraxy has to be very convenient and easy to use.

  • Cardboard5308@lemmy.world
    ↑ 1 · 6 days ago

    NPM was the first one that worked for me. I used a YouTube tutorial. I tried Nginx and Caddy, but couldn’t figure them out. For context, I try to run anything I can out of Docker, which adds some complexity I think. I must not have been doing the templates correctly or something.

    I plan on trying to go for Nginx or Caddy later, but right now NPM works wonders for my use case.

  • ohshit604@sh.itjust.works
    ↑ 1 · 7 days ago

    I had a poor experience with NPM which turned me to SWAG, it worked, but was a tad slow. Moved to Traefik and haven’t looked back.

  • shadowfax13@lemmy.ml
    ↑ 1 · 7 days ago

    Having tried many in the past, I always go back to haproxy. It has everything required as a proxy and load balancer while also being very efficient.

    • I mean, the basic config file for Caddy is 1 line, and gives you Let’s Encrypt by default. The entire config file for a reverse proxy can be as few as 3 lines:

      my.servername.net {
         reverse_proxy 127.0.0.1:1234
      }
      

      It’s a single executable, and a single 3-line file. Caddy is an incredible piece of software.

      • merthyr1831@lemmy.ml
        ↑ 4 · 7 days ago

        I’ve got a basic workflow for nginx proxy manager now so this isn’t super useful, but good god that’s exactly what I wish nginx was.

      • Kusimulkku@lemm.ee
        ↑ 2 · 7 days ago

        When I was researching reverse proxies I first stumbled upon nginx and traefik, and especially nginx seemed a bit intimidating. As someone who hadn’t done it before I was worried if I’d do it right. Then I found caddy and yeah, just used a three-liner like that in config and that was that. Simple and easy to get it right.

        I’ve since switched to having my stuff behind wireguard instead of reverse proxy, but I keep caddy around so I can just spin it back up if I want to access Jellyfin on someone’s tv or something.

    • 🔰Hurling⚜️Durling🔱@lemmy.world
      ↑ 1 · edited · 7 days ago

      Honest noob question. I currently connect to my self-hosted server using Twingate. How would this be different? Can you give me an ELI5 of how a reverse proxy manager would make my setup better?