Hi everybody.
How should I setup reverse proxy for my services? I’ve got things like jellyfin, immich a bitwarden running on my Debian server in docker. So should i install something like nginx for each of these also in docker? Or should I install it from repository and make configs for each of these docker services?
Btw I have no idea how to use something like nginx or caddy but i would still like to learn.
Also can you use nginx for multiple services on the same port like(443)?
Reverse proxying was tricky for me, I started with Nginx Proxy Manager and it started out fine, was able to reverse proxy my services in the staging phase however, once I tried to get production SSL/TLS certificates it kept running into errors (this was a while ago I can’t remember exactly) so that pushed me to SWAG and swag worked great! Reverse proxying was straight forward, SSL/TLS certificates worked well however, overall it felt slow, so now I’m using Traefik and so far have no complaints.
It’s honestly whatever works for you and what you prefer having.
You’d install one reverse proxy only and make that forward to the individual services. Popular choices include nginx, Caddy and Traefik. I always try to rely on packages from the repository. They’re maintained by your distribution and tied into your system. You might want to take a different approach if you use containers, though. I mean if you run everything in Docker, you might want to do the reverse proxy in Docker as well.
That one reverse proxy would get port 443 and 80. All services like Jellyfin, Immich… get random higher ports and your reverse proxy internally connects (and forwards) to those random ports. That’s the point of a reverse proxy, to make multiple distinct services available via just one and the same port.
And if i wanted to install nginx from debian repo and make the config file for immich docker instance, bitwarden dcoker instance… how would the config files and ssl certificates for nginx look like?
Maybe have a look at https://nginxproxymanager.com as well. I don’t know how difficult it is to install since I never used it, but I heard it has a relatively straight-forward graphical interface.
Configuring good old plain nginx isn’t super complicated. It depends a bit on your specific setup, though. Generally, you’d put config files into
/etc/nginx/sites-available/servicexyz(or put it in thedefault)server { listen 80; server_name jellyfin.yourdomain.com; return 301 https://$server_name$request_uri; } server { listen 443 ssl; server_name jellyfin.yourdomain.com; ssl_certificate /etc/ssl/certs/your_ssl_certificate.crt; ssl_certificate_key /etc/ssl/private/your_private_key.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; location / { proxy_pass http://127.0.0.1:8096; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } access_log /var/log/nginx/jellyfin.yourdomain_access.log; error_log /var/log/nginx/jellyfin.yourdomain_error.log; }It’s a bit tricky to search for tutorials these days… I got that from: https://linuxconfig.org/setting-up-nginx-reverse-proxy-server-on-debian-linux
Jellyfin would then take all requests addressed at jellyfin.yourdomain.com and forward that to your Jellyfin which hopefully runs on port 8096. You’d use a similar file like this for each service, just adapt them to the internal port and domain.
You can also have all of this on a single domain (and not sub-domains). That’d be the difference between “jellyfin.yourdomain.com” and “yourdomain.com/jellyfin”. That’s accomplished with one file with a single “server” block in it, but make it several “location” blocks within, like
location /jellyfinAlright, now that I wrote it down, it certainly requires some knowledge. If that’s too much and all the other people here recommend Caddy, maybe have a look at that as well. It seems to be packaged in Debian, too.
Edit: Oh yes, and you probably want to set up Letsencrypt so you connect securely to your services. The reverse proxy would be responsible for encryption.
Edit2: And many projects have descriptions in their documentation. Jellyfin has documentation on some major reverse proxies: https://jellyfin.org/docs/general/post-install/networking/advanced/nginx
Omg thank you very much. I’ll definitely look it up.
That question is a little bit out of the scope of a forum like this. A question like that would better be answered by the nginx documentation. Sometimes the project documentation might have a blurb about nginx configuration specific for that project. For example, Immich.
For the most part, you only have to reference the nginx documentation. I’ve never looked at the Immich config above until now, and my Immich server works great.
I’ve had a reverse proxy for years, but the config files are very foreign to me because I use Nginx-Proxy-Manager. NPM makes nginx usable for dummies like me, at the expense of gaining a deeper understanding of how it works. I’m ok with that, but you might feel differently.
I recommend Caddy. It’s very easy to deploy, and configuring it is a snap. This tutorial helped me out a bunch. There is a Docker version of Caddy, tho I have never used it. I figured, Caddy would do better installed on bare metal. I use Caddy in conjunction with Duckdns.org. Caddy also takes care of renewing your certs when it’s time.
What is your goal, simplest to configure? industry standard? Secure options set by default? Do you need a gui or are you fine with config files?
Something secure and easy to understand and setup for beginner. The easier the better. I don’t mind writing config files if I can understand it.
Nginx Proxy Manager is probably your best bet at this stage. It’s a simple to use GUI with QOL features like automatic certificate acquisition built on top of the industry standard Nginx. It should do everything you need it to do and it’s hands down the easiest to get started with.
When you reach the point that you’re trying to do something outside the scope of Nginx Proxy Manager’s gui, that would be a good time to get into another solution that’s config file based. My weapon of choice here is Caddy. I LOVE how simple and minimal the configuration is and it does a lot of things by default that other solutions don’t.
Plain Nginx is a solid tool but working with it directly will be the least straightforward and beginner friendly of all the solutions. Only reason I’d recommend straight Nginx is if you want experience with it for work.
Traefik, don’t bother with until you have an actual reason to use it over other solutions (Like you’re getting into clustering or kubernetes or anything else that requires dynamic configuration instead of static.)
A lot of people aren’t big fans of Nginx Proxy Manager, which is separate from Nginx. But I like it. It’s got a nice gui, and the part I really like is the letsencrypt ssl certs baked in. You can get a new one, for a new service with a click of a button, and it auto renews your certs, so you don’t have to worry about it once it’s set up.
I use Nginx Proxy Manager running as a docker container. Its a gui that makes administration more straight forward. It points at all my services (docker and otherwise) and handles the SSL for me. Because I don’t want to have any ports open I use DNS challenge ACME and NPM has built in support for a number APIs from large public DNS providers to automate that.
This plus technitium DNS is exactly my approach.
i have nginx proxy manager set up all as well, but haven’t worked out the SSL part yet, so all my internal docker services are still on http
out of interest, how did you set up https with npm?
First set up your certificate in the SSL tab of NPM. You can either upload a traditional certificate or set up LetsEncrypt. Be aware that starting next spring the maximum length of a certificate will drop to 9 months and continue to decrease over the next few years until its 47 days.
I have mine set up so LetsEncrypt gets a wildcard cert for my domain (via DNS challenge). Some people go with per subdomain certs.
Once you have the cert, go you each of your hosts and switch to its SSL tab. Then select your cert. Then I usually turn on “Force SSL”
does a wild card cert essentially mean i have use one cert which will cover all my subdomains as well as the primary domain?
yes
Did traefik become uncool? I only read about caddy/nginx/ha here.
my last experience with it was a half empty documentation, and a config structure that signaled to me that they dropped a lot of features for v2 release that they initially wanted to have, which has additionally made understanding their config structure harder. and that hasn’t improved for years.
I think it’s still one of the best solutions.
See here https://wiki.gardiol.org/doku.php?id=selfhost%3Anginx
My notes and my approach, so YMMV
While using a web server before your self hosted micro services is the obvious answer and caddy the easier to configure, as a beginner you should also consider taiscale funnels. You dont need to mess with router stuff like port forward or caring if you ISP have your router behind a cgnat which is kinda norm nowadays , also dont have to care for a domain name dynamic DNS stuff . You could have a look to my quick how to . All you need is running a script , the ports and desired names of your subdomains and your tailscale auth key. https://ippocratis.github.io/tailscale/
Well I already got static IP from my ISP and configured Wireguard on my directly on my router so I think I’m good.
The funnel exposes your local services to the public over https . Like what you want to accomplish with reverse proxy . Its just more straightforward for a beginner.
Personally I closed my router ports and switched to tailscalr funnels after using caddy with mutual TLS for years.
The funnel exposes your local services to the public over https . Like what you want to accomplish with reverse proxy .
they did not say they want it public, and that’s an additional security burden they may not need
He he didnt but thats what he meant
I mean 99% of users use reverse proxy for https public access
Also read the threat replies …
That’s what this thread is about
…
No?
if that’s true, I assume it is because they don’t know about the security consequences, nor about more secure ways. and for 99% that is the worst solution, because they won’t tighten security with a read only filesystem, DMZ and whatnot, worse, they won’t be patching their systems on schedule, but maybe in a year.
99% users should not expose any public services other than wireguard or something based on it. on a VPS the risk my be lower, but on a home network, hell no!
Ok I’m not any networking expert but I think you are overestimating the risk here.
Opening a port doesn’t mean you are opening your whole home network just the specific services you want. And those not directly but with a web server in front of them . Web servers talked in this tgread that sit in front of open ports are well audited . I think that measures like mtls a generic web server hardening are more than ok to not ever be compromised.
But yeah I’m surely interested to listen if you could elaborate.
Thanks
Opening a port doesn’t mean you are opening your whole home network just the specific services you want.
until a new high severity vulnerability gets discovered and some bot exploits it on your server, taking it over. and you won’t even know. if they were a bit smart, you won’t notice it ever either.
but there’s more! its not only the reverse proxy that can be exploited! over the past few years, jellyfin has patched a dozen vulnerabilities, some of which allowed execution of arbitrary system commands. one of the maintainers have expressed that nobody should be running those old versions anymore, because they are not safe even only on the LAN. and this was just jellyfin.
maybe silly question but does tailscale tunnel operate in a similar fashion to a cloud flare tunnel? as in you can remotely access your internal service over https?
Yes that’s exactly what they do
I prefer doing nginx on the host (vs a container), & have different configs for each service. You can have multiple services on the same port, it can be controlled via DNS instead (i.e.: access Jellyfin.domain.com & bitwarden.domain.com, both of 443).
Ive tried Caddy once or twice but couldn’t get it working, so i just stick with nginx & cert or to automatically get certificates from my internal CA
I’m doing the same with Apache in a container. Using Let’s Encrypt with DNS challenge for SSL certificate. The DNS records point to the reverse proxy IP which is only accessible via VPN (Tailscale). 😂
nginx + certbot \ acme for certs from my local Step-CA, proper DNS & I just use a WireGuard VPN on-demand for when I leave my house. As soon as I’m off my Wi-Fi I have the VPN active so I don’t need to expose anything more than 1 port for that to work =]
I might look at Tailscale, if only because I’ve seen plenty of people say that’s how they connect, so worth looking into =]
If you want to stay fully self-hosted, look into Headscale. You could run it locally with a port open, or you could throw it on the tiniest cloud VM somewhere and have zero ports open at home.
Thanks! I’ll take a look at that.
Yeah but when I last tried nginx on my bitwarden host and another on my jellyfin host i could access the one for bitwarden on port 81 of my server but couldn’t access the other nginx web page on port 85 even though i have written it in docker compose file and the port 85 was also open on my server.
It looks like jhdeval mentioned this already, but you may need to review your config file. By default, you would likely have nginx listening on ports 80 & 443 for requests to a specific address (i.e.: jellyfin.domain.com) which would be configured in your DNS, & then nginx would direct the jellfin 443 traffic to port 85 to access Jellyfin. Same principle for Bitwarden. If you have your nginx config files, i \ we could take a look & see if we spot any issues.
I’m currently cannot post it here and also since it didn’t work the first time I’m using only http for jellyfin and immich but i can later post the docker config for bitwarden.
deleted by creator
Yeah, another vote for Caddy. I’ve run nginx as a reverse proxy before and it wasn’t too bad, but Caddy is even easier. Needs naff-all resources too. My ProxMox VM for it has 256 MB of RAM!
I’ll definitely take a look at so thx. Also I’m using duckdns right now so i didn’t need to port forward anything but if I use my domain do i need to port forward ports 80&443 from through my router to my debian server (192.168.200.101)?
You can also choose a mesh vpn like tailscale and then you don’t have to worry about ddns or port forwarding at all, ace you can still use a reverse proxy.
I mean i have a wireguard on my router but how can I point the domain from my provider like (godaddy) to my server without opening ports?
deleted by creator
To access things outside of your LAN (for example from your phone while at the grocery store), each service gets a DuckDNS entry. “service.myduckdns.com” or whatever.
Your phone will look for service.myduckdns.com on port 443, because you’ll have https:// certificates and that all happens on port 443.
When that request eventually gets to your router and is trying to penetrate your firewall, you’ll need 443 open and forwarded to your Debian machine.
So yes, you have it right.
Also forward port 80.
This may be a controversial approach, but I recently had to set up reverse proxy along with DNS configuration and certificate handling. I pair programmed with an LLM.
My experience was this… I described what I wanted to set up, my objectives (like containerisation, zero touch deployment, idempotence, etc) and it gave me a starting point. It threw a few bad ideas in but I also asked it to help me stress test against the objectives. I think it’s all just about working now. I learned a lot about shell, docker, nginx, terraform, VM metadata, data persistence, pulling it all in from a git repo, bootstrapping nginx with self-signed certificates, auto renewal, vscode devcontainers and more. Honestly I’m worried about what a pro would make of my code, but I made huge steps in a relatively short time. Disclaimer: I am a software engineer who was keen to learn this stuff and get moving quickly.
I would definitely consider this approach if you’re new to the area.
There’s Nginx proxy manager if you want to set it up. But I’d rather go with Tailscale instead.
tailscale is not the same as nginx or any reverse proxy, though. I don’t expose anything publicly, but I still wouldn’t stop using a reverse proxy
Ok, fair enough.
This video: https://www.youtube.com/watch?v=qlcVx-k-02E or this video: https://www.youtube.com/watch?v=jx6T6lqX-QM That is all you need to know to successfully set it up. They are really good. Good luck! 😊
I was new to doing reverse proxy stuff but Nginx Proxy Manager made it really easy. A bit of doc reading, I probably watched a video or two, and it all made sense. Great clean UI and easy to install. (I run it on a Raspberry Pi.)
