Can someone explain why a home user should have a reverse proxy & all that sort of stuff?

I haven’t really hosted anything on my home network that’s exposed, but I’ve been considering getting a VPN for my phone to connect to my services from home. People keep asking me about NGINX, Traefik, and similar tools, but I’ve always said I don’t even know what they do. I’ve watched a few videos, but I’m still not sure why I would need them on my home network. Can someone explain in simple terms why I should probably start using them and how to set them up properly if necessary?

Well. I have a lot of internal services.

Let’s just say 40 internal websites for various services, as a number.

All of those are SSL / HTTPS. The vast majority are secured via an SSO solution.

Now, without a reverse proxy, you have to manage 40 individual certificates. You also have to manage 40 individual IP / port combinations.

If you don’t want to mess with a bunch of non-standard ports, then you need to manage 40 different IP addresses, so you can just browse to https://yourservice/

Otherwise, you will have 40 instances of…

https://myserver:8006
https://myserver:9201
https://myserver:8000
https://myserver:9000

Now, a reverse proxy lets you have your cake and eat it too.

Now you can put all of those services behind a single IP and port, and (with a decent one) automatically manage the SSL certs.

And, if you take it a step further and you run a DNS server, you can point *.yourdomain.com as a CNAME to the reverse proxy server…

And then anything.yourdomain.com automatically hits your reverse proxy.

So adding a new service just means a tiny amount of minor configuration. No need to touch certs. No need to touch IPs and networking. No need to mess with firewalls.

For me a reverse proxy was necessary because I wanted to host more than one service on my server. It took a while to figure out, but I can happily say it was worth it!

I believe there is a reverse proxy method to get a Let’s Encrypt SSL cert to use internally, if you or your significant other are tired of the warning messages popping up.

Saw you use TrueNAS Scale. Well, I do too, hosting a bunch of media serving applications. Having Traefik (among other backends) there makes deploying as easy as putting in the (sub)domain name and hitting install, aside from app config.

When it’s all up it’s super convenient, and you can set up access a lot smarter.

You don’t need a reverse proxy if you aren’t exposing the services or port forwarding them outside of your local network. Sometimes it’s easier to set one up and still just use it internally, say for bitwarden and then have all your services on a domain for quick access.

I use mine to serve my LAN with “local” FQDNs like homepage.lan even though it’s served on some random port. It raises the wife approval factor; my wife cannot remember port numbers.

Serving public services is a second thing in my setup, I can but don’t.

Because instead of having to remember machines and ports I can just type service names. As examples:

nas.lan:5001 → nas.lan

nas.lan:8096 → jellyfin.lan

nas.lan:8080 → download.lan

nas.lan:8090 → pihole.lan

pi.lan:8000 → homepage.lan

pi.lan:9443 → pt.lan (portainer)

pi.lan:8090 → pihole2.lan

etc

Another benefit is that (since I actually use a real domain name which I own instead of using the .lan TLD) my reverse proxy is set up to automatically provision and renew an SSL certificate, so all my local traffic can be served over HTTPS.

  • If you will only VPN in, and you are OK remembering port numbers, and none of your applications insists on https … then no need.

But if you expose anything over https it’s:

  • The simplest way to map services on ports to names/urls
  • Can terminate certs in one place and so provide https
  • Can automate cert renewal
  • Can add security e.g. Fail2ban, Crowdsec on top, or geo filters
  • Can be selective in what’s exposed publicly and what is local only
  • Can munge http headers when needed
  • Can do caching and load balancing

If you don’t need something, you don’t need it. Why force yourself to need something you don’t need?

A reverse proxy lets you open only one port on your router to the outside world (e.g. 443) and then you can have multiple containers accessible via that port.

For example you can have Audiobookshelf running and, instead of using and opening port 3333 on your external router, you can set a reverse proxy entry that says “whenever a request comes in that says ‘https://audiobookshelf.myDomain.com’ route it to [your server IP]:[the port used for Audiobookshelf (like 3333)]”

You can keep adding those rules (as long as there are no destination port conflicts) so that you have a bunch of containers all accessible from the outside via only the standard https port open.
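The rule described in the post above (“whenever a request comes in for audiobookshelf.myDomain.com, route it to [server IP]:[port]”) is a lookup on the HTTP Host header. The following is an added example, not code from anyone in this thread: a small default-deny routing table of the kind a reverse proxy keeps, with constructed hostnames and hypothetical internal addresses (192.168.1.20 and the ports are made up). The point it shows is that once wildcard DNS sends every name under the domain to the proxy, the proxy’s table is the only thing deciding which services are reachable, so unknown names must be refused rather than passed to a default backend.

```python
"""Host-based routing with a default-deny table (added example, not from the thread)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Router:
    domain: str
    routes: dict[str, str] = field(default_factory=dict)

    def add(self, name: str, upstream: str) -> None:
        """Register <name>.<domain> -> upstream; a duplicate name is a config error."""
        host = f"{name}.{self.domain}".lower()
        if host in self.routes:
            raise ValueError(f"{host} is already routed to {self.routes[host]}")
        self.routes[host] = upstream

    def route(self, host_header: str) -> tuple[int, str]:
        """Return (status, upstream-or-reason). Unknown names get 421 Misdirected Request."""
        # Normalise: case-insensitive, drop an explicit :port and a trailing dot.
        host = host_header.strip().lower().split(":", 1)[0].rstrip(".")
        upstream = self.routes.get(host)
        if upstream is None:
            return 421, f"no route for {host!r}"
        return 200, upstream


def host_from_request(raw: str) -> str | None:
    """Pull the Host header out of a raw HTTP/1.1 request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def build_router() -> Router:
    # Constructed table; the internal addresses are hypothetical.
    r = Router("mydomain.com")
    r.add("audiobookshelf", "192.168.1.20:3333")
    r.add("jellyfin", "192.168.1.20:8096")
    return r


# Constructed sample requests: two published names, one name that only
# exists because of wildcard DNS, and an HTTP/1.0 request with no Host at all.
SAMPLE_REQUESTS = [
    "GET /login HTTP/1.1\r\nHost: audiobookshelf.mydomain.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: Jellyfin.MyDomain.com:443\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: admin.mydomain.com\r\n\r\n",
    "GET / HTTP/1.0\r\n\r\n",
]


def dispatch(router: Router, raw: str) -> tuple[int, str]:
    """Decide what the proxy does with one request."""
    host = host_from_request(raw)
    if host is None:
        return 400, "missing Host header"
    return router.route(host)


if __name__ == "__main__":
    router = build_router()
    for req in SAMPLE_REQUESTS:
        print(req.split("\r\n")[0], "->", dispatch(router, req))
```

Note that the table is keyed on the full hostname, not the port: two services can share a destination port on different machines, but no two services can share a name, which is why `add` rejects duplicates.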

A reverse proxy is essentially a way to simplify running multiple services while only having to configure one entry point.

  1. It’s just convenient to have my recipe server (for example) at recipes.example.com
  2. If your question is “why would I need” then you are missing an important element of why we do this, because it’s more about “what can I do” than “why would I need”.

You need them to expose your system to the internet, but if you keep away from that, they are mostly useless.

If you run Cloudflare Tunnel, it acts as a reverse proxy, so fewer moving parts and less friction.

If you use a mesh VPN like Tailscale you don’t need a reverse proxy. You can simply run Tailscale on your server and on your phone or laptop and you’ll be able to connect to <server’s tailscale name>: from anywhere.

Reverse proxy is useful if you want to expose services publicly using a domain name. The proxy can apply TLS encryption to all the services at once, and lets you expose multiple services using only one forwarded port (but different subdomains).

Because it’s not hard and much cleaner, with fewer issues to deal with, and consistent with what I already do on VPS servers. I have one server that runs multiple applications. I can run as many PHP apps and Docker apps as I want, all with SSL on a subdomain of a domain name dedicated to home stuff.

When I use Wireguard to connect to home, I just use my easy to remember subdomains to access things.

Just set the DNS to local IPs, and to get the certificate for the domains I just use Certbot and the Cloudflare DNS plugin, then wrap it in a bash function/alias:

function ssl_new_wildcard {
        # Usage: ssl_new_wildcard mydomain.com
        [ -n "$1" ] || { echo "usage: ssl_new_wildcard <domain>" >&2; return 1; }
        printf "\n"
        printf "CREATING A NEW WILDCARD CERTIFICATE FOR: %s\n" "$1"
        # The wildcard is quoted so the shell does not try to glob-expand "*.domain"
        sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --email [email protected] --dns-cloudflare --dns-cloudflare-credentials /home/nick/cloudflare.ini --dns-cloudflare-propagation-seconds 60 -d "*.$1" -d "$1"
}
export -f ssl_new_wildcard

So I can just ask for ssl_new_wildcard mydomain.com and it gets one. Then use something like this in an Nginx conf file:

server {
    listen      80;
    listen [::]:80;
    server_name app.mydomain.com;
    # Plain HTTP only ever redirects to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    # "ssl" is required on the listen line; without it nginx serves plain HTTP on 443
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.mydomain.com;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://localhost:3302/;
        # HTTP/1.1 plus the Upgrade/Connection pair is what lets WebSockets through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Standard spelling is X-Forwarded-*; apps look for these exact names
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This block only serves HTTPS, so report the real scheme, not a hard-coded "http"
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}
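One caveat that matters once things like Fail2ban or per-IP rate limits sit behind a proxy like the one above: `$proxy_add_x_forwarded_for` appends the proxy’s view of the client to whatever X-Forwarded-For header the client already sent, so an application that reads the first entry is trusting client input. The following is an added example, not code from this thread or from nginx; it shows the backend-side rule that stays safe: only believe the header when the TCP peer is a known proxy, and walk the chain from the right, skipping only addresses that are themselves trusted proxies. The proxy addresses and sample requests are constructed.

```python
"""Resolving the real client address behind a reverse proxy (added example)."""
from __future__ import annotations

import ipaddress

# Assumption: the reverse proxy is on localhost or at 192.168.1.10 (constructed).
# Replace with the proxy's real address(es); nothing else should be listed here.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "192.168.1.10/32")
]


def _is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: str | None) -> str:
    """Address to log, rate-limit or ban for this request.

    remote_addr is the TCP peer the backend actually sees. If that peer is not
    a trusted proxy, the header is ignored entirely (direct connection, or someone
    bypassing the proxy and sending a forged header).
    """
    if not _is_trusted_proxy(remote_addr) or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Right-to-left: the rightmost entry was appended by the proxy that connected
    # to us; anything further left was written by earlier hops or by the client.
    for hop in reversed(hops):
        if _is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        return hop
    return remote_addr  # every entry was a trusted proxy; nothing else to go on


def naive_client_ip(remote_addr: str, x_forwarded_for: str | None) -> str:
    """What many apps do by default: take the first entry. Shown for contrast only."""
    return x_forwarded_for.split(",")[0].strip() if x_forwarded_for else remote_addr


# Constructed samples: (TCP peer, X-Forwarded-For as received by the backend).
# 203.0.113.7 is the real remote client; 10.0.0.1 is a value it put in the header itself.
SAMPLE_REQUESTS = [
    ("192.168.1.10", "203.0.113.7"),             # normal request via the proxy
    ("192.168.1.10", "10.0.0.1, 203.0.113.7"),   # client-supplied entry, then the proxy's
    ("203.0.113.7", "127.0.0.1"),                # direct connection; header must be ignored
    ("192.168.1.10", None),                      # proxy sent no header at all
]


def compare() -> list[tuple[str, str]]:
    """(safe answer, naive answer) for each sample request."""
    return [(client_ip(peer, xff), naive_client_ip(peer, xff)) for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, xff), (safe, naive) in zip(SAMPLE_REQUESTS, compare()):
        print(f"peer={peer:<13} xff={xff!s:<24} safe={safe:<13} naive={naive}")
```

With the second sample the naive reading bans or rate-limits 10.0.0.1, an address the attacker chose, while the chain walk correctly lands on 203.0.113.7. The `X-Real-IP $remote_addr` line in the nginx config above is the simpler signal for single-proxy setups, because `proxy_set_header` replaces any client-supplied X-Real-IP rather than appending to it; it is still only meaningful when the peer is the proxy.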

This is exactly right. I can’t be bothered to remember every random port, but I don’t have to, either. I can go to media.mywebsite.com for Jellyfin, minecraft.mywebsite.com for Crafty, apt.mywebsite.com for my repository mirrors, and adding new sites is as easy as adding a couple of lines to a config file. Whatever insecure services I might want to run get proxied, and pick up secure login and SSL along the way. It’s a little bit of a learning curve, but no worse than, say, Docker, and it makes life so much easier!

Damn! This and one other comment are the only ones who didn’t write some shit which has nothing to do with reverse proxy or were just wrong.

I actually just accomplished this and it’s sweet as hell. Also not too hard. Long story short:

Set up a wildcard *.domain.com A record with your DNS provider; I used Cloudflare.

I use Nginx Proxy Manager and I was able to set up the cert in the SSL tab. Other reverse proxies will have their own instructions for setting up a wildcard cert. I had to use Cloudflare for a dedicated SSL cert. Plenty of tutorials with a quick Google.

Then I use AdGuard for an internal DNS that forwards all *.domain.com requests to the reverse proxy for internal routing. I also do this for any local domains I set up. Now any time I want a DNS name, local or external, I just have to add it to Nginx Proxy Manager. I can also force HTTPS with most things using a self-signed wildcard cert for internal domains.