Which reverse proxy do you use/recommend?

Lena@gregtech.eu · edit-2 5 days ago

Which reverse proxy do you use/recommend?

PieMePlenty@lemmy.world · 4 days ago

Nginx installed directly, I use nano over ssh to edit configs. Forces you to learn some things and I never moved passed it because it works so well.

Xanza@lemm.ee · 4 days ago

Traefik is a PITA.

Caddy all the way. If you build it with Docker support (or grab the prebuilt), you can use docker container names to reverse proxy using names instead of any IP addresses or ports. It’s nice because if the IP updates, so does caddy. All automatically.

Here’s what my caddyfile looks like;

{
        acme_dns cloudflare {key}
}

domain.dev {
        encode zstd gzip
        root * /var/www/html/domain.dev/
        php_fastcgi unix//run/php/php8.1-fpm.sock
        tls {
                dns cloudflare {key}
        }
}
*.domain.dev {
        encode zstd gzip
        tls {
                dns cloudflare {key}
        }
        @docker host docker.domain.dev
        handle @docker {
                encode zstd gzip
                reverse_proxy {portainer}
        }
        @test host test.domain.dev
        handle @test {
                encode zstd gzip
                reverse_proxy 127.0.0.1:10000
        }
        @images host i.domain.dev
        handle @images {
                encode zstd gzip
                reverse_proxy 127.0.0.1:9002
        }
        @proxy host proxy.domain.dev
        handle @proxy {
                encode zstd gzip
                reverse_proxy proxy
        }
        @portal host portal.domain.dev
        handle @portal {
                encode zstd gzip
                reverse_proxy portal
        }
        @ping host ping.domain.dev
        handle @ping {
                encode zstd gzip
                respond "pong!"
        }
}

DNS hosted by cloudflare but because caddy handles ACME certs, all the subdomains automatically get SSL.

Lena@gregtech.eu · 4 days ago

Actually I found traefik rather easy, I just had to make the proper docker labels and config.

PITA

Unrelated, I’m going to sound like a grammar nazi here, but holy shit there are so many acronmys, how am I supposed to know every one of them without googling? Please just say “traefik is a pain in the ass”. Also please don’t take this as a snarky reply.

Xanza@lemm.ee · 4 days ago

PITA = pain in the ass.

I never said it was hard. Just a real pain in the ass. Like iptables vs UFW. They’re the same thing, but one is easy and a pain in the ass and the other is just easy… So I opt to make my life easier. lol

kevincox@lemmy.ml · 5 days ago

I’ve been using nginx forever. It works, I can do almost everything I want, even if more complex things sometimes require some contortions. I’m not sure I would pick it again if starting from scratch, but I have no problems that are worth switching for.

Synapse@lemmy.world · 5 days ago

Caddy is the only reverse proxy I have ever managed to successfully make use of. I failed miserably with Nginix and Traefik.

Caddy has worked very well for me for several years now. It gets the SSL certificate from my domain name provider and all.

WhyFlip@lemmy.world · 3 days ago

I highly recommend npm. It’s also the only one I’ve used, so please keep that in mind.

Korthrun@lemmy.sdf.org · 5 days ago

For a while now I’ve been using either haproxy or nginx depending on my needs. I’ve hit instances with both where the functionality I want is in the paid version.

EpicStuff@lemmy.ca · 4 days ago

I want to just mention frp, I use it to get around firewalls

potentiallynotfelix@lemmy.fish · 4 days ago

I think NGINX has the best reverse proxy

Cardboard5308@lemmy.world · 4 days ago

NPM was the first one that worked for me. I used a YouTube tutorial. I tried Nginx and Caddy, but couldn’t figure them out. For context, I try to run anything I can out of Docker, which adds some complexity I think. I must not have been doing the templates correctly or something.

I plan on trying to go for Nginx or Caddy later, but right now NPM works wonders for my use case.

Pax@lemmy.world · 5 days ago

Nginx from day one. Well documented, it works. If something doesn’t work chances are you are a quick googlefu away from the solution.

merthyr1831@lemmy.ml · 5 days ago

i use nginx proxy manager but im barely getting by. Theres zero useful documentation for setting up custom paths so everyone uses subdomains. I ended up buying my own domain just so i didnt feel guilty spamming freedns lmao.

Encrypt-Keeper@lemmy.world · 5 days ago

At that point you might be better off just using Nginx without the gui. SWAG is a nice reverse proxy focused implementation of it.

merthyr1831@lemmy.ml · 5 days ago

I spent far too much on my domain (£3.86 for the year) to change course now!

Encrypt-Keeper@lemmy.world · 5 days ago

You having a domain or not has no bearing on which of these you use lol

merthyr1831@lemmy.ml · 4 days ago

my laziness does though! ill keep that service in mind though :)

Tinkerer@lemmy.ca · 5 days ago

This the main reason I switched from traefik, I can have certificates on all my internal stuff and not just on my docker host. I personally love NPM but maybe I’ll give NPMPlus a try, I have never heard of it.

Krill@feddit.uk · 5 days ago

Ok, stupid question from a stupid person: if I have a phone connected to a local WiFi network, and I type in the URL of a subdomain which points make to that same network ie a hosted service on a home server, what route does the data take from the service back to my phone?

pulsewidth@lemmy.world · 4 days ago

Simple question but can be a complex answer. Basically it depends where your phone gets DNS from: if it’s using the ISP DNS (or some other public DNS server) it will resolve the public internet IP of your server and the data will route out to the ISP WAN before being routed back in.

On the other hand you can configure a split DNS system, so say you are using your modem/gateway as your DNS server and it forwards DNS queries up to your ISP (or other) DNS server - a common setup, 1. you can add in a static host entry for your local server. Eg ‘yourservice.yourserverdomain.com = 192.168.1.20 (your server’s LAN IP)’

Now when your phone is on the WiFi and it looks up your server’s address it gets the local IP and routes locally, which will be faster.

If you need more info, search for terms like ‘reverse proxy split DNS best practice’.

Krill@feddit.uk · 4 days ago

Thanks!

ikidd@lemmy.world · 5 days ago

Stick with Traefik if you’ve figured it out. It’s much more powerful than NPM in my opinion. If you insist on using NPM, you might want to try NPMPlus, it has more bells and whistles and is more actively maintained.

Lena@gregtech.eu · 5 days ago

Yeah I’ll stick with Traefik, I know how to use it

Hawk@lemmynsfw.com · 4 days ago

If you’re just going to VPN in to your home network, I’ve found caddy to be the simplest.

Semjaza@lemmynsfw.com · 4 days ago

I tried using PiVPN to route my phone’s Internet access through my home network, but it kept breaking and I found I don’t have a head for networks.

Would caddy be able to do that in an easier to maintain way?

Hawk@lemmynsfw.com · 4 days ago

Set up wireguard in a docker container and then forward the port to wireguard, the default container on docker hub is fairly straightforward and you can always ask me for help if you need :).

However, If you are using ipv4, you need to make sure that you’re not behind a CG-NAT (If you think you might be, call your ISP and tell them you have security cameras that need to get out or something like that).

You could also try tailscale which is built using wireguard with nat-busting features and a bit easier to configure (I dont personally use it as wireguard is sufficient for me).

After that Caddy + DNSMasq will simply allow you to map different URLs to IP addresses

dnsmasq
- will let you map, E.g. my_computer -> 192.168.1.64
Caddy (Or nginx, but caddy is simpler)
- will let you map to ports so e.g.:
  - with DNS (DNSMasq as above)
    - http://dokuwiki.my_computer -> http://my_computer:8080
  - Without DNS
    - http://dokuwiki.192.168.1.64 -> http://192.168.1.64:8080

Caddy and DNSmasq are superfluous, if you’ve got a good memory or bookmarks, you don’t really need them.

VPN back into home is a lot more important. You definitely do not want to be forwarding ports to services you are running, because if you don’t know what you’re doing this could pose a network security risk.

Use the VPN as the entry point, as it’s secure. I also recommend running the VPN in a docker / podman container on an old laptop dedicated just to that, simply to keep it as isolated as you can.

Down the line you could also look into VLan If your router supports that.

I personally would not bother with SSL If you’re just going to be providing access to trusted users who already have access to your home network.

If you are looking to host things, just pay for a digital droplet for $7 a month, It’s much simpler, You still get to configure everything but you don’t expose your network to a security risk.

Semjaza@lemmynsfw.com · 4 days ago

Thank you, that looks like a good set of hooks for me to get into at a weekend, child allowing.

I very much appreciate the guide. I’ll let you know when I’ve had a fiddle.

Tenkard@lemmy.ml · 5 days ago

Caddy. I started with npm but I realized it was hiding enough stuff that I wasn’t learning anything about managing networking. Caddy is super easy and has lot of sane defaults.

icmpecho@lemmy.ml · 4 days ago

same, i’ve been very happy with Caddy, even with lots of subdomains and weird configs it’s been rock solid.