I have been self-hosting for a while now with Traefik. It works, but I’d like to give Nginx Proxy Manager a try, it seems easier to manage stuff not in docker.
Edit: btw I’m going to try this out on my RPI, not my hetzner vps, so no risk of breaking anything
For a while now I’ve been using either haproxy or nginx depending on my needs. I’ve hit instances with both where the functionality I want is in the paid version.
I use Synology integrated reverse proxy, stupidly simple and always works for me (only if IPv6 doesn’t fuck up itself, I can’t fallback to IPv4 because that is CGNATED), if I am missing features that other options have I would like to know :)
I’ve looked at it but never actually given the Synology proxy a go despite using their DNS server. Does it do auto certificate renewal?
Have you considered using a Cloudflare tunnel to bypass the CGNAT? You can do that into a proxy or straight into the service.
Does it do auto certificate renewal?
Yes.
Have you considered using a Cloudflare tunnel to bypass the CGNAT?
I did before when I had some free domain over there, but I don’t think there are any worthy free domains out there anymore, and even when they are cheap, I really don’t need it and don’t feel comfortable to pay for something that I can’t use in its fullest (due to CGNAT).
For example, I am aware cloudflare tunnels can’t be used for a Plex/Video streaming and that is the number 1 service that I want to be exposed to the Internet.
For now I am living with my IPv6 address and the Synology DDNS with the reverse proxy features… My personal fallback are Tailscale and Zerotier.
I highly recommend npm. It’s also the only one I’ve used, so please keep that in mind.
having tried many in past, i always go back to haproxy. it has everything required as proxy and load balancer while also being very efficient.
I use both, Traefik on my docker host that’s also used for trying out new stacks, and NPM at work for a config that won’t change (ever, probably).
Yes, the NPM web ui is somewhat easier in regard to proxying targets outside Docker.
I use nginx as the internet facing proxy, write my own config and manage it with source control. Also use traefik in docker land with service labels to configure it
In my experience, all the 3 big ones work just fine. Caddy, Traefik, Nginx. I use Nginx.
I have had the same experience. Have used all three at some point but mostly use nginx for new servers
I’ve been using caddyserver for awhile and love it. Config is nicely readable and the defaults are very good.
Nginx for my intranet because configuration is fully manual and I have complete control over it.
Caddy for the public services on my vps because it handles cert renewal automatically and most of its configuration is magic which just works.
It is unbelievable how shorter caddy configuration is, but on my intranet:
- I don’t want my reverse proxy to dial on internet to try to fetch new SSL certs. I know it can be disabled, but this is the default.
- I like to learn how stuff works, Nginx forces you to know more details but it is full of good documentation so it is not too painful compared to Caddy.
You can easily get automatic renewal for nginx using certbot.
Yes, but it is a different cron job that needs to run, and you need to monitor it for failures. Caddy does everything out of the box, including retries.
I switched to caddy just for the certs. I get trusted certs on all my internal subdomains without maintenance.
I use haproxy, nginx and caddy at work including a caddy instance with internal CA. 4 lines in config and its signed by our normal CA, so its trusted by all our devices.
I use NPM in a docker container. It could not be easier in my opinion but then again, I did not use any of the alternatives so I might be missing out on something, who knows. I did manage a couple of proxy servers in the past based on Apache and I can tell you that NPM is much easier and logical to me than that.
Just create a compose file and start it. Create DNS records pointing to your NPM IP address/exposed IP and make a host in NPM sending traffic to the right container IP:port. The compose file is super simple, could not be easier. Here’s mine for example:
services: nginx-proxy-manager: container_name: nginx-proxy-manager image: 'jc21/nginx-proxy-manager:latest' restart: always ports: - '80:80' - '443:443' volumes: - ./data:/data - ./letsencrypt:/etc/letsencryptI just make sure ports 443 and 80 are exposed on my router so DNS records can point to that IP adrdess. All traffic on port 80 gets re-routed to 443.
I’m probably stating all the obvious things here 😀
I mean yes, that seems obvious now that I’ve learned this.
But I wish I read this comment 3 years ago when I was starting to dive into self hosting. Would have saved me a bunch of time. So always assume some piece of knowledge is not obvious for someone out there and share ᕕ( ᐛ )ᕗ
So always assume some piece of knowledge is not obvious for someone out there and share
You just described a thing of mine I cannot help but do; explain the ever loving crap out of things
I need to be careful with that though as relatives start to complain and push back on me telling things over and over.
Thing is, until I see a full comprehension on the other side on what I try to convey I just keep explaining in variations, keep finding metaphors and keep pestering you until you ‘get it’. Some say it is a virtue, some say it is a hindrance.I have had therapy on this… 😂
Hahaha, I can totally relate. I think we should think of it as a virtue. Continue the good work 💪
This the main reason I switched from traefik, I can have certificates on all my internal stuff and not just on my docker host. I personally love NPM but maybe I’ll give NPMPlus a try, I have never heard of it.
Ok, stupid question from a stupid person: if I have a phone connected to a local WiFi network, and I type in the URL of a subdomain which points make to that same network ie a hosted service on a home server, what route does the data take from the service back to my phone?
Simple question but can be a complex answer. Basically it depends where your phone gets DNS from: if it’s using the ISP DNS (or some other public DNS server) it will resolve the public internet IP of your server and the data will route out to the ISP WAN before being routed back in.
On the other hand you can configure a split DNS system, so say you are using your modem/gateway as your DNS server and it forwards DNS queries up to your ISP (or other) DNS server - a common setup, 1. you can add in a static host entry for your local server. Eg ‘yourservice.yourserverdomain.com = 192.168.1.20 (your server’s LAN IP)’
Now when your phone is on the WiFi and it looks up your server’s address it gets the local IP and routes locally, which will be faster.
If you need more info, search for terms like ‘reverse proxy split DNS best practice’.
Thanks!
Caddy all the way!
Seconding Caddy. I’ve been using it for a couple of years now in an LXC and it’s been very easy to setup, edit and run.
Traefik is a PITA.
Caddy all the way. If you build it with Docker support (or grab the prebuilt), you can use docker container names to reverse proxy using names instead of any IP addresses or ports. It’s nice because if the IP updates, so does caddy. All automatically.
Here’s what my caddyfile looks like;
{ acme_dns cloudflare {key} } domain.dev { encode zstd gzip root * /var/www/html/domain.dev/ php_fastcgi unix//run/php/php8.1-fpm.sock tls { dns cloudflare {key} } } *.domain.dev { encode zstd gzip tls { dns cloudflare {key} } @docker host docker.domain.dev handle @docker { encode zstd gzip reverse_proxy {portainer} } @test host test.domain.dev handle @test { encode zstd gzip reverse_proxy 127.0.0.1:10000 } @images host i.domain.dev handle @images { encode zstd gzip reverse_proxy 127.0.0.1:9002 } @proxy host proxy.domain.dev handle @proxy { encode zstd gzip reverse_proxy proxy } @portal host portal.domain.dev handle @portal { encode zstd gzip reverse_proxy portal } @ping host ping.domain.dev handle @ping { encode zstd gzip respond "pong!" } }DNS hosted by cloudflare but because caddy handles ACME certs, all the subdomains automatically get SSL.
Actually I found traefik rather easy, I just had to make the proper docker labels and config.
PITA
Unrelated, I’m going to sound like a grammar nazi here, but holy shit there are so many acronmys, how am I supposed to know every one of them without googling? Please just say “traefik is a pain in the ass”. Also please don’t take this as a snarky reply.
PITA = pain in the ass.
I never said it was hard. Just a real pain in the ass. Like iptables vs UFW. They’re the same thing, but one is easy and a pain in the ass and the other is just easy… So I opt to make my life easier. lol
I like NPM, it’s simple, but also allows for more complex configs as well if needed. I run it in its own LXC because I have other non-dockerized things that are exposed.
it seems easier to manage stuff not in docker
Read into Traefik’s dynamic configuration. Adding something outside of Docker is as easy as adding a new config file in the dynamic configuration folder. E.g.
jellyfin.yml:http: routers: jellyfin: rule: Host(`jellyfin.example.org`) entrypoints: websecure tls: certResolver: le service: jellyfin services: jellyfin: loadbalancer: servers: - url: "http://192.168.1.5:8096/"The moment you save that file it will be active and working in Traefik.
