Hi everybody.

How should I setup reverse proxy for my services? I’ve got things like jellyfin, immich a bitwarden running on my Debian server in docker. So should i install something like nginx for each of these also in docker? Or should I install it from repository and make configs for each of these docker services?

Btw I have no idea how to use something like nginx or caddy but i would still like to learn.

Also can you use nginx for multiple services on the same port like(443)?

  • ippocratis@lemmy.mlEnglish
    22·
    1 day ago

    While using a web server before your self hosted micro services is the obvious answer and caddy the easier to configure, as a beginner you should also consider taiscale funnels. You dont need to mess with router stuff like port forward or caring if you ISP have your router behind a cgnat which is kinda norm nowadays , also dont have to care for a domain name dynamic DNS stuff . You could have a look to my quick how to . All you need is running a script , the ports and desired names of your subdomains and your tailscale auth key. https://ippocratis.github.io/tailscale/

    • Octavusss@lemm.eeOPEnglish
      1·
      1 day ago

      Well I already got static IP from my ISP and configured Wireguard on my directly on my router so I think I’m good.

      • ippocratis@lemmy.mlEnglish
        21·
        1 day ago

        The funnel exposes your local services to the public over https . Like what you want to accomplish with reverse proxy . Its just more straightforward for a beginner.

        Personally I closed my router ports and switched to tailscalr funnels after using caddy with mutual TLS for years.

        • CapitalNumbers@lemm.eeEnglish
          1·
          17 hours ago

          maybe silly question but does tailscale tunnel operate in a similar fashion to a cloud flare tunnel? as in you can remotely access your internal service over https?

        • WhyJiffie@sh.itjust.worksEnglish
          0·
          16 hours ago

          The funnel exposes your local services to the public over https . Like what you want to accomplish with reverse proxy .

          they did not say they want it public, and that’s an additional security burden they may not need

          • ippocratis@lemmy.mlEnglish
            1·
            6 hours ago

            He he didnt but thats what he meant

            I mean 99% of users use reverse proxy for https public access

            Also read the threat replies …

            That’s what this thread is about

            No?

            • WhyJiffie@sh.itjust.worksEnglish
              1·
              2 hours ago

              if that’s true, I assume it is because they don’t know about the security consequences, nor about more secure ways. and for 99% that is the worst solution, because they won’t tighten security with a read only filesystem, DMZ and whatnot, worse, they won’t be patching their systems on schedule, but maybe in a year.

              99% users should not expose any public services other than wireguard or something based on it. on a VPS the risk my be lower, but on a home network, hell no!

              • ippocratis@lemmy.mlEnglish
                1·
                39 minutes ago

                Ok I’m not any networking expert but I think you are overestimating the risk here.

                Opening a port doesn’t mean you are opening your whole home network just the specific services you want. And those not directly but with a web server in front of them . Web servers talked in this tgread that sit in front of open ports are well audited . I think that measures like mtls a generic web server hardening are more than ok to not ever be compromised.

                But yeah I’m surely interested to listen if you could elaborate.

                Thanks