I have been self-hosting for a while now with Traefik. It works, but I’d like to give Nginx Proxy Manager a try, it seems easier to manage stuff not in docker.
Edit: btw I’m going to try this out on my RPI, not my hetzner vps, so no risk of breaking anything
You must log in or register to comment.
Caddy all the way!
Seconding Caddy. I’ve been using it for a couple of years now in an LXC and it’s been very easy to setup, edit and run.
Nginx from day one. Well documented, it works. If something doesn’t work chances are you are a quick googlefu away from the solution.
Traefik is a PITA.
Caddy all the way. If you build it with Docker support (or grab the prebuilt), you can use docker container names to reverse proxy using names instead of any IP addresses or ports. It’s nice because if the IP updates, so does caddy. All automatically.
Here’s what my caddyfile looks like;
{ acme_dns cloudflare {key} } domain.dev { encode zstd gzip root * /var/www/html/domain.dev/ php_fastcgi unix//run/php/php8.1-fpm.sock tls { dns cloudflare {key} } } *.domain.dev { encode zstd gzip tls { dns cloudflare {key} } @docker host docker.domain.dev handle @docker { encode zstd gzip reverse_proxy {portainer} } @test host test.domain.dev handle @test { encode zstd gzip reverse_proxy 127.0.0.1:10000 } @images host i.domain.dev handle @images { encode zstd gzip reverse_proxy 127.0.0.1:9002 } @proxy host proxy.domain.dev handle @proxy { encode zstd gzip reverse_proxy proxy } @portal host portal.domain.dev handle @portal { encode zstd gzip reverse_proxy portal } @ping host ping.domain.dev handle @ping { encode zstd gzip respond "pong!" } }DNS hosted by cloudflare but because caddy handles ACME certs, all the subdomains automatically get SSL.
Actually I found traefik rather easy, I just had to make the proper docker labels and config.
PITA
Unrelated, I’m going to sound like a grammar nazi here, but holy shit there are so many acronmys, how am I supposed to know every one of them without googling? Please just say “traefik is a pain in the ass”. Also please don’t take this as a snarky reply.
PITA = pain in the ass.
I never said it was hard. Just a real pain in the ass. Like iptables vs UFW. They’re the same thing, but one is easy and a pain in the ass and the other is just easy… So I opt to make my life easier. lol
Stick with Traefik if you’ve figured it out. It’s much more powerful than NPM in my opinion. If you insist on using NPM, you might want to try NPMPlus, it has more bells and whistles and is more actively maintained.
Yeah I’ll stick with Traefik, I know how to use it
Caddy. I started with npm but I realized it was hiding enough stuff that I wasn’t learning anything about managing networking. Caddy is super easy and has lot of sane defaults.
same, i’ve been very happy with Caddy, even with lots of subdomains and weird configs it’s been rock solid.
I’ll throw in another recommendation for Caddy. I’ve been using it for years and the few problems/feature suggestions I had got implemented by the developers pretty quickly. They’re super active on their forums and I haven’t yet run into an issue where I couldn’t either figure it out myself or with help from their community forums (usually from a dev.) They’re very friendly and won’t berate you for simple mistakes like other devs.
Caddy is the only reverse proxy I have ever managed to successfully make use of. I failed miserably with Nginix and Traefik.
Caddy has worked very well for me for several years now. It gets the SSL certificate from my domain name provider and all.
i use nginx proxy manager but im barely getting by. Theres zero useful documentation for setting up custom paths so everyone uses subdomains. I ended up buying my own domain just so i didnt feel guilty spamming freedns lmao.
At that point you might be better off just using Nginx without the gui. SWAG is a nice reverse proxy focused implementation of it.
I spent far too much on my domain (£3.86 for the year) to change course now!
You having a domain or not has no bearing on which of these you use lol
my laziness does though! ill keep that service in mind though :)
I use Traefik at home. The initial setup was more complex than others but now it’s set up it’s by far the easiest to add new routes than any other I’ve tried, just by virtue of being right there in the compose/k8s files I’m already writing. Static routes are manual of course, but so are every other proxy so that’s no different, and they’re not exactly complicated (I see another comment has examples). The config files are the same markup language as your Compose/k8s files so you’re not learning a whole new syntax and having to switch languages mentally as you switch between them.
Caddy is super easy, but the fact that the Docker labels thing was a plugin is a con to me, I’d prefer it being first party. It also isn’t as performant as Traefik, higher CPU usage while also having higher latency.
As far as I’m aware, Nginx and Nginx Proxy Manager support no such thing, you have to manually write those routes every time you create a new service. Personally I think Nginxs config syntax annoying, I’m very comfortable with it now but I much prefer TOML/YAML.
Nginx Proxy Manager is a lot like Portainer. It’s useful for people who don’t want to learn Nginx and/or just want to click a few buttons. But anything complex you’re suddenly going to be thrown into the deep end.
You’ve already set up Traefik, you’ve already done the complex bit. IMO there’s no reason to change, from this point everything else is more complicated.
We use Nginx at work but are currently in the process of switching to Traefik.
I use traefik. I like it. Took a bit to understand, but it has some cool options like ssl passthrough and middlewares for basic auth.
You can even use it to do the SSL part for a local non-SSL IMAP server. And, there’s a CrowdSec middleware as well, that will block blacklisted IPs.
but I’d like to give Nginx Proxy Manager a try, it seems easier to manage stuff not in docker.
NPM is pretty agnostic. If it receives a request for a specific address and port combination it just forwards the traffic to another specific address and port combination. This can be a docker container, but also can be a physical machine or any random URL.
It also has Let’s Encrypt included (but that should be a no-brainer).
I like NPM, it’s simple, but also allows for more complex configs as well if needed. I run it in its own LXC because I have other non-dockerized things that are exposed.
I’ve been mostly using Nginx Proxy Manager, but I recently set up Bunkerweb as a WAF for a couple of public services I’m hosting and I kind of like it. It does reverse proxy along with a bunch of other things (bad behavior blocking, geographic blocking, SSL cert handling, it does a lot).
Mentioning it because I didn’t see any other mention of it yet.
NPM is easy to use. Caddy sounds like something I’d like to try too now.
If you’re just going to VPN in to your home network, I’ve found caddy to be the simplest.
I tried using PiVPN to route my phone’s Internet access through my home network, but it kept breaking and I found I don’t have a head for networks.
Would caddy be able to do that in an easier to maintain way?
Set up wireguard in a docker container and then forward the port to wireguard, the default container on docker hub is fairly straightforward and you can always ask me for help if you need :).
However, If you are using ipv4, you need to make sure that you’re not behind a CG-NAT (If you think you might be, call your ISP and tell them you have security cameras that need to get out or something like that).
You could also try tailscale which is built using wireguard with nat-busting features and a bit easier to configure (I dont personally use it as wireguard is sufficient for me).
After that Caddy + DNSMasq will simply allow you to map different URLs to IP addresses
dnsmasq- will let you map, E.g.
my_computer->192.168.1.64
- will let you map, E.g.
- Caddy (Or nginx, but caddy is simpler)
- will let you map to ports so e.g.:
- with DNS (DNSMasq as above)
http://dokuwiki.my_computer->http://my_computer:8080
- Without DNS
http://dokuwiki.192.168.1.64->http://192.168.1.64:8080/
- with DNS (DNSMasq as above)
- will let you map to ports so e.g.:
Caddy and DNSmasq are superfluous, if you’ve got a good memory or bookmarks, you don’t really need them.
VPN back into home is a lot more important. You definitely do not want to be forwarding ports to services you are running, because if you don’t know what you’re doing this could pose a network security risk.
Use the VPN as the entry point, as it’s secure. I also recommend running the VPN in a docker / podman container on an old laptop dedicated just to that, simply to keep it as isolated as you can.
Down the line you could also look into VLan If your router supports that.
I personally would not bother with SSL If you’re just going to be providing access to trusted users who already have access to your home network.
If you are looking to host things, just pay for a digital droplet for $7 a month, It’s much simpler, You still get to configure everything but you don’t expose your network to a security risk.
Thank you, that looks like a good set of hooks for me to get into at a weekend, child allowing.
I very much appreciate the guide. I’ll let you know when I’ve had a fiddle.
I am using nginx on a separate machine (VM) I have yet to try it in docker, I just have not found a reason to change it yet.
I’ve tried npm, caddy and traefik but they are always way more complicated then adding a new config file in nginx…
I feel the others add too much to the docker configs and limit what can be added to the reverse proxy. I have control of access from the nginx server, without having to change the apps configuration.
NPM is the closest to what I would like (only needing the same network in docker) if I go the docker way but for some reason it never works as it should when I configure it. So I am sticking to plain nginx.
