submitted 2 weeks ago by [email protected] to c/[email protected]

Hi everybody.

How should I set up a reverse proxy for my services? I've got things like jellyfin, immich and bitwarden running on my Debian server in docker. So should I install something like nginx for each of these also in docker? Or should I install it from the repository and make configs for each of these docker services?

Btw I have no idea how to use something like nginx or caddy but I would still like to learn.

Also can you use nginx for multiple services on the same port, like (443)?

[-] [email protected] 45 points 2 weeks ago

Caddy

It’s three lines of configuration

jellyfin.example.com {
  reverse_proxy http://localhost:8083/
}

Automatic https with Let's Encrypt, simplicity of a single binary, downgrade is as simple as replace binary & restart service.

[-] [email protected] 22 points 2 weeks ago

Fucking hell why do I use Apache 😂

[-] [email protected] 6 points 2 weeks ago

Because you love the pain that comes with pulling your own hair out, one fistful at a time.

[-] [email protected] 5 points 2 weeks ago

How does my DNS know where to look for this?

[-] [email protected] 10 points 2 weeks ago* (last edited 2 weeks ago)
  1. you rent a domain

  2. in the config (provided by the service where you rented the domain) you set it to point to the IP of the device where you run caddy

  3. the service tells the relevant global DNS servers your setting

  4. your DNS does a DNS lookup and a DNS server returns the IP you configured it to point to


Depending on the DNS you use, you can manually add entries to do 1-3 differently, but that will only work for devices that use your DNS and is hard.

[-] [email protected] 2 points 2 weeks ago

Is this a local address or a public IP address?

I just want the resolving internal to my network but I never got it working right.

[-] [email protected] 5 points 2 weeks ago* (last edited 2 weeks ago)

I'm not the guy you replied to but personally I use a setup called split-horizon DNS.

  1. I have a DNS server running on a raspberry pi which I have set up as the DNS server for all devices in my local network (by setting it in the router).
  2. This DNS server has my domain name as an A record pointing to my reverse-proxy (Nginx Proxy Manager), e.g. example.com would resolve to 192.168.0.100.
  3. Any subdomain I want to use is set up as a CNAME record in my DNS server referring to the previously configured A record with my domain. (jellyfin.example.com => example.com)
  4. Now all requests to the registered domain and subdomain are routed to my reverse-proxy which I configured to forward them to the correct service depending on the given subdomain.

This is a little bit of a simplification. I also use a cloudflare tunnel to allow access to select subdomains and I have 2 reverse-proxies chained together since NPM can resolve services by their container name as long as they are in the same docker network.

Also probably important: My DNS server was a pi-hole (until today at least) and did not act as my DHCP server. This meant it had no idea of local device hostnames and therefore was configured to forward queries to local device names to my router's built-in DNS server.

The domain I use for my services is one I rent from a registrar so that I can get valid SSL certificates without self-signing them. If you are fine with self-signed certificates or simple http you probably don't need to do that.
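The split-horizon behaviour described in the comment above, as an added example that is not part of the original comment: it answers each lookup from the LAN resolver's records first and falls back to public DNS, then flags local names that LAN clients would not reach on a private address. All records and addresses are constructed assumptions (203.0.113.10 is a documentation address).

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records (assumptions): overrides on the LAN resolver ...
LOCAL = {
    "example.com": ("A", "192.168.0.100"),                  # reverse proxy on the LAN
    "jellyfin.example.com": ("CNAME", "example.com"),
    "photos.example.com": ("CNAME", "immich.example.com"),  # target missing locally
}
# ... and what public DNS would answer for the same domain.
PUBLIC = {
    "example.com": ("A", "203.0.113.10"),
    "jellyfin.example.com": ("CNAME", "example.com"),
    "immich.example.com": ("A", "203.0.113.10"),
}


def resolve(name, local, upstream, max_hops=8):
    """Answer each hop from local records first, then upstream.

    Returns (ip, source_of_final_answer), or None for NXDOMAIN or a CNAME loop.
    """
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        if name in local:
            (rtype, value), source = local[name], "local"
        elif name in upstream:
            (rtype, value), source = upstream[name], "upstream"
        else:
            return None
        if rtype == "A":
            return value, source
        name = value.lower().rstrip(".")   # CNAME: look the target up again
    return None


def audit_lan_view(local, upstream):
    """Report local names that do not end on an RFC 1918 address for LAN clients."""
    findings = {}
    for name in sorted(local):
        answer = resolve(name, local, upstream)
        if answer is None:
            findings[name] = "does not resolve"
            continue
        ip = ipaddress.ip_address(answer[0])
        if not any(ip in net for net in RFC1918):
            findings[name] = f"leaves the LAN via {answer[0]} ({answer[1]})"
    return findings


if __name__ == "__main__":
    print("LAN client:   ", resolve("jellyfin.example.com", LOCAL, PUBLIC))
    print("outside client:", resolve("jellyfin.example.com", {}, PUBLIC))
    print("audit:", audit_lan_view(LOCAL, PUBLIC))
```
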

[-] [email protected] 2 points 2 weeks ago

I'm looking to do something like this. I'm uneasy about having the registered domain pointing towards my IP address (partially because I'm unsure of the exact risks and partially because I'd rather do it internally if possible).

You said you were using pihole. What did you change to and why did you change? Pihole seems the most recommended from what I've seen?

[-] [email protected] 3 points 2 weeks ago

I've got the external IP addresses down pat. I'm with you in that I've never quite figured out how to do the same with local IP addresses.

[-] [email protected] 3 points 2 weeks ago

If you don't want to rent a domain, but you run a local DNS server (pihole, technitium) for filtering or other reasons, you can register your own domain names in there, for free. But don't use common TLDs to avoid conflicts, and leave ".local" alone too because that's used by mdns/avahi. You may use .home, .lan, or a few others I don't know without looking them up.

[-] [email protected] 15 points 2 weeks ago* (last edited 2 weeks ago)

I use Nginx Proxy Manager running as a docker container. It's a GUI that makes administration more straightforward. It points at all my services (docker and otherwise) and handles the SSL for me. Because I don't want to have any ports open I use DNS challenge ACME, and NPM has built-in support for a number of APIs from large public DNS providers to automate that.

[-] [email protected] 3 points 2 weeks ago

This plus technitium DNS is exactly my approach.

[-] [email protected] 10 points 2 weeks ago

I prefer doing nginx on the host (vs a container), & have different configs for each service. You can have multiple services on the same port, it can be controlled via DNS instead (i.e.: access Jellyfin.domain.com & bitwarden.domain.com, both on 443).

I've tried Caddy once or twice but couldn't get it working, so I just stick with nginx & certbot to automatically get certificates from my internal CA.

[-] [email protected] 4 points 2 weeks ago

Yeah but when I last tried nginx on my bitwarden host and another on my jellyfin host I could access the one for bitwarden on port 81 of my server but couldn't access the other nginx web page on port 85 even though I have written it in the docker compose file and the port 85 was also open on my server.

[-] [email protected] 5 points 2 weeks ago

It looks like jhdeval mentioned this already, but you may need to review your config file. By default, you would likely have nginx listening on ports 80 & 443 for requests to a specific address (i.e.: jellyfin.domain.com) which would be configured in your DNS, & then nginx would direct the Jellyfin 443 traffic to port 85 to access Jellyfin. Same principle for Bitwarden. If you have your nginx config files, I / we could take a look & see if we spot any issues.

[-] [email protected] 1 points 2 weeks ago

I currently cannot post it here and also since it didn't work the first time I'm using only http for jellyfin and immich but I can later post the docker config for bitwarden.

[-] [email protected] 2 points 2 weeks ago

I'm doing the same with Apache in a container. Using Let's Encrypt with DNS challenge for SSL certificate. The DNS records point to the reverse proxy IP which is only accessible via VPN (Tailscale). 😂

[-] [email protected] 6 points 2 weeks ago* (last edited 2 weeks ago)

There's Nginx proxy manager if you want to set it up. But I'd rather go with Tailscale instead.

[-] [email protected] 6 points 2 weeks ago

Tailscale is not the same as nginx or any reverse proxy, though. I don't expose anything publicly, but I still wouldn't stop using a reverse proxy.

[-] [email protected] 6 points 2 weeks ago

Since you're a beginner, you'll find nginx proxy manager easiest, it has a nice UI, and at this stage you are probably less interested in the 10/10 fastest lightweight setup and more interested in getting stuff working.

[-] [email protected] 5 points 2 weeks ago

Did traefik become uncool? I only read about caddy/nginx/ha here.

[-] [email protected] 2 points 2 weeks ago

My last experience with it was a half empty documentation, and a config structure that signaled to me that they dropped a lot of features for v2 release that they initially wanted to have, which has additionally made understanding their config structure harder. And that hasn't improved for years.

[-] [email protected] 5 points 2 weeks ago* (last edited 2 weeks ago)

IMO, look into the linuxserver.io fork of NGINX, called SWAG.

It comes preloaded with a bunch of fantastic addons for security.

Quite easy to get set up, if you've got an idea about how it works.

[-] [email protected] 4 points 2 weeks ago

Reverse proxying was tricky for me. I started with Nginx Proxy Manager and it started out fine, was able to reverse proxy my services in the staging phase; however, once I tried to get production SSL/TLS certificates it kept running into errors (this was a while ago, I can’t remember exactly) so that pushed me to SWAG and SWAG worked great! Reverse proxying was straightforward, SSL/TLS certificates worked well; however, overall it felt slow, so now I’m using Traefik and so far have no complaints.

It’s honestly whatever works for you and what you prefer having.

[-] [email protected] 4 points 2 weeks ago

Nginx Proxy Manager was easy to learn as a beginner. I'd recommend it as a learning tool, if nothing else, and if you want to switch to other solutions later you can.

[-] [email protected] 3 points 2 weeks ago* (last edited 2 weeks ago)

You'd install one reverse proxy only and make that forward to the individual services. Popular choices include nginx, Caddy and Traefik. I always try to rely on packages from the repository. They're maintained by your distribution and tied into your system. You might want to take a different approach if you use containers, though. I mean if you run everything in Docker, you might want to do the reverse proxy in Docker as well.

That one reverse proxy would get port 443 and 80. All services like Jellyfin, Immich... get random higher ports and your reverse proxy internally connects (and forwards) to those random ports. That's the point of a reverse proxy, to make multiple distinct services available via just one and the same port.
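The one-port, many-services routing described in the comment above, as an added example that is not part of the original comment: a small Host-header router showing how one listener picks a backend by requested name and refuses names it does not know. Hostnames, backend ports and the listen port 8443 are assumptions, and TLS termination is left out.

```python
"""Host-header router: one listening port, several backends (added example)."""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed route table: hostnames and backend ports are assumptions.
ROUTES = {
    "jellyfin.example.com": ("127.0.0.1", 8096),
    "immich.example.com": ("127.0.0.1", 2283),
    "bitwarden.example.com": ("127.0.0.1", 8080),
}


def pick_upstream(host_header, routes=ROUTES):
    """Map a Host header to (ip, port); None means 'not one of ours'."""
    if not host_header:
        return None
    name = host_header.strip().lower()
    if name.startswith("["):                   # IPv6 literal, never a configured name
        return None
    name = name.split(":", 1)[0].rstrip(".")   # drop ":443" and a trailing dot
    return routes.get(name)                    # exact match only, no suffix matching


class HostRouter(BaseHTTPRequestHandler):
    def do_GET(self):
        upstream = pick_upstream(self.headers.get("Host"))
        if upstream is None:
            # Default deny: unknown names never fall through to a backend.
            self.send_error(421, "No service configured for this host")
            return
        conn = http.client.HTTPConnection(*upstream, timeout=5)
        try:
            conn.request("GET", self.path, headers={
                "Host": self.headers["Host"],
                "X-Forwarded-For": self.client_address[0],
            })
            resp = conn.getresponse()
            body = resp.read()
        except (OSError, http.client.HTTPException):
            self.send_error(502, "Upstream unreachable")
            return
        finally:
            conn.close()
        self.send_response(resp.status)
        self.send_header("Content-Type",
                         resp.getheader("Content-Type", "text/plain"))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 8443 is an assumption so the demo runs unprivileged; plain HTTP only.
    ThreadingHTTPServer(("127.0.0.1", 8443), HostRouter).serve_forever()
```

With nginx or Caddy the same decision is made by `server_name` or the site address; the backends only need to listen on 127.0.0.1 because the proxy is the single entry point.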

[-] [email protected] 2 points 2 weeks ago

And if I wanted to install nginx from the debian repo and make the config file for the immich docker instance, bitwarden docker instance... what would the config files and ssl certificates for nginx look like?

[-] [email protected] 2 points 2 weeks ago

That question is a little bit out of the scope of a forum like this. A question like that would better be answered by the nginx documentation. Sometimes the project documentation might have a blurb about nginx configuration specific for that project. For example, Immich.

For the most part, you only have to reference the nginx documentation. I've never looked at the Immich config above until now, and my Immich server works great.

I've had a reverse proxy for years, but the config files are very foreign to me because I use Nginx-Proxy-Manager. NPM makes nginx usable for dummies like me, at the expense of gaining a deeper understanding of how it works. I'm ok with that, but you might feel differently.

[-] [email protected] 2 points 2 weeks ago* (last edited 2 weeks ago)

Maybe have a look at https://nginxproxymanager.com/ as well. I don't know how difficult it is to install since I never used it, but I heard it has a relatively straight-forward graphical interface.

Configuring good old plain nginx isn't super complicated. It depends a bit on your specific setup, though. Generally, you'd put config files into /etc/nginx/sites-available/servicexyz (or put it in the default)

server {
    listen 80;
    server_name jellyfin.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name jellyfin.yourdomain.com;

    ssl_certificate /etc/ssl/certs/your_ssl_certificate.crt;
    ssl_certificate_key /etc/ssl/private/your_private_key.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://127.0.0.1:8096/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    access_log /var/log/nginx/jellyfin.yourdomain_access.log;
    error_log /var/log/nginx/jellyfin.yourdomain_error.log;
}

It's a bit tricky to search for tutorials these days... I got that from: https://linuxconfig.org/setting-up-nginx-reverse-proxy-server-on-debian-linux

Jellyfin would then take all requests addressed at jellyfin.yourdomain.com and forward that to your Jellyfin which hopefully runs on port 8096. You'd use a similar file like this for each service, just adapt them to the internal port and domain.

You can also have all of this on a single domain (and not sub-domains). That'd be the difference between "jellyfin.yourdomain.com" and "yourdomain.com/jellyfin". That's accomplished with one file with a single "server" block in it, but make it several "location" blocks within, like location /jellyfin

Alright, now that I wrote it down, it certainly requires some knowledge. If that's too much and all the other people here recommend Caddy, maybe have a look at that as well. It seems to be packaged in Debian, too.

Edit: Oh yes, and you probably want to set up Letsencrypt so you connect securely to your services. The reverse proxy would be responsible for encryption.

Edit2: And many projects have descriptions in their documentation. Jellyfin has documentation on some major reverse proxies: https://jellyfin.org/docs/general/post-install/networking/advanced/nginx

[-] [email protected] 2 points 2 weeks ago

Omg thank you very much. I'll definitely look it up.

[-] [email protected] 3 points 2 weeks ago

A lot of people aren't big fans of Nginx Proxy Manager, which is separate from Nginx. But I like it. It's got a nice gui, and the part I really like is the letsencrypt ssl certs baked in. You can get a new one, for a new service with a click of a button, and it auto renews your certs, so you don't have to worry about it once it's set up.

[-] [email protected] 3 points 2 weeks ago

I know this is beyond the scope of your question but you are at a very similar place to where I was over a year ago.

For the reverse proxy you want nginx manager and it will handle all of your reverse proxies just fine.

But what I really want to recommend is to change up that debian into proxmox.

Proxmox is a debian based efficient server OS. Basically every service you run now can easily be run as its own isolated container with very little overhang.

Best of all, there is a community for helper scripts that will install entire services, including Nginx but even nextcloud, from a single command.

https://community-scripts.github.io/ProxmoxVE/scripts?id=nginxproxymanager

[-] [email protected] 2 points 2 weeks ago

Thx I appreciate the input. I already have a lot of things set up on the server and switching now would be painful and time consuming. I also use docker in conjunction with kvm-qemu and had I known about proxmox a month ago I would not have constructed it as such but alas. I will however in the future get another piece of hardware which I will use as a home server and I will definitely give proxmox a shot.

Unrelated but Alpine Linux is based af!

[-] [email protected] 3 points 2 weeks ago

What is your goal, simplest to configure? Industry standard? Secure options set by default? Do you need a GUI or are you fine with config files?

[-] [email protected] 4 points 2 weeks ago

Something secure and easy to understand and set up for a beginner. The easier the better. I don't mind writing config files if I can understand them.

[-] [email protected] 2 points 2 weeks ago* (last edited 2 weeks ago)

Nginx Proxy Manager is probably your best bet at this stage. It’s a simple to use GUI with QOL features like automatic certificate acquisition built on top of the industry standard Nginx. It should do everything you need it to do and it’s hands down the easiest to get started with.

When you reach the point that you’re trying to do something outside the scope of Nginx Proxy Manager’s gui, that would be a good time to get into another solution that’s config file based. My weapon of choice here is Caddy. I LOVE how simple and minimal the configuration is and it does a lot of things by default that other solutions don’t.

Plain Nginx is a solid tool but working with it directly will be the least straightforward and beginner friendly of all the solutions. Only reason I’d recommend straight Nginx is if you want experience with it for work.

Traefik, don’t bother with until you have an actual reason to use it over other solutions (Like you’re getting into clustering or kubernetes or anything else that requires dynamic configuration instead of static.)

[-] [email protected] 3 points 2 weeks ago

I recommend Caddy. It's very easy to deploy, and configuring it is a snap. This tutorial helped me out a bunch. There is a Docker version of Caddy, tho I have never used it. I figured, Caddy would do better installed on bare metal. I use Caddy in conjunction with Duckdns.org. Caddy also takes care of renewing your certs when it's time.

[-] [email protected] 2 points 2 weeks ago

This video: https://www.youtube.com/watch?v=qlcVx-k-02E or this video: https://www.youtube.com/watch?v=jx6T6lqX-QM That is all you need to know to successfully set it up. They are really good. Good luck! 😊

[-] [email protected] 2 points 2 weeks ago

I was new to doing reverse proxy stuff but Nginx Proxy Manager made it really easy. A bit of doc reading, I probably watched a video or two, and it all made sense. Great clean UI and easy to install. (I run it on a Raspberry Pi.)

[-] [email protected] 1 points 2 weeks ago

Nginx, caddy and haproxy are 3 choices for a reverse proxy. The way a reverse proxy works is it looks on port 80 and 443 for requests to a DNS connection. Like say you want to go to jellyfin: you may have a DNS entry for jellyfin.personalsite.tld, and the reverse proxy will then take that and redirect the connection to the proper port and server behind your firewall. You do not need multiple reverse proxies. In the case of haproxy and nginx (the only ones I have experience with) you create a "back end connection" like explained above and it will redirect. In the case of nginx it is very small; I installed it natively and set up configs for each of my services for easy maintenance.

[-] [email protected] 1 points 2 weeks ago* (last edited 2 weeks ago)

This may be a controversial approach, but I recently had to set up reverse proxy along with DNS configuration and certificate handling. I pair programmed with an LLM.

My experience was this... I described what I wanted to set up, my objectives (like containerisation, zero touch deployment, idempotence, etc) and it gave me a starting point. It threw a few bad ideas in but I also asked it to help me stress test against the objectives. I think it's all just about working now. I learned a lot about shell, docker, nginx, terraform, VM metadata, data persistence, pulling it all in from a git repo, bootstrapping nginx with self-signed certificates, auto renewal, vscode devcontainers and more. Honestly I'm worried about what a pro would make of my code, but I made huge steps in a relatively short time. Disclaimer: I am a software engineer who was keen to learn this stuff and get moving quickly.

I would definitely consider this approach if you're new to the area.

this post was submitted on 19 May 2025
92 points (95.1% liked)
