This video: https://www.youtube.com/watch?v=qlcVx-k-02E or this video: https://www.youtube.com/watch?v=jx6T6lqX-QM That is all you need to know to successfully set it up. They are really good. Good luck! π
this post was submitted on 19 May 2025
91 points (95.0% liked)
Selfhosted
46685 readers
334 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (donβt cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
I know this is beyond the scope of your question but you are at a very similar place like i was over a year ago.
For the reverse proxy you want ingnx manager and it will handle all of your reverse proxies just fine.
But what i really want to recommend is to change up that debian into proxmox,
Proxmox is a debian based efficient server OS. Basically every service you run now can Easily be run as its own isolated container with very little overhang.
Best of all there is a community for Helper script that will install entire services including Nginx but even nextcloud from a single command.
https://community-scripts.github.io/ProxmoxVE/scripts?id=nginxproxymanager
Thx I appreciate the input. I have already a lot of things set up on the server and switching now would be painful and time consuming. I also use docker in conjunction with kvm-qemu and had I known about proxmox a month ago I would not have construct it at such but alas. I will however in the future get another hardware which I will use as a home server and I will definitely give proxmox a shot.
Unrealted but Alpine Linux is based af!
There's Nginx proxy manager if you want to set it up. But I'd rather go with Tailscale instead.
tailscale is not the same as nginx or any reverse proxy, though. I don't expose anything publicly, but I still wouldn't stop using a reverse proxy
Ok, fair enough.
While using a web server before your self hosted micro services is the obvious answer and caddy the easier to configure, as a beginner you should also consider taiscale funnels. You dont need to mess with router stuff like port forward or caring if you ISP have your router behind a cgnat which is kinda norm nowadays , also dont have to care for a domain name dynamic DNS stuff . You could have a look to my quick how to . All you need is running a script , the ports and desired names of your subdomains and your tailscale auth key. https://ippocratis.github.io/tailscale/
Well I already got static IP from my ISP and configured Wireguard on my directly on my router so I think I'm good.
The funnel exposes your local services to the public over https . Like what you want to accomplish with reverse proxy . Its just more straightforward for a beginner.
Personally I closed my router ports and switched to tailscalr funnels after using caddy with mutual TLS for years.
The funnel exposes your local services to the public over https . Like what you want to accomplish with reverse proxy .
they did not say they want it public, and that's an additional security burden they may not need
He he didnt but thats what he meant
I mean 99% of users use reverse proxy for https public access
Also read the threat replies ...
That's what this thread is about
..........
No?
if that's true, I assume it is because they don't know about the security consequences, nor about more secure ways. and for 99% that is the worst solution, because they won't tighten security with a read only filesystem, DMZ and whatnot, worse, they won't be patching their systems on schedule, but maybe in a year.
99% users should not expose any public services other than wireguard or something based on it. on a VPS the risk my be lower, but on a home network, hell no!
Ok I'm not any networking expert but I think you are overestimating the risk here.
Opening a port doesn't mean you are opening your whole home network just the specific services you want. And those not directly but with a web server in front of them . Web servers talked in this tgread that sit in front of open ports are well audited . I think that measures like mtls a generic web server hardening are more than ok to not ever be compromised.
But yeah I'm surely interested to listen if you could elaborate.
Thanks
Opening a port doesn't mean you are opening your whole home network just the specific services you want.
until a new high severity vulnerability gets discovered and some bot exploits it on your server, taking it over. and you won't even know. if they were a bit smart, you won't notice it ever either.
but there's more! its not only the reverse proxy that can be exploited! over the past few years, jellyfin has patched a dozen vulnerabilities, some of which allowed execution of arbitrary system commands. one of the maintainers have expressed that nobody should be running those old versions anymore, because they are not safe even only on the LAN. and this was just jellyfin.
maybe silly question but does tailscale tunnel operate in a similar fashion to a cloud flare tunnel? as in you can remotely access your internal service over https?
Yes that's exactly what they do
Did traefik become uncool? I only read about caddy/nginx/ha here.
my last experience with it was a half empty documentation, and a config structure that signaled to me that they dropped a lot of features for v2 release that they initially wanted to have, which has additionally made understanding their config structure harder. and that hasn't improved for years.
I think it's still one of the best solutions.
Reverse proxying was tricky for me, I started with Nginx Proxy Manager and it started out fine, was able to reverse proxy my services in the staging phase however, once I tried to get production SSL/TLS certificates it kept running into errors (this was a while ago I canβt remember exactly) so that pushed me to SWAG and swag worked great! Reverse proxying was straight forward, SSL/TLS certificates worked well however, overall it felt slow, so now Iβm using Traefik and so far have no complaints.
Itβs honestly whatever works for you and what you prefer having.
Since your a beginner, youll find nginx proxy manager easiest, it has a nice ui, and at this stage you are probably less intrested in the 10/10 fastest lighweight setup and more intrested in getting stuff working.
I recommend Caddy. It's very easy to deploy, and configuring it is a snap. This tutorial helped me out a bunch. There is a Docker version of Caddy, tho I have never used it. I figured, Caddy would do better installed on bare metal. I use Caddy in conjunction with Duckdns.org. Caddy also takes care of renewing your certs when it's time.
view more: next βΊ