What is a reverse proxy
In short, a reverse proxy is a webserver that is placed in front of other webservers and then forwards traffic to the requested webserver. The webserver then replies to the reverse proxy with the requested content which in turn forwards it to the client. With this setup a client is never directly connected to the content serving webserver.
Why use a reverse proxy
There are many reasons to implement a reverse proxy, the main reasons are security, performance and simplicity. In this post I’m mainly focusing on the security and simplicity aspects.
Security: I don’t want clients to directly connect to multiple machines in my network. I want as few servers/services accessible from the internet as possible.
Simplicity: unless you have multiple public IP’s (not really a thing for most homelabs) you can only expose ports 80 and 443 to one service. If you want to expose multiple services you would need to expose different ports and manually define them for each service. This is a pain to type or remember, and a reverse proxy solves this issue.
Install Nginx-Proxy-Manager with docker
Since this is a pretty bare bones docker install I’ll forward you to the installation page of the Nginx-Proxy-Manager project. Just make sure to note the ports that you set to talk to the container, by default these are 80, 81 and 443. 80 and 443 are used for the Reverse Proxy, while 81 is used to talk to the admin web interface.
Configure Port Forwarding on your router/firewall
Login to your router/firewall and forward port 80 and 443 to the ports that you picked for the container. For example if you changed 80 to 8080 make sure to forward port 80 from your firewall to port 8080 on the host that is running nginx-proxy manager.
Setting up the first reverse proxy
Open your browser to the nginx-proxy manager on port 81 (http://hostname:81).
Fill in the user information and change the password to something strong and secure.
Go to proxy hosts and select “Add Proxy Host”
The domain name would be how you want to access the site from the outside for instance test.roadtosysadmin.com. The scheme is for the internal website, if your webserver internally only serves http, pick http. Fill in the Hostname or IP form the webserver and the port that it answers to.
You can save these settings for now.
Pointing the domain name to your public IP
If you haven’t configured your (sub)domain go to your registrar or DNS provider and create and A record or CNAME that points to your public IP. Since every registrar is a bit different you’ll have to google this yourself if you’re not familiar with this. If you don’t have a static IP address (like many residential users) you can use a Dynamic DNS service (DDNS) like DuckDNS. If your A or CNAME record is created and points to your public IP/DDNS service, see if you can access your webpage in http, since we haven’t setup https yet. Note that it might take a couple hours for the changes to take effect.
Configure HTTPS/SSL
Go to SSL Certificates and click on “Add SSL Certificate”
Since Let’s Encrypt certs are free we’ll pick this one.
Type the domain or subdomain that you configured earlier. If you plan on using multiple subdomains in the future you can also use *.mydomain.com, this way you only need to renew one cert for all subdomains. Fill in the email you want to be notified on in case of renewal issues.
Agree to the terms and click on save.
If your certificate is configured you should now see and expiration date. Let’s Encrypt certs are only valid for 90 days, but the certbot will try to renew them after 30 days so it has plenty of time to retry in case of an issue. You will receive and email if the cert hasn’t been renewed 1 week before expiration.
Go back to the proxy host that you created earlier, click on the 3 dots on the side and pick “Edit”. Now go to the SSL tab and select the certificate from the drop down list. I recommend you also select the Force SSL switch while you’re in there.
Now browse to your site in https and see if everything is working as intended.
Additional security with Cloudflare Proxy
To add some extra security to your setup you can also use a Cloudflare proxy in front of your own reverse proxy. If you’re interested in this defiantly check out my next post.