this post was submitted on 19 May 2025
91 points (94.2% liked)


Hi everybody.

How should I set up a reverse proxy for my services? I've got things like Jellyfin, Immich and Bitwarden running on my Debian server in Docker. So should I install something like nginx for each of these, also in Docker? Or should I install it from the repository and make configs for each of these Docker services?

Btw I have no idea how to use something like nginx or Caddy, but I would still like to learn.

Also, can you use nginx for multiple services on the same port, like (443)?

[–] hendrik@palaver.p3x.de 3 points 4 days ago* (last edited 4 days ago) (1 children)

You'd install one reverse proxy only and make that forward to the individual services. Popular choices include nginx, Caddy and Traefik. I always try to rely on packages from the repository. They're maintained by your distribution and tied into your system. You might want to take a different approach if you use containers, though. I mean if you run everything in Docker, you might want to do the reverse proxy in Docker as well.

That one reverse proxy would get port 443 and 80. All services like Jellyfin, Immich... get random higher ports and your reverse proxy internally connects (and forwards) to those random ports. That's the point of a reverse proxy, to make multiple distinct services available via just one and the same port.

[–] Octavusss@lemm.ee 2 points 4 days ago (2 children)

And if I wanted to install nginx from the Debian repo and make the config file for the Immich Docker instance, Bitwarden Docker instance... what would the config files and SSL certificates for nginx look like?

[–] hendrik@palaver.p3x.de 2 points 4 days ago* (last edited 4 days ago) (1 children)

Maybe have a look at https://nginxproxymanager.com/ as well. I don't know how difficult it is to install since I never used it, but I heard it has a relatively straight-forward graphical interface.

Configuring good old plain nginx isn't super complicated. It depends a bit on your specific setup, though. Generally, you'd put config files into /etc/nginx/sites-available/servicexyz (or put it in the default)

server {
    # Plain HTTP: redirect every request to the HTTPS site
    listen 80;
    server_name jellyfin.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    # HTTPS site; nginx picks this block by the requested host name
    listen 443 ssl;
    server_name jellyfin.yourdomain.com;

    # Certificate and key, TLS versions and cipher suites
    ssl_certificate /etc/ssl/certs/your_ssl_certificate.crt;
    ssl_certificate_key /etc/ssl/private/your_private_key.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location / {
        # Forward to the service listening on the local port
        proxy_pass http://127.0.0.1:8096/;
        proxy_http_version 1.1;
        # Pass WebSocket upgrade requests through to the backend
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # Per-site log files
    access_log /var/log/nginx/jellyfin.yourdomain_access.log;
    error_log /var/log/nginx/jellyfin.yourdomain_error.log;
}

It's a bit tricky to search for tutorials these days... I got that from: https://linuxconfig.org/setting-up-nginx-reverse-proxy-server-on-debian-linux

Jellyfin would then take all requests addressed at jellyfin.yourdomain.com and forward that to your Jellyfin which hopefully runs on port 8096. You'd use a similar file like this for each service, just adapt them to the internal port and domain.

You can also have all of this on a single domain (and not sub-domains). That'd be the difference between "jellyfin.yourdomain.com" and "yourdomain.com/jellyfin". That's accomplished with one file with a single "server" block in it, but make it several "location" blocks within, like location /jellyfin

Alright, now that I wrote it down, it certainly requires some knowledge. If that's too much and all the other people here recommend Caddy, maybe have a look at that as well. It seems to be packaged in Debian, too.

Edit: Oh yes, and you probably want to set up Let's Encrypt so you connect securely to your services. The reverse proxy would be responsible for encryption.

Edit2: And many projects have descriptions in their documentation. Jellyfin has documentation on some major reverse proxies: https://jellyfin.org/docs/general/post-install/networking/advanced/nginx
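
Added example, not part of the thread or of any project's documentation: a second service sharing port 443 with the Jellyfin site above, plus a catch-all that refuses host names you have not configured. The host name `immich.yourdomain.com`, backend port 2283 and the certbot certificate paths are assumptions to adapt.

```nginx
# Added example, not from the thread. Hostnames, backend port and
# certificate paths are assumptions; adapt them to your setup.

# Catch-all: a request whose Host/SNI matches no configured server_name
# is refused instead of landing on whichever site nginx picks first.
# On Debian, disable the stock "default" site so default_server is unique.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4, no certificate needed
    return 444;                # plain HTTP: close without a response
}

server {
    listen 80;
    server_name immich.yourdomain.com;
    return 301 https://$host$request_uri;
}

# Second service on the same port 443, selected by server_name.
server {
    listen 443 ssl;
    server_name immich.yourdomain.com;

    # Where certbot stores a Let's Encrypt certificate for this name.
    ssl_certificate     /etc/letsencrypt/live/immich.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/immich.yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    client_max_body_size 50000M;   # nginx default is 1m, too small for uploads

    location / {
        # Publish the container port on loopback only (for example
        # "127.0.0.1:2283:2283" in docker-compose) so the backend cannot
        # be reached around the proxy. 2283 is an assumed port.
        proxy_pass http://127.0.0.1:2283;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;      # WebSocket support
        proxy_set_header Connection "upgrade";
    }
}
```

Check the syntax with `nginx -t` before applying it with `systemctl reload nginx`.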

[–] Octavusss@lemm.ee 2 points 4 days ago

Omg thank you very much. I'll definitely look it up.

[–] walden@sub.wetshaving.social 2 points 4 days ago

That question is a little bit out of the scope of a forum like this. A question like that would better be answered by the nginx documentation. Sometimes the project documentation might have a blurb about nginx configuration specific for that project. For example, Immich.

For the most part, you only have to reference the nginx documentation. I've never looked at the Immich config above until now, and my Immich server works great.

I've had a reverse proxy for years, but the config files are very foreign to me because I use Nginx-Proxy-Manager. NPM makes nginx usable for dummies like me, at the expense of gaining a deeper understanding of how it works. I'm ok with that, but you might feel differently.

[–] rasterweb@fedia.io 2 points 4 days ago

I was new to doing reverse proxy stuff but Nginx Proxy Manager made it really easy. A bit of doc reading, I probably watched a video or two, and it all made sense. Great clean UI and easy to install. (I run it on a Raspberry Pi.)

[–] Shimitar@downonthestreet.eu 1 points 4 days ago
[–] y8h8do3a2vg5@lemmy.world 1 points 4 days ago* (last edited 4 days ago)

This may be a controversial approach, but I recently had to set up reverse proxy along with DNS configuration and certificate handling. I pair programmed with an LLM.

My experience was this... I described what I wanted to set up, my objectives (like containerisation, zero touch deployment, idempotence, etc) and it gave me a starting point. It threw a few bad ideas in but I also asked it to help me stress test against the objectives. I think it's all just about working now. I learned a lot about shell, docker, nginx, terraform, VM metadata, data persistence, pulling it all in from a git repo, bootstrapping nginx with self-signed certificates, auto renewal, vscode devcontainers and more. Honestly I'm worried about what a pro would make of my code, but I made huge steps in a relatively short time. Disclaimer: I am a software engineer who was keen to learn this stuff and get moving quickly.

I would definitely consider this approach if you're new to the area.

[–] jhdeval@lemmy.world 1 points 4 days ago (1 children)

Nginx, Caddy and HAProxy are 3 choices for a reverse proxy. The way a reverse proxy works is it looks on port 80 and 443 for requests to a DNS connection. Like, say you want to go to Jellyfin: you may have a DNS entry for jellyfin.personalsite.tld, and the reverse proxy will then take that and redirect the connection to the proper port and server behind your firewall. You do not need multiple reverse proxies. In the case of HAProxy and nginx (the only ones I have experience with) you create a "back end connection" like explained above and it will redirect. In the case of nginx it is very small; I installed it natively and set up configs for each of my services for easy maintenance.

[–] Octavusss@lemm.ee 0 points 4 days ago

Okay, and in that case can you please point me in the right direction: how should I write the nginx configs for each of my services and also make SSL certificates?

[–] ippokratis@lemmy.ml 0 points 4 days ago (1 children)

While using a web server in front of your self-hosted microservices is the obvious answer, and Caddy the easier to configure, as a beginner you should also consider Tailscale funnels. You don't need to mess with router stuff like port forwarding, or care whether your ISP has your router behind a CGNAT, which is kind of the norm nowadays. You also don't have to care about a domain name or dynamic DNS stuff. You could have a look at my quick how-to. All you need is to run a script, the ports and desired names of your subdomains, and your Tailscale auth key. https://ippocratis.github.io/tailscale/

[–] Octavusss@lemm.ee 1 points 3 days ago (1 children)

Well, I already got a static IP from my ISP and configured WireGuard directly on my router, so I think I'm good.

[–] ippokratis@lemmy.ml 1 points 3 days ago (7 children)

The funnel exposes your local services to the public over HTTPS. Like what you want to accomplish with a reverse proxy. It's just more straightforward for a beginner.

Personally I closed my router ports and switched to Tailscale funnels after using Caddy with mutual TLS for years.
