Selfhosted @lemmy.world hispeedzintarwebz @kbin.social 1y ago

Looking For Opinions on Docker + Letsencrypt + Reverse Proxy Setup

I've been running 2 linodes for a number of years now - one has my website (wordpress) on it and one has a Foundry VTT server running. Both are separate linodes, and I use Google Domains to point [site.tld] to the wordpress VPS and foundry.[site.tld] to the other linode.

For a few services I run at home within my own network (Sonarr, Lidarr, Plex, etc.) I've started to use Docker and Portainer, and I like how easy it is to set things up (and remove them if they don't work). I'd like to redo my VPS similarly - I'd like to have a single linode, as a Docker host, and have the main domain point to a Wordpress container, a subdomain point to a Foundry container, and be able to easily add other containers for something like freshrss, etc. My goal is to be able to quickly spin up a docker via a compose file (portainer would be preferred), have it automatically reach out to letsencrypt to get a cert for the relevant subdomain, and have that subdomain point to that docker container.

I've been doing some searching around, and there seem to be a number of options, things like nginx reverse proxy, traefik, etc. and there are a lot of conflicting results.

Does anyone here have an opinion on this or some advice as to what the best option to look into might be?

34 comments

I'll throw in SWAG as another option which I found was easiest to setup, albeit it on a VPN/local only setup. It supports certbot for SSL and pre-defined proxy configs for various services (mostly linuxserver.io containers but there are others) and it's easy to edit them to make your own configs. I'm not sure about portainer support as I'm not familiar with that.
- I have pertainer served over swag/tailscale and it works fine. Plus one to swag tho, pretty straightforward and easy to setup, good community
I have a setup very similar to what you described in terms of having several web geegaws hiding behind a proxy, with Docker to manage them all. Foundry is even part of my setup as well (speaking of which, join https://lemmy.ml/c/FoundryVTT it's still pretty dead in there but one of the reddit mods came over and while they're not promoting things they're keeping an eye on them).

The proxy server of choice is very much matter of taste.

I use Caddy, which is very modern, simple to configure, and automatically handles letsencrypt cert setup out of the box.

Nginx is almost as modern, more flexible/powerful, IMO less beginner-friendly to setup, and has letsencrypt automation but not out of the box. Nginx is probably most common these days.

I know less about traefik, I feel like that's most often employed as a kubernetes ingress... but maybe people use it for other stuff and I just haven't encountered it. I do feel like outside of k8s, it's MUCH less common than nginx.

Good ole apache is great if you know how to use it. It's a bit archaic to configure compared to nginx or caddyz and though it is supremely capable, I do not recommend it unless you're already steeped in its ways.

There's a hundred other options as well, but it's really just preference for a toy setup like ours. I've used many of these things and prefer Caddy for my homelab stuff cause it's dreamily simple to configure. If I wasn't using Caddy, I'd be using nginx just because it's so commonly used that you can find help/instructions for anything you can imagine.
- Thank you! Caddy rings a bell as well - I will add that to the list. My current main site is still behind apache...it took my forever to figure out how to get it working so I've been afraid to touch it. I definitely don't think I want to go down that route again if at all possible.
  
  Naaah, Caddy is way simpler than Apache. It'll be much easier. Take a quick look at the docs and you'll see what I mean.
Traefik really shines when you have an orchestrator like k8s/nomad automatically driving its config via labels.
- Traefik is just magic.
  
  All my reverse proxy configuration takes place in my docker compose so there's no config sprawl. Unlike my 5+ years of nginx-proxy and caddy, I haven't had to do a single reverse proxy hack or config patch or fix to get something to proxy correctly for over 25 services from all over the self-hosted world.
As someone who's used pretty much every solution out there at some point, I have thoughts on the main contenders:

Traefik is great if you've got a purely docker setup. It's extremely powerful and the dashboard is quite nice, but it's quite complex and it's got a lot of moving parts. Docker integration works great but the whole label configuration thing is clunky, and the documentation can be confusing.

Caddy ingests a dead simple config and just works. Can easily handle cert renewal behind the scenes without you even having to think about it, drop the dynamic DNS one in and you basically have it all covered. There's even one that gives it Traefik-like capabilities, although I can't speak for how well it works in practice.

NPM works great if you're more of a GUI person, very straightforward and impossible to screw up but a bit more annoying to go off the beaten path imo

I personally favor Caddy these days, but they're all solid choices.
- +1 for caddy, simplest setup process for a reverse proxy + https certs
I use NPM which is also a docker image and has automatic let's encrypt and a nice interface. Nginx Proxy Manager.
- Awesome, thanks for the reply. (My first reply on my first Kbin post, I'll add!)
  
  I'll look into NPM
I have had an issue with updates to Nginx Proxy Manager breaking itself in the past so I switched to Traefik.

NPM is much more user-friendly when it works. However, as mentioned, Traefik integrates directly with docker through labels, making it very convenient if not a bit more of a learning curve.

So far, the only annoyance I have with Traefik is that I haven't found a very easy way to host itself on a separate server from where the containers are running because it uses the docker.sock file to pick up the labels on running containers automatically. Instead, I manually create files for the files provider. I don't think this is an issue if you are using Kubernetes, but I haven't gotten all the way down that road quite yet, as it is a bit overkill for me.
NPM is great! I even use it in a production environment at work for a small service and it works beautifully
- Awesome, thanks! That's 2 votes for NPM so far
  
  I've found npm to be fairly easy to setup. But I'm not far from your situation, trying out various options to see what works best for me
  
  Here's a 3rd to convince you even more, I have it running on several instances.
Everyone has an opinion, and at the end of the day, whatever works best for you is what you should stick with.

I like Traefik because you can mount /var/run/docker.sock:/var/run/docker.sock:ro to Traefik, then it can read labels from containers, and automatically wire up new instances based on labels on them. I'm sure there's equivalent in other reverse proxy solutions, but as I said, it works for me and I like it.

I give that container my Cloudflare origin certificate, everything gets encrypted in transit to Cloudflare, and then Cloudflare handles all the SSL management for me, as well as provide extra layer of DDOS protection.
- Thanks for the suggestion! Does cloudflare essentially fulfill the same role as letsencrypt (with DDOS protection added)? I've heard of cloudflare but I'm not particularly familiar with them.
  
  Yep! Basicall, they sit between you and your visitors as a reverse proxy. When you domain is accessed through their infrastructure (you set this up via DNS), they’ll sign SSL for you domains so you don’t need to worry about it. Using the origin certificate secures communication from your server to theirs, so there’s no point in the chain being left in the open. They’ll even do DDOS protection and some basic web application firewall for free as well.
  
  Additionally, since they’re globally distributed, your website could have static content cached closer to your visitor, thereby giving a faster experience.
  
  They’ve also added lots of great stuff to help with locking down remote access to your internal infrastructure. For example if I want to SSH into my homelab, I don’t have to expose my SSH globally, and when I try to access it, I get a browser pop up asking me to login to my SSO, and then grants access.
  
  I really enjoy and recommend trying their free offering.
  
  Yes, it can provide a SSL connection to the end-user even though you're just serving http with no cert. However it is yet another moving part that can break or be mis-configured and yet another bunch of capitalists data-mining all the things.
I went with nginx proxy manager.
Nothing to add here, but I was going to ask somehow the same question? I tried Nginx (not NPM) and my gosh this is hardcore stuff... Tried to make it work on my system (old spare laptop with a few docker containers) but It drove me crazy... !

Also tried Traefik and even if it didn't worked out as expect I had a better feeling on how It's build up and works. And I'm probably going to give It a second try by reading through the docs !

I have no idea about caddy, but It seems easier to setup? The docs looks really well written and easy to read through. If I fail to make it work with Traefic I will probably give it a try !

Also, the docs of Nginx are... As a non native I have the feeling I need a PhD to understand all the quirks and work-arounds, important stuff ? It's VERY WELL documented, but really out of my comprehension league !

Thanks for your question :)
traefik or caddy would take care of that easy, you could bring everything up via doxker compose
I use cloudflare and point my domains to its bameservers, which has ssl support ootb. however this does not work for wildcard domains kike *.sub.example.com, which I heavily rely on.

Instead I run a Caddy container with the cloudflare plugin, it's as simple as adding the token and caddy does all the wildcard ssl magic.

Coming from nginx and heavily relying on regex, Caddy is a bit different to set up, but once you dig a bit into it, itčs mostly one-liners.
@hispeedzintarwebz I love Traefik. I will admit it was a steep learning curve at first, but it elegantly handles everything I throw at it. You can include the Traefik configuration for a container in the docker-compose with labels.

What I like about Traefik is that it was built out of the box to do this kind of thing, rather than something like nginx which is actually a web server that has been shoehorned into being a reverse proxy.
- Thank you! I will add this to the list as well!
You need a wildcard certificate. So one cert that covers *.site.tld

Deploy that once and you're done other than renewal.
I sugget using Caddy. It's insanely easy, handles SSL so you don't need Let's Encrypt (it uses LE under the hood), has a reverse_proxy command that is 1-3 lines. I dabbled with Apache2 for a time, and I can say switching to Caddy was the best decision.

I now have a DNS server, syncthing, nextcloud, grafana and a few more stuff all behind reverse proxy, SSL handled by caddy. Some of them point to file servers for different paths (i.e. stuff.example.com/admin goes to a website and stuff.example.com goes to the service) and the configuration is less than 5 lines.

34 comments