Shill Me Your Favorite Reverse Proxy!
I need a reverse proxy for a project I'm working on. It's just going to proxy some pages from localhost, but I need to add basic password authentication on the front. (The software in question has no access control whatsoever.) Looking for lightweight, simple, and, as a bonus, a nice Ansible role I can snag.
My go-to would probably be Varnish; Squid and Apache are probably too much for such a simple task. Would consider Caddy, though. Maybe there's some other new hotness? Haven't checked yet to see if any of them will do what I want.
So, what do you guys recommend?
Comments
haproxy
Really? I think of haproxy as a load balancer. Seems like more than I need. But it does look like it would do what I want to do.
nginx w/NPM
Nifty. NPM has built-in Let's Encrypt support. Me likey.
haproxy can do pretty much any reverse or forward proxy you need, and you can make rules to direct traffic based on pretty much any criteria you want. If you don't want load-balancing, you can make a pool with just a single server.
To achieve similar to what you're doing, I have one rule that forwards /api to the pool that contains the closest internal webapp backend and some further away fallback options, and another rule that forwards /dev to a different pool where it can forward to either my work PC or my work macbook and it picks whichever one is currently running a server (because I develop on both). So, the app I'm developing on my phone can use the normal internet to connect to mydomain.com:/api/... for the live api, or mydomain.com:/dev/... for my current in-progress work.
haproxy also lets you forward pretty much any TCP traffic too.
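The routing described in the comment above, combined with the basic password authentication the original poster asked for, as an added haproxy configuration that is not part of the original thread. The user name, password hash placeholder, backend addresses and ports, certificate path and /health check URL are all constructed assumptions.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Credentials checked by the frontend below.
# "password" expects a crypt(3) hash, e.g. from `mkpasswd -m sha-512`.
userlist proxy_users
    user alice password REPLACE_WITH_SHA512_CRYPT_HASH

frontend edge
    # Basic auth sends credentials base64-encoded on every request,
    # so only accept them over TLS. Certificate path is hypothetical.
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Answer 401 until the client presents a valid user/password pair.
    http-request auth realm "restricted" unless { http_auth(proxy_users) }
    # Do not pass the proxy credentials on to the backends.
    http-request del-header Authorization

    # Path-based rules: /api and /dev go to different pools.
    acl is_api path_beg /api
    acl is_dev path_beg /dev
    use_backend api_pool if is_api
    use_backend dev_pool if is_dev
    # No default_backend: any other path gets a 503 from haproxy.

backend api_pool
    # Nearest server takes the traffic; "backup" servers are used
    # only when every non-backup server fails its health check.
    option httpchk GET /health
    server near 10.0.0.10:8080 check
    server far1 10.0.1.10:8080 check backup
    server far2 10.0.2.10:8080 check backup

backend dev_pool
    # Two development machines; the health check removes whichever
    # one is not currently running a server.
    option httpchk GET /
    server workpc  10.0.0.20:3000 check
    server macbook 10.0.0.21:3000 check
```

A pool with a single `server` line gives the plain one-backend reverse proxy case; `haproxy -c -f <file>` validates the file before a reload.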
https://github.com/boringproxy/boringproxy
Caddy... manages Let's Encrypt certs management natively.
I am a bit unsure of adding auth layer but I would not be surprised if it has something already.
Well, the name definitely sounds like what I want!
HAProxy or Nginx if you don't want a webgui
Nginx Proxy Manager if you want a webui
Check out Traefik
I don't actively use Caddy, but should be possible using the basic_auth directive: https://caddyserver.com/docs/caddyfile/directives/basic_auth#basicauth
Huh. Never even heard of that one! Sounds like a lot more than I want, but filed away for future reference…
Yeah, I don't need a GUI. If Nginx takes care of the Let's Encrypt, then that's enough.
Honestly, I think I could do everything I need with a couple of firewall rules and a PHP script. But it would be nice to add the Let's Encrypt stuff later, so might as well do it right from the beginning.
Caddy 100%. I have fought long enough to get Apache and nginx to reverse proxy with TLS and it was always annoying. Caddy just does everything automated. Only downside is that you don't have like nginx 10+ years of old forum discussions on how to solve your specific problem, or 100+ years of old grey beards discussing how to get Apache to do what you want. But if you have normal problems and want the obvious, easy solution, it's caddy IMO.
I wonder if something like Cloudflare Pages or Cloudflare Tunnel would work for you.
Caddy
No, not really.
Well, I've been using Apache since the mid-90s, and my beard would in fact be grey if I let it grow out, and even I don't want to use Apache for this. LOL
I mean, I would if there were some other reason to have it on the server. But this is a very specialized thing.
If you're using Docker/Podman, then definitely go with Traefik because it has a lot of features built around it.
Nevermind, I missed that Ansible part. I haven't used Ansible before, but I would go with Caddy first.
Yup, once you want to also start serving stuff Apache becomes maybe easier again. Just these days I wanted to add php to caddy and had to manually install php-fpm and configure the Unix socket. I have to say, the LAMP stack is definitely easier with Apache. But then you need websockets, ugh...
I've been meaning to try to set up a reverse proxy one of these days, so I can get some experience. I'll probably give it a try soon.
This is the way.
Caddy ftw
Have been using caddy for many days now.... It's good.
caddy only (except for advanced caching, in which case i still use caddy for ssl/http3 and nginx behind it)
caddy makes it really easy to build custom container images with plugins
for example i have a caddy image with a redis plugin which allows multiple caddy instances to share the same ssl certs, for geodns. i connect it to local redis instances in a cluster
Caddy
If you're using Docker, Traefik is also a great choice.
Haproxy 100%
Caddy +1. simple and sufficient.
IMHO, it's best to aim for a clean separation of concerns. Once you start having your webserver also acting as a proxy for another server, you're unnecessarily increasing the load on the web server (which is usually much heavier than the proxy anyway, hence the rationale for reverse proxy as a load-balancer) and also you're adding an additional point of failure for the service that's being proxied.
IMHO, it's cleanest to have reverse proxies on the edge of your network that forward to the correct place for the service required. When you need to grow or reshape your web server configs you can do it much more easily.