Use Raspberry with HA on it as NGINX Reverse Proxy

Hi All,

I’ve tried and failed to use my router as a reverse proxy for my webservers (Synology DSM with many services on it - HA on my Raspberry Pi). So I was wondering: can I (and SHOULD I) use my Raspberry Pi where HA is running as an nginx proxy?

Will it be safe? Or what else can I do?

I think there are a good number of people out here doing exactly that. I think the standard way people are doing it is using ssl through letsencrypt, but it should be able to be done through any group that provides the certificates.

Thank you for your reply! So I need to generate only one certificate for all webservers? And what about security? Is it “safe”?

Nothing exposed to the Internet is guaranteed safe. All you can do is reduce your risk, and the amount of risk that is acceptable is up to you. Using a reverse proxy is better than directly exposing your ports to the web using port forwarding. If you enable remote access to your servers via the web, you definitely want to be using a cert for HTTPS at the MINIMUM. A more secure option would be to not expose your servers via the web and instead set up a VPN that you can connect to and access your devices on your LAN.

I’d also suggest looking at Caddyserver. I use that to reverse proxy as it automates all the letsencrypt stuff.

Be aware you’ll need to build from source with a small change around line 235 of reverseproxy.go to get it to work with HA, but other than that slightly challenging step, it is lightweight and much simpler than NGINX to configure.


Thank you all for your feedback.

I’m interested in Caddyserver in particular, as I was unable to configure NGINX properly. Can you suggest a how-to?

Thank you in advance!

Hi Nikc, sorry for bothering you but I’ve searched around the net without results. Can you please support me? 🙂

No problem,

Take a look here:

Once it is set up, adding a reverse proxy entry is as simple as the following (maybe not 100% right as done from memory so Google to check):

domain.com {
    proxy / [IpOfMachineWhereServiceRuns]:[PORT] {
        transparent
        websocket
    }
    tls [email protected]
}
… in your caddyfile. As long as you have port 443 and 80 open to the IP of the machine Caddy runs on, allow Caddy to bind to those ports, and they can be reached by a domain name (either DynamicDNS or a legit domain name you own) then it will deal with all of the letsencrypt stuff for you automatically.

There is an issue atm for reverse proxying for HA:

You can either fix this yourself by pulling from master, making the one word code change, and building with Go, or alternatively you can wait for the next release where this issue is resolved.

I’m running about 7 services behind this right now, and the config is 4 lines each as opposed to a hell of a lot of messing with NGINX.

Let me know if anything isn’t clear and I’ll do my best to help.


Thank you for your help!

Sincerely, I think it depends on how long I have to wait for the next stable release. Do you know where I can find a sort of roadmap?

I don’t know where the release schedule is kept but they are fairly regular releases.

The key benefit is once this is in, adding further reverse proxies is a copy and paste of four lines. So much simpler than nginx.

If you were working on an x86_64 machine running Ubuntu 16.04 then you could just follow the normal install instructions, and I could send you my built binary with the change added. Then you would just need to set permissions.

But I see you are running on a Pi which isn’t where I run this. It’s only a 3mb webserver so should be fine, I just haven’t built a binary on that platform.

I would note that before this I had never used Go and never built from GitHub. And it still only took me about 20 minutes to get it right, so it isn’t too hard. I can help walk you through it if you’d like. First thing is to find some instructions to install golang on the Pi and set your environment variables. After that it’s a few commands.

I’ve seen that a new release has been published (https://github.com/mholt/caddy/pulse) but I don’t see the #1316 issue number on it.

Meanwhile I will google for instructions to install golang on the Pi 3. Let’s see who’ll be faster, me or the developers! 🙂

I believe it’s this one:


Here I am.

I was able to install and start caddy but now I’m stuck in the caddyfile setup.

Here’s my configuration:

domain.com

domain.com/jarvis
{
    proxy adress:port {
        transparent
        websocket
    }
    tls [email protected]
}

domain.com/joshua
{
    proxy adress:port {
        transparent
        websocket
    }
    tls [email protected]
}

domain.com/plex
{
    proxy adress:port {
        transparent
        websocket
    }
    tls [email protected]
}

Every time I launch caddy I receive this error:

caddy -host domani.com
2017/07/29 17:58:56 Caddyfile:3 - Parse error: Unknown directive ‘domani.com/jarvis

Where am I wrong?

Thank you again 🙂

Take the subfolder out of the top directive:

proxy /api localhost:9005

Uhm, I don’t understand.

Can you please be more specific?

Thank you

You have:

domain.com/plex
{
proxy adress:port {

… You need:

domain.com
{
proxy /plex adress:port {
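
Added example, not part of the original thread: the asker's three path-based services written out in full as one site block, in the pre-2.0 Caddyfile `proxy` syntax used in this thread. The backend addresses, ports and e-mail address are constructed placeholders.

```caddyfile
# Constructed example. Replace the placeholder backends and e-mail address.
# The site label is only the host name; paths belong on the proxy lines.
domain.com {
    # Each service gets its own path-scoped proxy directive: proxy <from> <to>
    proxy /jarvis 192.168.1.10:8123 {
        # transparent: pass the original Host and client address headers upstream
        transparent
        # websocket: forward the Connection/Upgrade headers for WebSocket clients
        websocket
    }

    proxy /joshua 192.168.1.11:5000 {
        transparent
        websocket
    }

    proxy /plex 192.168.1.12:32400 {
        transparent
        websocket
    }

    # One tls line per site block, not per proxy: a single certificate for
    # domain.com covers every path proxied above.
    tls you@example.com
}
```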

Could you suggest a link for a tutorial?

You no longer need to build from source as the change was merged and released. Or do you mean a tutorial for the caddy file? Which platform are you on?

I have trouble with the NGINX, so wish to try CADDY.

I am on a Pi 3. I could also use a NUC with Windows 10 (but prefer the Pi 3), since my NUC gets overheated and is like having an airplane in the living room, unless I buy a fanless case that costs 150 euro.

I used the script the first time which pulls the correct binary:

curl -s https://getcaddy.com | bash

It will ask for sudo rights.

This guide is for Ubuntu but should be very similar for the Pi:

I couldn’t find a Pi specific guide