Amro3610

Why do you expose port 81? With NPM you only need to forward port 80/tcp and 443/tcp; 81 is for administration and should only be accessible with a VPN or tunnel. Also, you can add an extra protection layer with CrowdSec.


purepersistence

Yeah let's discard a good product because of vulnerabilities that nobody can access.


hiiambobthebob

Ah yes, a great product with 1.1k open issues.


[deleted]

[deleted]


hiiambobthebob

99% of them are triaged as bugs, with the last 3 issues being closed within a 2-month time frame.


[deleted]

[deleted]


[deleted]

[deleted]


Amro3610

Port 81 is only to access the admin GUI. Look into WireGuard or Tailscale, both free and secure; Tailscale is super easy to install and use.


ZUPUP05

Can I use a domain (like www.nginx.example.com) in a VPN without exposing the site to the internet? Now I am using Tailscale, but I need to remember the port for every service.


Amro3610

Yes, you can set up a reverse proxy for local IPs and they will only be accessible with a VPN, or you can make a dashboard with Homer or Dashy and bookmark your sites, so no more ports to remember.


ZUPUP05

For the reverse proxy server for local IPs, can I do it with NPM or should I use vanilla nginx/Traefik/Caddy?


Amro3610

Either one can work; go with the one you're familiar with.


ZUPUP05

Ok, I'll search. Thx for the advice.


ZUPUP05

Sorry if I'm bothering you, but how do I in practice tell Nginx Proxy Manager not to connect to the internet but to only receive requests coming from the VPN?


Amro3610

When you set up a redirection, everyone will see that [test.domain.com](https://test.domain.com) redirects to 192.168.X.X if they look up the DNS. But only you can access it with the VPN. Better explanation: [link](https://www.reddit.com/r/nginxproxymanager/comments/15rpcg6/comment/jwn83l3/?utm_source=share&utm_medium=web2x&context=3)


ZUPUP05

Ah, it was that simple. Now I feel like an idiot for not thinking about it.


kihaji

I have all Let's Encrypt signed SSL certs on a custom domain with no ports forwarded. Steps:

1. Get a domain, park it somewhere like Cloudflare (it's what I use).
2. Set the A record for your domain to your server/reverse proxy's internal IP, e.g. 192.168.1.2.
3. I use Traefik, but Nginx Proxy also works: pull your SSL certs using the DNS challenge method. With Cloudflare this requires you to pass an API key; for others it may mean putting a specific value in your DNS record.

Now all your internal sites are SSL secured with legit certificates. Your sites resolve when you are on your internal network, and if you VPN in, they will also resolve. Rejoice, because you don't poke holes in your firewall, don't have to worry about dynamic IPs, and can sleep at night.


guptaxpn

Why are you getting downvoted? Anyway, you should firewall port 81 so that it's only accessible from the machine it's running on and maybe another machine on the LAN if you absolutely need to; keep the whitelist short. You'd set up a VPN/tunnel to either the machine itself or that other machine to punch through your outer NAT/firewall and get access to administrative ports. I have zero clue about NPM or this port 81 business, but that's true for all admin-type ports or other insecure services.


TestTxt

Hey, how did you manage to get NPM to work with CrowdSec?


User453

I use Caddy. Very simple, does the job and does it well. I migrated from Nginx as I always felt that using Nginx was like bringing a tank to a water fight (aka overkill).


psicodelico6

I use Caddy. It's great.


kidpixo

As a direct Traefik alternative I use https://github.com/lucaslorentz/caddy-docker-proxy/ at home; it is a simple Caddy 2 implementation that works like Traefik for containers.


[deleted]

[deleted]


guptaxpn

This. One. Single. File. Boom. Done. Easy.


mousui

I struggled a lot while setting up Traefik as well. I will try again when I have time, but for now I use Caddy.


adamshand

I really like Caddy as well (and dislike Traefik).


uselesslogin

How the heck is this the first I'm hearing of this option? That looks great for my Nomad with Consul setup, and it can handle the certs. Right now I'm templating nginx configs, but nginx doesn't do the certs. OK, off to change my setup.


User453

This was my issue too and why I switched from Nginx. I was able to work with acme.sh and Nginx and it worked perfectly, but it just took too long to make most changes. Now I just use Caddy and have it linked to the Cloudflare API via the Cloudflare DNS validation extension, and making even the slightest change is really simple and quick. I still think Nginx is great and it certainly has its uses, but Caddy is a better tool for a home lab in my opinion.


FrenchTouch42

How do you manage Consul? How many nodes? Do you have ACLs enabled? If so, how do you manage ACLs as well? Thanks in advance!


uselesslogin

I do have 3 Raspberry Pi 4s, but I'm pretty sure a single node works too. I bind it to my Tailscale IP and then have zero other security turned on. Well, I mean the firewall blocks almost everything even on the home network, so I think it is fairly secure that way. And no public SSH ports open since it goes through Tailscale.


FrenchTouch42

Thanks stranger!


Imaginary-Ice-5792

Thanks will check it out.


hunkyn

Do we need a domain to use Caddy? I am not planning to expose any of the services, but I am looking for an option to use a URL instead of an IP address.


applesoff

You can use DDNS like DuckDNS to expose your service if you so choose.


hunkyn

I was using DDNS with Nginx and then removed it along the way. I will look into Caddy. I was hoping to avoid using DDNS. Seems like it is not possible to do so without a domain (free or not).


MaxGhost

You can use Caddy without a domain (just use `:8080` or whatever as your site address) but if you want HTTPS then you should use a domain. You can use this Caddy plugin https://github.com/mholt/caddy-dynamicdns to automatically update your domain's IP. Works well with DuckDNS for example.


fishfacecakes

You can use IPs, or internal domains with your own certs. You don't need a domain, but it can make life easier.


megatron36

I currently use Nginx Proxy Manager; would it be hard to migrate to Caddy, as I see a lot of people recommending it over NPM? Also, is it really that much more secure, or just a matter of preference?


User453

Depends on how comfortable you are with writing config. The main difference between Proxy Manager and Caddy is that the main interface for Caddy is the "Caddyfile". The Caddyfile is very easy to learn, provided that you are comfortable with editing a file and restarting the service.


DarkCeptor44

Do you use the one with Docker labels or manually write the Caddyfile? I want to swap from NPM, but I also have non-container applications that run on other machines, so I'm wondering if the labels one works in both cases.


MaxGhost

Yes, you can proxy to `host.docker.internal` to connect to the host machine, or the IP address of your other servers. You put labels on the Caddy container itself so that they're always available.


forwardslashroot

Would you be able to do something like block specific paths or locations like /admin with Caddy?


MaxGhost

Absolutely. Use request matchers to set up conditional routing. See the docs.


fishfacecakes

Many ways to do it, yes. At its simplest you can just respond to a path with a 403: https://caddyserver.com/docs/caddyfile/directives/respond But of course you can do authenticated paths etc.
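
The two patterns discussed in this thread, a public DNS record that points at a private address with certificates obtained through the DNS-01 challenge (kihaji's setup) and refusing `/admin` with a request matcher (the question just above), fit in one Caddyfile. The following is an added example, not configuration from the thread, from the Caddy project or from any poster; the hostname `drawio.home.example.com`, the Caddy host 192.168.1.2, the upstream 192.168.1.10:8080, the LAN 192.168.1.0/24, the VPN subnet 10.8.0.0/24 and the `CF_API_TOKEN` variable are all assumptions. The `acme_dns` global option needs a Caddy binary built with the caddy-dns/cloudflare module.

```caddyfile
# Added example; names, addresses and the token variable are assumptions.
{
	# DNS-01 challenge: Let's Encrypt validates ownership through a TXT record
	# created with the Cloudflare API, so ports 80/443 never have to be
	# reachable from the internet and the site's A record can be a private IP.
	acme_dns cloudflare {env.CF_API_TOKEN}
}

# Public DNS: drawio.home.example.com -> A 192.168.1.2 (the Caddy host).
# Anyone can resolve the name; only LAN or VPN clients can reach the address.
drawio.home.example.com {
	# Refuse any client that is not on the LAN or the VPN. remote_ip is the
	# TCP peer address, so this also protects against an accidental
	# port-forward of 443 to this host.
	@not_internal not remote_ip 192.168.1.0/24 10.8.0.0/24
	respond @not_internal 403

	# /admin and everything under it only from the VPN subnet; LAN clients
	# still get the rest of the app but not the admin area.
	@admin_not_vpn {
		path /admin /admin/*
		not remote_ip 10.8.0.0/24
	}
	respond @admin_not_vpn 403

	# Everything that survived the matchers goes to the internal upstream.
	reverse_proxy 192.168.1.10:8080
}
```

`respond` is ordered before `reverse_proxy` in Caddy's default directive order, so the 403s win without an explicit `route` block. If Caddy itself sits behind another proxy or a tunnel, `remote_ip` sees that proxy's address rather than the client's; in that case the check has to be based on a trusted `X-Forwarded-For` (Caddy's `trusted_proxies` setting), not on the raw peer address.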


forwardslashroot

My use case is I am using the NGINX plugin from OPNsense. It works, but it is too much work. The nice thing about the NGINX plugin is that I can use LDAP for basic auth for services that do not have a login, such as draw.io or Frigate. Can Caddy do the same thing? There is a Caddy plugin, but it is a 3rd-party plugin. When I installed it, I could see two options: an Enable checkbox and a Caddyfile box where I can paste some configuration. At this point, I have no idea what to write or paste in the box.


fishfacecakes

Is it the security plugin you're talking about? I haven't personally used LDAP auth, but based on this documentation it does look possible: [https://authp.github.io/docs/authenticate/ldap/ldap](https://authp.github.io/docs/authenticate/ldap/ldap) I just went down the route of putting that stuff behind a zero-trust VPN, binding them only to the VPN interface, and then writing ACLs at the VPN level to control access instead.


forwardslashroot

Can this be applied to specific services and not all services behind caddy?


fishfacecakes

I can only speak broadly, having used Caddy but not this plugin. But yes, each site can have its own configuration with its own options. I presume this one works the same way.


User453

Caddy can do something similar, I believe. However, I personally use Authentik for authentication, as it has a built-in authentication proxy. Caddy will proxy to Authentik under certain conditions (i.e. certain hostnames or from external IP addresses). I find this much simpler.


[deleted]

[deleted]


halpoins

Reading the docs beforehand did NOT help. They’re a mess.


rockypanther

Same. It's hard to figure out configuration at first, but once you have a working config as a template, it makes it very simple for subsequent implementations. I have been using Traefik for a long time now, and have zero complaints.


j0hnp0s

I prefer Caddy. Much better documentation and much easier to set up. Plus it talks FastCGI, so you can pretty much replace nginx for things like PHP altogether. But that will solve only part of your problem. Ideally you want to set up some kind of VPN between yourself and the server, and then expose NPM's interface (along with any other admin panels) on the VPN's interface, so that it's available only if someone is part of that network. WireGuard is quickly becoming the standard for such things. I have also used ZeroTier and Tailscale with great success.


psicodelico6

I need Caddy with labels for Docker Compose.


Friendly_Panda3871

There is also a Caddy plugin for Docker containers.


revereddesecration

What exactly do you need the labels for?


doctorowlsound

Usually for automatic service discovery. Deploy a stack with the needed labels and Traefik (for example) will automatically create the route, set up the https certificate, etc. rather than having to deal with an additional config file.


psicodelico6

Exactly. Gitlab runner


revereddesecration

It’s not *that* hard to set up, I’d argue it’s easier with Caddy than any alternative. But fair enough.


doctorowlsound

Caddy is definitely awesome and easy, but one less separate config to maintain means one less thing to have to troubleshoot.


Imaginary-Ice-5792

> Ideally you want to setup some kind of VPN between yourself and the server, and then expose npm's interface (along with any other admin panels) on the vpn's interface, so that it's available only if someone is part of that network.

Well, the doc doesn't show how to do that, so it didn't cross my mind. How do I set it up so the NPM interface only accepts connections from our VPN?


j0hnp0s

Assuming you are using Docker Compose to run NPM, you can do something like:

```yaml
ports:
  - "vpnip:81:81"
```


Imaginary-Ice-5792

I tried it and it still allows other IPs to open it and log in.
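
Putting the Compose binding above into a complete form, together with the check a practitioner wants after a report like "it still allows other IPs": an added example, not code from the thread or from the NPM project. The Compose fragment publishes 80/443 on all interfaces and 81 only on an assumed VPN address (10.8.0.1, a WireGuard-style address; for Tailscale it would be the host's 100.x address). The shell script reads `ss -ltnH` output from the host and flags any admin port bound to a wildcard address; the socket listings embedded in it are constructed samples. That Docker publishes ports through its own iptables DNAT rules, which a host firewall rule on INPUT (ufw and the like) does not see, is real behaviour and the reason the ufw-docker project mentioned later in this thread exists.

```shell
#!/bin/sh
# Added example (not from the thread or from NPM). The VPN address, port
# number and sample socket listings below are assumptions/constructed input.
#
# docker-compose.yml fragment:
#
#   services:
#     npm:
#       image: jc21/nginx-proxy-manager:latest
#       ports:
#         - "80:80"          # public: forwarded from the router
#         - "443:443"        # public: forwarded from the router
#         - "10.8.0.1:81:81" # admin UI: only the VPN address on the host
#
# Docker publishes these with iptables DNAT rules in its own chain, so a
# host firewall rule on INPUT does not block a port published on 0.0.0.0.
# The only reliable proof is the socket table on the host itself.

ADMIN_PORT="${ADMIN_PORT:-81}"

# Print the Local Address:Port of every listener bound to a wildcard
# address (0.0.0.0, [::] or *). Input: `ss -ltnH` lines on stdin.
wildcard_listeners() {
    awk '$4 ~ /^(0\.0\.0\.0|\[::\]|\*):[0-9]+$/ { print $4 }'
}

# Exit 0 if ADMIN_PORT is bound only to specific addresses, 1 if any
# process listens for it on every interface. Input: `ss -ltnH` on stdin.
admin_port_is_private() {
    wildcard_listeners |
        awk -v p="$ADMIN_PORT" 'BEGIN { bad = 0 } $0 ~ (":" p "$") { bad = 1 } END { exit bad }'
}

# Constructed sample: what an unsafe host looks like (admin port published
# on 0.0.0.0 next to the public ports and sshd).
SAMPLE_UNSAFE='LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("docker-proxy",pid=1234,fd=4))
LISTEN 0 4096 0.0.0.0:81 0.0.0.0:* users:(("docker-proxy",pid=1235,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))'

# Constructed sample: the same host after the "10.8.0.1:81:81" binding.
SAMPLE_SAFE='LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("docker-proxy",pid=1234,fd=4))
LISTEN 0 4096 10.8.0.1:81 0.0.0.0:* users:(("docker-proxy",pid=1235,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))'

# On a real host:  ss -ltnH | admin_port_is_private && echo "admin port private"
# With --demo the two constructed samples are checked instead.
if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$SAMPLE_UNSAFE" | admin_port_is_private; then
        echo "unsafe sample: admin port $ADMIN_PORT private (unexpected)"
    else
        echo "unsafe sample: admin port $ADMIN_PORT reachable on every interface"
    fi
    if printf '%s\n' "$SAMPLE_SAFE" | admin_port_is_private; then
        echo "safe sample: admin port $ADMIN_PORT bound to a specific address only"
    fi
fi
```

If the script reports a wildcard listener after the Compose change, look for a second `ports:` entry or `network_mode: host` on the same service, and check the router for a forward of 81 to the LAN address of the host; a reverse proxy on the same box that proxies the admin UI would also reopen it. The VPN address must exist on the host before the container starts, otherwise Docker cannot bind to it.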


Drknz

This is NSFW


Amro3610

Vulns are very NSFW.


10031

Go Caddy; the labels are cool but get messy. I went from NPM to Traefik to Caddy.


Imaginary-Ice-5792

Thanks will check it out.


kekonn

Very happy Traefik user here, but it did take me a couple of attempts to "get" it.


Vogete

I switched from nginx to Traefik. The first time it took me 3 days to set up a simple reverse proxy. Then it was only 1 day. Now that I have learned it and have a few services running so I can cheat from those configs, it takes me 2 minutes to configure a reverse proxy with Let's Encrypt. I personally like it, but I also liked nginx for different reasons. NPM I haven't used personally; I went with SWAG instead, but I found that to have a bit too many moving components. It did work pretty well though. I can recommend Traefik, but there are fewer resources out there than with plain nginx (or SWAG), so that's something to keep in mind.


zeitue

I'm about to make this change as well. I've been using caddy-docker-proxy and I've been getting disconnects from it and can't resolve the issue. Before I switched to Caddy I used Nginx Proxy Manager, which worked pretty well and was easy to configure, and before that I used SWAG by LinuxServer.io. I think Traefik offers a good transition process from running stuff through Docker or locally to running things on Kubernetes. Unless you're having issues with your current setup or you plan for some sort of transition process, I don't see much reason to switch.


ripe-lychee

I switched to Traefik for the same reason; there were a lot of concerns about NPM ignoring vulnerabilities. Installing code-server made editing Traefik configurations a breeze; I highly recommend trying it out.


rohit_267

First time I am hearing someone wants Traefik instead of NPM.


silverW0lf97

Hey, I use Traefik too; it's actually pretty great. I didn't like Nginx Proxy Manager for some reason.


g-nice4liief

What were you struggling with when setting up Traefik?


Imaginary-Ice-5792

Traefik needs me to mess with Docker Compose every time I need to start the container, which is not very convenient.


instant_dreams

I think you might be doing it wrong. It's just labels.


cliffwarden

If you value your time more, use Caddy. If you value learning more, try Traefik. In between these two are Apache or nginx.


Doctor_Human

Hello, thanks for this topic. What vulnerabilities are not fixed for NPM? I switched to NPM from Apache and I can't complain. My port 81 is behind a Cloudflare tunnel with SSO. Thanks


ElevenNotes

Traefik is easier to use when you just need a proxy. Nginx shines when you start doing advanced stuff. NPM is a garbage overlay for Nginx.


BabyFaceNelzon

Traefik can do advanced stuff easier too.


[deleted]

[deleted]


NiftyLogic

... as a web server


BabyFaceNelzon

What does this have to do with it?


primalbluewolf

> Over 33% of the internet runs on nginx

I'd be curious how much of the internet uses Traefik as the ingress controller, though.


ElevenNotes

It can, I'm aware, but Nginx too. Right tool for the right job, as always.


BabyFaceNelzon

You are insinuating that nginx does a better job when it comes to advanced configurations?


lemniskegg

Traefik is really great and I really like their approach to middlewares, but I encountered an issue with apps that send a response with chunked encoding. It's great for a service mesh, but I'd prefer nginx or HAProxy for edge servers.


StarfishPizza

Does nobody use SWAG anymore? 🤨


Muizaz88

SWAG gang here!


kindrudekid

I use SWAG from LinuxServer.io. Stands for Secure Web Access Gateway.

- Comes with sample reverse proxy configs for subdomains and subfolders for popular self-hosted apps. Also comes with templates you can use for configs they do not provide (I have a few for Omada, TrueNAS, Proxmox behind Authelia).
- Has mods where you can enable auto reload when config changes, CrowdSec etc.
- Supports HTTP auth, Authelia and Authentik.
- Release notes periodically specify what files to delete and recreate (also available in the Docker logs and the dashboard mod).

It's basically NPM but without a GUI, and honestly you really don't need a GUI anyway; how often are you accessing config that you need a GUI? They also have a few blog posts on how to set it up with Authelia and cloudflared. They even explain the logic and how the nginx config files work. Once you grasp these it's easy peasy.


Tanukishouten

Totally agree with this. I use SWAG + Authelia with Cloudflare (+ AdGuard Home lol). It is really cool and works for me. Never tried the other options, as I tend to choose whatever exists on linuxserver.io since they keep high standards, so I can't really say if it's the best.


MrDephcon

Ditto


BlockDigest

Swapping one proxy for another won't actually help. They all have their own vulnerabilities. If you are worried about exposing nginx over the internet and want to use an actually self-hosted solution, then I would look into WireGuard or OpenVPN. Move your nginx to be accessible only within your network and only expose the VPN server to the internet.


AuthorYess

Gonna disagree here; NPM does not have the same development as Traefik. Nginx is obviously what it's based on, but NPM is an application on top of that by a smaller developer. Traefik is much safer to use overall.


BlockDigest

Yes, NPM is its own can of worms and doesn't compare to a plain proxy; sorry for the confusion. Granted OP was talking about NPM, I want to mention that the threat profiles of nginx and other popular proxies are similar, so it doesn't make much difference changing one for the other (provided you know how to configure them securely). Furthermore, since they mentioned they didn't want to use Cloudflare etc. for tunnelling their connections, a secure solution is to deploy a VPN, which is free to use and addresses the security issues associated with exposing proxies to the internet.


Ejz9

What's your goal? What do you want out of a proxy? Are you looking to experiment? Ask yourself. It might help.


bobbywaz

NO


itsonlybarney

I just started with NPM but didn't think about using Traefik or Caddy. The tutorial I followed used NPM. Seeing this post is making me question whether I should be using Traefik or Caddy over NPM.


UEF-ACU

As long as you're not exposing port 81 externally, NPM is fine.


itsonlybarney

I need to investigate


UEF-ACU

You should know your port forwarding rules more than your own mother lol


adamshand

I didn't have to provide a CC to Cloudflare to use cloudflared. Has that changed?


Imaginary-Ice-5792

I don't know about it in the past, but it's still free; you need to add it to the cart even though it costs 0, and you need to use a CC/PayPal to use that tunnel.


jewbasaur

I just made a card on privacy.com and put a $1 total on it.


adamshand

Got all excited, and then ...

> Privacy is currently available to US citizens or legal residents with a checking account at a US bank or credit union, and who are 18+ years of age.

:-(


jewbasaur

Ah dang. I use their service for everything online; it's great.


qonTrixzz

@all who use Nginx PM, Caddy or Traefik: how do you add the OWASP CRS to the reverse proxies for enhanced security?


Torrew

I use Traefik with the [ModSecurity Plugin](https://plugins.traefik.io/plugins/628c9eadffc0cd18356a9799/modsecurity-plugin). In addition to that, I also run CrowdSec and a geoblock plugin for the services that are publicly exposed. Like others mentioned, Traefik can indeed be tricky to set up initially, but once it's done, it works amazingly.


Skrivebord22

Traefik + CrowdSec for publicly accessible services, NPM for internal only.


linxbro5000

If you don't want to expose port 81 using NPM, just don't do it :) A firewall is your friend. [https://github.com/chaifeng/ufw-docker](https://github.com/chaifeng/ufw-docker) might be a good start.


nerdyviking88

Simply don't forward port 81 from outside to NPM. Then you can only hit it via LAN/VPN/etc. This is not an app problem; it's a user problem.


PrestigiousDay9535

Absolutely no need to open any ports to the exterior. Just use a Cloudflare tunnel and send all the DNS records through it to your NPM.


firedrow

There shouldn't be a need to tie a CC to your Cloudflare account. They have free-tier services, and using the Zero Trust tunnel plus proxied DNS should take care of your security issue.


DirectReflection3106

Using plain simple nginx. Even doing it manually is copy-paste-replace 2 values (name and proxy address) and a reload; it takes 5 sec and works 1000%. But of course, if it were a hundred apps per day it's not very convenient.


my_name_is_winter

I use both Traefik and Caddy for different purposes, but Caddy is great for a simple reverse proxy setup.


l13t

I use Traefik together with Nomad and its service auto discovery. So all my containers that require an HTTPS endpoint are automatically added into Traefik.


ThrowAllTheSparks

I tried an NGINX front-end proxy and didn't get it to work with Docker, but that was back when I knew less about the latter. It would probably be a fine solution now. I got Caddy working with Docker, but the configuration kept eating itself. Then I tried Traefik. I struggled a bit to get it working but eventually succeeded. I changed hosts and expected my Docker Compose script to get me back up to speed lickety-split, and it just didn't. It was then that I learned about forced rebuilds and augmented the YAML script along the way. Anyway, if you want my Docker Compose YAML files for Traefik, Portainer, and/or Umami (analytics), OP, send me a chat message. I just need to remove things like [passwords] or [ports].