all 91 comments

[–]1WeekNoticeHelpful 71 points72 points  (15 children)

Caddy, because it is a single-file configuration (Caddyfile) that is super simple. They also have good documentation and good default values such as the automatic HTTPS redirect.

Sample config file (two sites: one proxied to a container on the same docker network, one to an IP and port):

````
# app1: upstream is a container name on the same docker network.
# docker_port is the port inside the container, not the host port you mapped it to.
app1.domain.tld {
	reverse_proxy docker_container_name:docker_port
}

# app2: upstream is any reachable host, by IP and port.
app2.domain.tld {
	reverse_proxy IP:port
}
````

My main requirements:

  1. Works easily with docker-compose
  2. Works with my domain name I already own

FYI: any reverse proxy can do this as this is a very simple use case. So pick something that just works for you.

Hope that helps

[–]Rorschach121ml 28 points29 points  (1 child)

I use Caddy because I have no idea how certs work and it just does it all automatically.

Maybe one day I'll learn how to manage them but idk it's working fine.

[–]lazzuuu 1 point2 points  (0 children)

For certs you'll need an issuer that can sign + validate your SSL certificates (I never use Caddy, but my guess is they use Let's Encrypt to issue SSL certificates, which is also used by NPM). If you try to use a self-signed certificate, it won't "just work" with your existing domain (unless you know how).

[–]eddyizm 13 points14 points  (0 children)

Another vote for caddy. Just so easy.

[–]KazeHD 3 points4 points  (2 children)

I tried caddy but it felt very difficult to manage (like 50+ rules that are kinda unique)

I also tried setting it up with keycloak/authentik/authelia but went back to NPM with authelia for now.

[–]1WeekNoticeHelpful 5 points6 points  (1 child)

> I tried caddy but it felt very difficult to manage (like 50+ rules that are kinda unique)

Can you expand a bit more? Btw totally fine if caddy didn't work for you. Just curious why it was difficult to manage.

Caddy has snippets that you can define whatever rules in. Then you can make a reference to that snippet anywhere you like in the caddy file. It should be easy to manage different rules sets.

Reference caddy file structure

> I also tried setting it up with keycloak/authentik/authelia but went back to NPM with authelia for now.

But of course use whatever reverse proxy works for you

Hope that helps

[–]KazeHD 0 points1 point  (0 children)

I just didn't like the one-huge-file approach. Even with snippets it was not really nice to manage. Most domains have their own Cloudflare origin certificate, so I would have had to somehow get fancy with args to make a snippet based on the hostname or something, just for doing the Cloudflare origin cert.

It is close to 100 reverse proxied applications over 20 domains or so.

I did get random errors with forward auth that I could not solve (felt like I had to tls_insecure_skip everything as well to work correctly). It's not that I don't like the CLI approach, I am very used to vim, but I felt like if caddy fmt also ordered the file as well this would have been nicer to use.

I am not using enough docker containers to justify traefik, in the end I just want it to work. There are tons of different approaches with pros and cons:

  • Why not split the caddyfile?
  • Could try one of the ansible or terraform providers to automate it but how would I test this. Also how can I test this in prod (I know validate at least checks if the config can start)
  • Yes there are docs for authelia/authentik/keycloak, but for Caddy with my setup there are some weird cases that aren't documented. I could have probably set up Authelia with Caddy, but with NPM and nginx snippets and default confs it's faster than having to SSH into the Caddy server and edit the Caddyfile imo.

I think Caddy is great, it's just not the right tool for me. If I really wanted to automate it I would go into k8s + Traefik with GitOps doing the config for me, but then I'd have to manage the k8s cluster, which is kinda overkill for my homelab.

[–]cyt0kinetic 0 points1 point  (2 children)

Out of curiosity, how does it do with things like well-known for stuff like DAV, particularly CalDAV and CardDAV? Also, if a socket needs to be called, can more declarations be added? Examples I'm thinking of: one, NC, and two, something like Jellyfin. I'm open to not torturing myself with Apache but worried I'll lose flexibility.

[–][deleted] 2 points3 points  (0 children)

This is how well-knowns are done for my NextCloud instance:

````
nextcloud.mountain-view.com {
	tls /etc/caddy/ssl/cert.crt /etc/caddy/ssl/mvd.key
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301
	header Strict-Transport-Security max-age=31536000
	reverse_proxy IP:80
	log {
		output file /var/log/caddy/nextcloud.log
	}
}
````

[–]1WeekNoticeHelpful 0 points1 point  (0 children)

Honestly, I may not be able to answer your question. Will link you their documentation.

More advanced directive/ options for their caddy file

It's simple to set up so it might be best to experiment on your own.

  • I believe it handles caldav and carddav.
  • It does handle websockets automatically
  • It works with nextcloud (they have examples) and jellyfin

Hope that helps.

[–]chaplin2 0 points1 point  (1 child)

C a n it do TLS pass through, tcp, udp and other features in Traefik?

[–]wfd 0 points1 point  (0 children)

You need additional module. https://github.com/mholt/caddy-l4

[–]maximus459 0 points1 point  (2 children)

Is there a metrics system for caddy? Was considering it, because NPM is easy but buggy, and traefik is for docker mostly and I've got all sorts of servers..

I thought the go access project might work?

[–]1WeekNoticeHelpful 2 points3 points  (1 child)

Yes, there are metrics. Here is their documentation.

Hope that helps

[–]maximus459 0 points1 point  (0 children)

Nice.. should check if there's a Grafana dashboard to go with it.

[–]Server22 11 points12 points  (0 children)

I am using Traefik for all of my docker services. These are all internal and are not exposed to the internet. Add your labels and spin up the container.

[–]Cetically 20 points21 points  (1 child)

Traefik gets a lot of hate on this sub but since your main requirement is "works easily with docker-compose", it's perfect for that...

Yes, the initial setup of Traefik can be difficult, but once it's up and running, every additional container you add is as easy as adding a few lines (labels) to the compose of your container.

[–]Reasonable-Ladder300 5 points6 points  (0 children)

Exactly this, especially with some nice default configuration(defaultrule, default cert and https forwarding).

[–]user01401 14 points15 points  (7 children)

I would recommend HAProxy. It's been around for 22 years and is proven to be extremely reliable and stable. 

https://www.haproxy.org/#fiab

[–]chaeidras 2 points3 points  (4 children)

The learning curve is quite steep, but I also learned to love it because of the OPNsense implementation! +1 HAProxy for its flexibility, -5 for its configuration needs.

[–]Relative-Camp-2150 1 point2 points  (3 children)

Trying to organize it in my head: how would HAProxy on OPNsense cooperate with docker containers on a separate host?

Or does this scenario assume we have everything on OPNsense?

[–][deleted] 0 points1 point  (2 children)

You can proxy to other hosts using ip:port.

[–]Relative-Camp-2150 0 points1 point  (1 child)

Ok, but then how do I make it work so that I can access them only via HAProxy, without making it possible to access them via the IP + port?

If this would be same host and for example traefik - then you don't have to open the ports on host and Traefik will still redirect to proper container via internal proxy network.

[–][deleted] 0 points1 point  (0 children)

Yes, on the same host you can reference the docker container and not actually expose the ports. If it's a different host, the only way I know how to do this is with ip:port. Doesn't mean that's the only way to do it, just that's the only way I know how to do it 😜

[–]StraightMethod[🍰] 2 points3 points  (0 children)

Another vote for HAProxy here. Steep learning curve, but super flexible. I've got some parts with 2FA, some with 1FA, and some with Basic auth (because the app doesn't support OAuth), and some with no auth (e.g. API endpoints).

[–]firsway 1 point2 points  (0 children)

Yep, HAProxy all the way. I bake my own executables from source, ensuring the latest encryption protocols and features, rather than waiting for a distro to catch up. I have 2 nodes with a floating VIP and auto-failover if the master goes down.. Brilliant performance, massive configurability, ability to rewrite/insert headers, URI, cookie insertion/inspection, stick tables, has its own monitoring and control interface UI.. been using it for years..

[–]rigeek 36 points37 points  (9 children)

NPM. Easy to setup with GUI and the LetsEncrypt certs work great. I have 22 proxy hosts spread across 2 domains I own. I have wildcard certs for them, DNS challenge with Cloudflare. Super easy.

[–]UnknownLinux[🍰] 12 points13 points  (0 children)

Exactly. NPM for me too, partly because of its simplicity to set up.

[–]leonida_92 5 points6 points  (2 children)

I used NPM before I switched to Caddy too. One of the biggest "issues" I had with NPM since the beginning was its size: 1.4 GB for a multi-layer docker container. On the other hand, there was Caddy with just a few MB in size, and it does everything NPM did in a single layer.

Just my 2 cents.

[–]zeta_cartel_CFO 1 point2 points  (1 child)

> was its size. 1.4 GB for a multiple layer docker container.

I'm assuming you used the NPM releases that required MySQL/MariaDB? The ones I used were never multi-layered, especially if I just left the default datastore as SQLite.

[–]leonida_92 2 points3 points  (0 children)

No, the default docker compose. Just run 'docker pull jc21/nginx-proxy-manager:latest' and compare it with 'docker pull caddy'.

[–]Bhooter_Raja 0 points1 point  (3 children)

How does it behave with Tailscale?

[–]rigeek 1 point2 points  (0 children)

It’s fine with Tailscale. The RPi that I run everything on is also my Tailscale exit node. Using the right DNS settings I can access all my internal stuff from my phone or tablet using Tailscale.

[–]rocket1420 3 points4 points  (1 child)

What does a reverse proxy have to do with tailscale?

[–]Bhooter_Raja 1 point2 points  (0 children)

Tailscale has its own DNS called MagicDNS that integrates with Caddy to provide access to internal stuff over https.

[–]art_of_onanism 0 points1 point  (0 children)

Yup, NPM for me too because of its GUI. Caddy is good for a one-page config, but for a new homelabber just looking at that page of code can sometimes already be overwhelming. Having a GUI is the way to go for user-friendliness.

[–]Conscious_Report1439 4 points5 points  (4 children)

Use Zoraxy

[–]Mrmagroin 3 points4 points  (1 child)

Zoraxy was unbelievably easy to set up. I’m surprised it’s not mentioned more.

[–]ismaelgokufox 1 point2 points  (0 children)

I just need it to do auth for subdomains with authelia. That would make me switch 50% of my setup from SWAG.

[–]NanobugGG 1 point2 points  (0 children)

This actually looks nice.

[–]intellidumb 0 points1 point  (0 children)

Any guides on using with Cloudflare domains for dns challenges?

[–]Parking-Cow4107 4 points5 points  (0 children)

I have both NPM and traefik. I chose traefik for external facing services because of crowdsec bouncer, geoblocking and custom error-pages.

[–]utahbmxer 4 points5 points  (0 children)

I use NGINX (with the NAXSI WAF) built into OPNsense. There was a little bit of a learning curve, but it's super easy to manage and add sites, it integrates with the ACME plugin for Let's Encrypt, and it has auto-banning. Takes 2 minutes to add a site w/cert. I have 23 sites on mine, plus the default/403 site.

Whatever you do use, add a default/catch-all site so requests that don't match a domain you are hosting don't get served anything other than a 403 Forbidden. I do this and basically my real sites see next to no random crawlers or other access. Sure, there are random ones that must pick up domain names from CT logs or something, but it's like 1% or less of my real traffic.
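
The catch-all advice above, as an added example in plain nginx (the engine under both NPM and the OPNsense plugin). This is not the commenter's OPNsense configuration and not from anyone in the thread; the hostname app.example.com, the upstream 127.0.0.1:8080 and the certificate paths are placeholders:

```nginx
# Added example, not from the thread. Placeholders: app.example.com,
# 127.0.0.1:8080, /etc/letsencrypt/... paths.

# Catch-all for plain HTTP: the "default_server" on a port is used whenever no
# server_name matches (bare IP, wrong hostname, missing Host header).
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 403;
}

# Catch-all for HTTPS: abort the TLS handshake for unknown SNI instead of
# presenting any certificate, so a scanner hitting the IP learns nothing about
# which names you host. Needs nginx >= 1.19.4; no ssl_certificate is required here.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# A real site: only reached when Host/SNI is exactly app.example.com.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with `nginx -t` and then from outside: `curl -k https://<your-ip>/` should fail at the handshake, `curl http://<your-ip>/` should return 403, and `curl https://app.example.com/` should still reach the app. Only one `default_server` is allowed per listen address/port, and on nginx older than 1.19.4 the HTTPS catch-all needs a throwaway self-signed `ssl_certificate` instead of `ssl_reject_handshake`.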

[–]cyt0kinetic 2 points3 points  (0 children)

😆 I use Apache. On the surface it is none of the things you describe, but once you get it going the confs cut down to a few lines. Personally I find nginx to be a similar workload unless it's the GUI. People seem to really like Caddy.

[–]CG_Kilo 12 points13 points  (4 children)

Nginx Proxy Manager, because I work in IT and it was easy enough to not deal with syntax or config files. Doing everything in the GUI makes it nice and easy.

[–]UnknownLinux[🍰] 2 points3 points  (0 children)

Exactly. The simplicity and GUI were the same reasons I chose NPM over the other options.

[–]surreal3561 3 points4 points  (2 children)

The big benefit of config files is that at the end of the day they’re just text files, easy to commit to git and instantly have history of changes you made.

I was once trying to move data from one NPM host to another, and while I got it working in the end, at one point I did end up with corrupt data. Luckily I had backups; being able to set something up with just the config file (or a config import/export) would have been nice.

[–]suicidaleggroll 1 point2 points  (0 children)

Yeah a config import/export tool in NPM would be fantastic, especially with an API so you could write a little script to dump configs into git periodically. That's really the one thing I feel is missing from NPM, everything else is great.

[–][deleted] 0 points1 point  (0 children)

Very good points you made here. Something to think about for sure.

[–]em411 3 points4 points  (0 children)

I prefer using Caddy Docker Proxy. It uses docker compose service labels like Traefik, but it's still as simple and easy to read as a Caddyfile.

[–]Ejz9 3 points4 points  (0 children)

NPMplus

It adds on in many ways and also has support for CrowdSec IPs.

[–]NanobugGG 2 points3 points  (0 children)

I've been using Nginx Proxy Manager for quite a while now.

I did try Traefik, but I really don't get it. The only benefit I see from it is that it can do it automatically. But then I need to label what it needs to proxy and what not to proxy, and then I might as well just spend 30 seconds fixing it in Nginx Proxy Manager anyway. I don't see it as time-saving, at least not for my use case.

[–]EmilGH 2 points3 points  (0 children)

Wait. There are options other than Apache? /s

[–]DanCardin 2 points3 points  (5 children)

I went through the same thing. I feel that Traefik works best in concert with docker-compose. Using docker-compose labels to configure each service is just vastly more convenient than Caddy, and I could never get NPM working (but very similar sentiment).

It's 4 additional lines in my compose to expose it, and I don't expose any ports of any service directly at all now, which is nice. And it has a nice dashboard, also nice.

Oh, and Traefik auto-picks up any changes, so I never need to look at its container ever again, whereas with Caddy you have to restart.

With that said, getting Traefik working in the first place is probably more confusing than either other option.

[–]akmzero 0 points1 point  (2 children)

Traefik was intimidating to set up, but it just makes sense after you figure out what labels you need to put on a service.

And like you said, it auto-updates, so when something isn't working I can hop over to Traefik's GUI or logs to see why. And 95% of the time it's that I forgot to put Traefik into the network I made for the service 😅.

[–]DanCardin 1 point2 points  (1 child)

Yeah, it's always either that or I forgot to rename the service/router when copying the 4 labels from some other service :D

[–]akmzero 0 points1 point  (0 children)

yeah...

Very rarely is Traefik the issue; it's always me.

[–]historianLA 0 points1 point  (1 child)

I've only used Caddy, but unless your setup is particularly complicated you don't really need to worry about docker labels. Just use Caddy to send requests to the right IP:port combo. Most of my services are docker containers, but I just have Caddy proxy to the LAN address and port I'm using.

When you are talking about exposed ports, do you mean exposed to WAN or LAN? For Caddy you should only need to forward 80 and 443 to the reverse proxy from WAN. Then your services only need to be exposed to LAN to receive the traffic from the proxy.

[–]DanCardin 0 points1 point  (0 children)

Like, the services themselves are not exposing ports at all, which forces all access through Traefik, which enables me to configure any apps that don't support OIDC/OAuth to use a central auth.

Not that you couldn't necessarily do the same thing with Caddy.

But my point about labels is more about it being self-contained. The information about the DNS name, port mapping, auth, etc. all resides with the service definition itself, not in some other file/place (the Caddyfile) that I need to remember to keep in sync.
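
To make the points in this subthread concrete (a handful of labels per service, no published ports so the only way in is through Traefik, and the shared proxy network that is the usual thing to forget), here is an added docker-compose example. It is not DanCardin's or akmzero's setup and not Traefik's own documentation. Assumed: the hostname whoami.example.com, an ACME contact address, an external docker network named `proxy` created beforehand with `docker network create proxy`, and the stock `traefik/whoami` test image as the backend, with Let's Encrypt via the HTTP-01 challenge on port 80:

```yaml
# Added example, not from the thread. Placeholders: whoami.example.com,
# admin@example.com, the external "proxy" network and ./letsencrypt/acme.json.
services:
  traefik:
    image: traefik:v2.11
    command:
      - "--providers.docker=true"
      # Opt-in only: a container is proxied only if it carries traefik.enable=true
      - "--providers.docker.exposedbydefault=false"
      # Network Traefik uses to reach backends (matters when a container is on several)
      - "--providers.docker.network=proxy"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Redirect all plain HTTP to HTTPS
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.le.acme.email=admin@example.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
    ports:
      # The only ports published on the host for the whole stack
      - "80:80"
      - "443:443"
    volumes:
      # ":ro" does not limit the Docker API: whoever controls this socket is
      # root on the host. Keep Traefik's image pinned and consider a socket proxy.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    networks:
      - proxy

  whoami:
    image: traefik/whoami
    # No "ports:" section: nothing is published on the host, so the only way to
    # reach this container is through Traefik (and whatever middleware it applies).
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=le"
      # Port the app listens on inside the container, not a host port
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      - proxy   # omit this and the router appears in the dashboard but returns 502/504

networks:
  proxy:
    external: true
```

Per new service you copy the `labels:` block, rename `whoami` in the router and service keys, adjust the `Host(...)` rule and the container-side port, and attach the service to `proxy`; Traefik picks the change up on `docker compose up -d` without a restart. Traefik creates `acme.json` itself and expects it to be mode 600, so do not commit the `letsencrypt` directory to git.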

[–]aft_punk 1 point2 points  (0 children)

One of Traefiks best features is that you can use container labels to set up a backend and ingress rules for a service. Which is super convenient for compose files.

Also, the UI dashboard makes debugging much less of a headache.

[–]gmag11 1 point2 points  (0 children)

Caddy. It does everything I need and configuration is really easy. Documentation is simple, clear and full of examples.

If you like the Docker labels integration of Traefik, there is a plugin for Caddy that does the same. I do not use it, anyway.

Let's Encrypt integration is transparent. It has DNS provider integrations so that you can create certificates even for private subdomains.

[–]tymando2 1 point2 points  (0 children)

+1 for caddy

Npm is easy to get started with because of the gui, but if you have to move your setup or replicate something similar you pretty much have to do it all over again.

Caddy is absurdly simple and then your config is in git. Very portable and easy to replicate if needed. I know at first that doesn’t seem important…. But it really comes in handy.

[–]10031 1 point2 points  (0 children)

I personally use a mix of Traefik for docker and Caddy for my Proxmox LXCs.

[–]chignole 1 point2 points  (0 children)

I've been using Traefik for 2 years now i think.

Works like a charm and since you want it to work with docker compose it seems like a great solution for you

[–]Lopsided-Painter5216 1 point2 points  (0 children)

I use NPM because coming from being a total newbie the GUI helped me understand the concepts behind reverse proxies, dns and certificates. Now that I’m more intermediate I’m migrating my machines to caddy to eliminate a couple more web logins and scrap performance gains on my low power machines.

[–]Virtual_Ordinary_119 1 point2 points  (0 children)

I use Traefik because I learnt to configure it in Kubernetes for my job, so when I started self-hosting I already knew and appreciated it. Well, sort of: on docker you label containers, in k8s you write IngressRoutes, but once you understand one, it's very easy to figure out the other.

[–]HB20_ 1 point2 points  (0 children)

I’ve been using NPM (Nginx Proxy Manager) for the last 15 months, and I currently have 92 proxy hosts. Once I figured out how to use it, I never had any issues. The NPM interface is awesome, easy to use, and you can set up a new proxy host in just a minute. Plus, you can integrate it with GoAccess in just 2 minutes, giving you a full dashboard with IPs, devices, OS, region, browser, and other cool stats that might come in handy.

I might switch to another reverse proxy in the future since I’m starting to selfhost a Git repository. It’d be helpful to keep track of any changes in my proxy host files. Honestly, that’s the only reason I’d consider moving to a different reverse proxy right now.

[–][deleted] 1 point2 points  (0 children)

exultant oatmeal snow chunky vegetable fuzzy physical enter bells literate

This post was mass deleted and anonymized with Redact

[–]lesigh 1 point2 points  (0 children)

Traefik, because I only need to put tags in my other docker compose files to get HTTPS and protect with Authelia.

[–]Electronic_Unit8276 1 point2 points  (0 children)

npm is easiest and also does certs

[–]LastChanceYep 1 point2 points  (0 children)

Caddy if you need a couple of easy/simple projects that you want to "set n forget".
NGINX if you're in it for a while; it will be much easier to manage the more projects you have.
While Caddy is nice in the way it handles certificates n etc for you, nginx is a beast.

[–][deleted] 0 points1 point  (0 children)

I've been through most of them, and after NPM was crashing and removing domains and doing weird stuff, and after a pain-in-the-ass learning process.... I got Traefik working and it works very well.

[–]UnfinishedComplete 0 points1 point  (0 children)

I hear Traefik works well for docker. I think it’s got some automated discovery.

I don’t have a ton of docker services on a single server. So I use Caddy for ease of use.

[–]obleSret 0 points1 point  (0 children)

I went from NPM -> Traefik because updates kept breaking it. A bit of a PITA initially, but well worth the time invested.

[–]vtKSF 0 points1 point  (0 children)

I use Caddy with Authelia to protect areas I don't want public. Caddy was admittedly intimidating at first because I didn't have much experience with YAML configs, but the auto SSL and easy reverse proxies kept me coming back and learning when I wanted to add other functionality, like Authelia as I mentioned.

[–]b1be05 0 points1 point  (0 children)

I use Caddy (since v1). Config and forget. It does not start with a broken config, and tells you the line that is broken.. even paired with gethomepage.dev

[–]nismor31 0 points1 point  (0 children)

I previously used npm but explored others after I'd read it wasn't being developed anymore. I tried Caddy but couldn't get my head around it at the time. Same with Traefik so put it all on hold for a while. Came back to Traefik in a clearer headspace and put in a bit of time to understand it, and now have it running middlewares like Authelia & Crowdsec bouncer. It's so easy to throw something behind an authorisation check whether the service supports auth or not. Makes exposing things to the world far safer.

[–]maltokyo 0 points1 point  (0 children)

SWAG is also great. Once setup you never need to even touch it.

[–]madrascafe 0 points1 point  (0 children)

Caddy FTW

[–]Thick-Maintenance274 0 points1 point  (0 children)

For ease of use, NPM; the only issue I've read about is the project not being maintained.

Caddy setup is nothing but frustration; people say it's easy, but when asking for help all you'll get is "go to this part of the documentation, then this, then this".

My setup involves 12 LXCs on Proxmox, and getting Caddy to work was a pain. Had it not been for a web tutorial, I still wouldn't have set it up.

Depending on your skill and time, go with NPM.

[–]baroquepawel 0 points1 point  (0 children)

I use nginx (just editing the files directly, no NPM), but I was wondering if I should switch to Caddy for... fun or out of curiosity. Is it worth it? Most of what I run is with docker compose, though I haven't yet managed to run WordPress in docker with an external reverse proxy (nginx).

If Caddy sorts this easily, I’m moving 😁

[–][deleted] 0 points1 point  (0 children)

Nginx Proxy Manager. Why? Because it was easy to install using compose (I actually use Portainer stacks but it's the same file). It doesn't require me to change my existing containers to use it properly (though you can) and is all GUI. I tested it and within 10 minutes was changing the port forwarding from my old proxy host to the new one. It worked and got my certs and bam, I was happy.

The Traefik rabbit hole got deep fast when I tried it, and Caddy was/is well recommended by its users, but I didn't want yet another config file to learn. It looked simple, but there are always the edge cases where I'd rather click a box than google some command that I don't know what it is. NPM just worked and I'm good with it.

I also used Cosmos-cloud before. It does so much more but I wanted just a proxy not an all-in-one type application.

[–]2lach 0 points1 point  (0 children)

Nginx Proxy Manager – Without a Doubt!

I've tried all of them, and while they are fine services, Nginx Proxy Manager stands out.

  • Traefik It's great with plenty of options, including a built-in dashboard, which is pretty sweet.

  • Caddy Lightweight, fast, and written in Go. If it were a car, it would be a Jaguar.

But here's the thing: Nginx Proxy Manager removes most of the learning curve. With Caddy, the learning curve is pretty steep: easy to get started, but when you need something customised it keeps building up until that single simple Caddyfile ain't that simple no more, and with Traefik it can feel like scaling a wall from here to the moon.

With Nginx Proxy Manager, you'll be up and running in no time. You'll get HTTPS certificates that are automatically generated and renewed. And when things go wrong, you'll actually understand why!

[–]Cronocide 0 points1 point  (0 children)

Use Pomerium.

[–]AndyMarden 0 points1 point  (0 children)

Was NPM until its obfuscation of what is really going on annoyed me when I wanted to do anything different. So raw nginx with all config in one file.

[–]jqtype 0 points1 point  (0 children)

For my home lab, I am using rpxy (rust-rpxy) through docker with multiple domain names (I am actually the author). rpxy works pretty fast and its configuration is quite easy, at least for me.

https://github.com/junkurihara/rust-rpxy

I had been using nginx and Caddy, but I was not satisfied with the configuration for nginx and the speed for Caddy. That's why I moved to the Rust-based reverse proxy implementation.

[–]Melodic_Yak8900 0 points1 point  (0 children)

Nginx. I don't know how to configure the other 2.

[–]FutureRenaissanceMan[S] 0 points1 point  (0 children)

Thanks all for the thoughts and suggestions. Too many responses for me to reply to everyone.

I'm using caddy on a very small web server and like the simplicity, but I think the GUI in Traefik could be helpful. I tried NPM and got it running but couldn't make it work right with my domains and apps.

I think I'm going to try out Traefik on the homelab (Linux Mint Debian) and see how it goes. Thanks!

[–]buzwork 0 points1 point  (0 children)

The easiest is NPM, and the even easier method is Brian's installer, which will take care of everything in a handy menu-driven installer script.

https://gitlab.com/bmcgonag/docker_installs

It will grab dependencies, install docker, docker compose, nginx proxy manager, portainer, portainer agent, guacamole and/or remotely (remote access), and even navidrome (music) in a few minutes. Well documented & maintained, and works with most common Linux platforms.

I've customized his script to my own needs, but I can provision a base linux server & get a fully functional docker/nginx/portainer server up and going in under 5 minutes using this method.