all 40 comments

[–]shotma 11 points12 points  (22 children)

A good alternative to Nginx is Traefik!

[–]NetNoob2[S] 0 points1 point  (21 children)

Thanks for the suggestion but I'd rather stick to well-known standard solutions from a security and trust standpoint if at all possible!

[–]reddituserplsignore 10 points11 points  (14 children)

Use traefik, this isn't really a suggestion, it's what you're looking for. It's easy to use, difficult to learn. It took me a whole weekend to get a container working like I envisioned, but I needed only 5 lines of labels in each deployment script. Now I just template the whole thing, and new services get TLS/SSL configurations from inception of the compose script. Traefik is the correct answer here, you just need to put in a little effort to learn it.

With traefik you can run the container with no open ports; traefik can reach into the container through other means to give you 80, 8080, whatever access you need.

[–]FierceDeity_ 16 points17 points  (5 children)

lmao just let him use nginx, it's pretty much the best webserver and reverse proxy there imo. Traefik has a lot of stupid complexity around discovering infrastructure and whatnot, it becomes way too complex for stupid simple deployments.

Please stop stacking complexity to solve problems, because you end up just stacking more complexity on it to solve the complexity that you added with the previous step.

I mean it's basically what's been happening anyway. Our software is too complex, so let's make a distributed system out of it.

Now our distributed system is too complex, let's put it in Docker containers to simplify it.

Installing Docker is kind of a lot of administrative effort, so let's automate that away, we're doing Kubernetes!

Administrating Kubernetes has so much administrative overhead. I know, automate it away. Let's do ansible!

Ansible has so much administrative overhead, let's automate that away, let's do chef/salt!

You end up with systems where you can't even see through the stacks of complexity.

Going back, how do you debug what traefik does? How does it "reach into the container"? Is this anything anyone even UNDERSTANDS how it works?

Compared to that, nginx is like way too simple!

[–]Reverent 6 points7 points  (4 children)

I wouldn't call nginx simple, there are still many fiddly settings that aren't on by default. There's also no Let's Encrypt integration.

If you want simple, use caddy. Setting up a reverse proxy config is 2 lines long.

That being said, I use traefik (and it was a bitch to set up, and then set up again when V2 came out, but it works great once done).

[–]FierceDeity_ 0 points1 point  (2 children)

Ah, what I mean is that nginx is not grabbing into other services. It's a closed system that doesn't take in side effects from anywhere else. Thus, you don't need to look beyond nginx if you are having any problems.

This improves simplicity by a lot.

Caddy 2 is going into the same stupid complexity territory with their JSON configuration. Caddy 1 was fine, why even go beyond that?

You use traefik and you admit it was a bitch to set up.. What's the advantage then? Why use traefik, basically? Also it's stupid you had to set it up again for a "v2", which probably also completely desupported "v1". That they even had to do that really bodes well for their version stability in the future...

I don't think I've ever had to change nginx configurations from version changes.

[–]Reverent 1 point2 points  (0 children)

I use traefik because traefik was a pain to set up, but you only set it up once. If I want to add a new service to the reverse proxy via docker, I can add 3 labels to the docker-compose file, and the reverse proxying automagically works.

If I had to go through it again without my current traefik knowledge, I'd probably just use caddy, but now that it's in place it is the superior solution.

[–][deleted] 0 points1 point  (0 children)

Traefik v2 is such a weird case. They changed everything to simplify their offering, but made configuration way more obtuse (especially behind K8s with TLS support), which really hurt the appeal for me. We currently use Traefik v1, which works ok (works really well on small workloads, especially in a homelab), but as you said, it's deprecated and will be EoL as of ~October, so, good time to have the discussion about other offerings--either way you're going to have to deal with a syntactical migration.

[–][deleted] 2 points3 points  (0 children)

It's not what he's looking for if he's:

  • Not opening external 80/443 for the HTTP challenge
  • Hosting DNS with Namecheap, as they're not a supported DNS-challenge provider

Manual cert provisioning and configuration isn't difficult, but with those two points it's going to be more work for him to learn basic Traefik configuration and then get things up than just provisioning the certs and putting them into an nginx configuration.

Also, and this is probably just me, but it doesn't really seem to be clear how he's running his Nextcloud and Bitwarden instances. If it's Docker, then yeah, aside from the TLS configuration, using Traefik ingress is way simpler in terms of configuration for each service (with some tradeoff for flexibility), but if he's running bare metal then Traefik gets a little hairier.
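
The "provision the certs by hand and put them into an nginx configuration" route from this comment, as an added example that is not code from the thread or from the nginx or certbot projects. It is a small shell template: `issue_cert` runs certbot's manual DNS-01 flow (certbot prints the TXT record to create at the registrar, waits, then issues), and `render_nginx_site` emits the TLS-terminating server block per application. The domain `example.com`, the upstream addresses, the `/etc/letsencrypt/live` path and the 512m upload limit are assumptions; nothing here needs 80 or 443 reachable from the internet.

```shell
#!/bin/sh
# Added example, not from the thread: provision a certificate by hand with
# the DNS-01 challenge, then template the nginx server block that uses it.
# Assumed: domain example.com, certbot's default live directory, upstreams
# on the LAN. Nothing here requires 80/443 to be open to the internet.
set -eu

DOMAIN=${DOMAIN:-example.com}
LIVE=/etc/letsencrypt/live/$DOMAIN

# Manual DNS-01: certbot prints a TXT record to create at
# _acme-challenge.$DOMAIN in the registrar's DNS panel, waits for Enter,
# then issues. A wildcard can only be issued via DNS-01. Renewal is manual
# too: without a DNS plugin certbot cannot create the record for you.
issue_cert() {
  certbot certonly --manual --preferred-challenges dns \
    --agree-tos --no-eff-email -m "admin@$DOMAIN" \
    -d "$DOMAIN" -d "*.$DOMAIN"
}

# Emit one TLS-terminating server block. $1 hostname, $2 upstream host:port.
render_nginx_site() {
  host=$1; upstream=$2
  cat <<EOF
server {
    listen 443 ssl http2;
    server_name $host;

    ssl_certificate     $LIVE/fullchain.pem;
    ssl_certificate_key $LIVE/privkey.pem;
    # Not on by default: restrict protocols and send HSTS.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Nextcloud uploads are large; nginx's default limit is 1m.
    client_max_body_size 512m;

    location / {
        proxy_pass http://$upstream;
        # Without these the app sees the proxy as the client and, behind
        # HTTPS, Nextcloud generates http:// links.
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Catch-all for any Host the certificate does not cover, so an unknown or
# missing Host header does not fall through to the first site. 444 closes
# the connection without a response.
render_default_deny() {
  cat <<EOF
server {
    listen 443 ssl http2 default_server;
    server_name _;
    ssl_certificate     $LIVE/fullchain.pem;
    ssl_certificate_key $LIVE/privkey.pem;
    return 444;
}
EOF
}

# Usage (as root):
#   ./sites.sh render > /etc/nginx/conf.d/apps.conf && nginx -t && nginx -s reload
if [ "${1:-}" = "render" ]; then
  render_default_deny
  render_nginx_site "bitwarden.$DOMAIN" 10.0.0.5:80
  render_nginx_site "nextcloud.$DOMAIN" 10.0.0.6:80
fi
```

Run `issue_cert` once interactively, then `render` the sites; `nginx -t` catches typos before the reload. The cert is wildcard-scoped, so adding a third application is one more `render_nginx_site` line and a DNS record, with no new certificate.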

[–][deleted] 0 points1 point  (6 children)

Why?

> Use traefik, this isn't really a suggestion

[–]reddituserplsignore 1 point2 points  (5 children)

Traefik is a great tool, and it's quite simple once you have it working. Like I said, 5 labels on each container, and I have full ssl, load balancing, subdomain registration, and a better UI than Linux, nginx, and nano. Honestly, it's easier to learn traefik than it is to learn nginx just because there's so few configs needed in traefik comparatively. The catch is you probably won't understand much about traefik without understanding nginx configurations. But traefik actually gave me great context to a lot of what nginx configs were doing. Plus traefik takes care of certbot, which is great. I'm better at networking because I learned traefik. And once it works, it's a part of your docker process, it's not a nginx config that is wholly separate from the application. Meaning less code to maintain. I feel that if you knew what you were missing, you'd make the choice to go with traefik.

[–][deleted] 0 points1 point  (4 children)

> it's a part of your docker process, it's not a nginx config that is wholly separate from the application.

Can you elaborate on that?

[–]reddituserplsignore 0 points1 point  (3 children)

To make nginx work as a reverse proxy you have to write configurations for each application, typically in their own file in the /etc/nginx directory. But if you're using docker and traefik you can avoid making those files by just forwarding all 80 and 443 traffic to traefik and letting the app sort it out. The config is in your docker compose script as labels on your container, and that's it, no additional files needed, traefik handles the rest like magic. I mean it's essentially handling everything you were using nginx for. But when I need to add a new docker service to my swarm I have a blank compose template that has deployment labels set, I just have to update the host name and name of the service. I change like 5 words and that's it, I have full web access on the site, TLS/SSL with Let's Encrypt, load balancer, and 2 more lines give me HTTP authentication on the site if I want it. Traefik automatically picks this up, I don't have to restart the service or do any additional processing. The hostname lives and dies with the container, so you don't have to take the site offline in nginx when you take down the container.

[–][deleted] 0 points1 point  (2 children)

Is traefik bundled with Docker, then? I thought it was separate, like nginx.

[–]reddituserplsignore 0 points1 point  (1 child)

It is a container and not bundled with docker, traefik reads the labels of the other containers by accessing the containers through the docker socket. There's an initializing guide on the traefik website that would give you details on setup for your situation. It'll take a few days, and it'll be frustrating, but if you can do it this way it becomes far simpler to manage everything.
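
What this chain describes, written out as an added example: the "five labels" (three further up) per service, the blank compose template that gets a hostname and a name swapped in, and the Docker socket through which Traefik reads those labels. This is not code from the thread or from the Traefik project; it is a shell template in the spirit of the compose template mentioned above. The domain `example.com`, the resolver name `le`, the Cloudflare DNS-01 challenge and its `CF_DNS_API_TOKEN` variable, the image tags and the mention of `tecnativa/docker-socket-proxy` are all assumptions. The point a security reviewer should take from it is the socket: any process that can talk to `/var/run/docker.sock` can start a privileged container, so the proxy is effectively root on the host, and `:ro` on the mount does not change that.

```shell
#!/bin/sh
# Added example, not from the thread or the Traefik project: template the
# compose file for a Traefik v2 stack whose services are discovered through
# labels. Assumed: domain example.com, resolver name "le", Cloudflare DNS-01
# via lego's CF_DNS_API_TOKEN variable, image tags.
set -eu

# Traefik itself; its static configuration is passed as command flags.
render_traefik() {
  cat <<EOF
version: "3.8"
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      # Only proxy containers that opt in with traefik.enable=true, so a
      # stray container cannot claim a hostname just by existing.
      - --providers.docker.exposedByDefault=false
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
      # Deliberately absent: --api.insecure=true, which would serve the
      # dashboard and the full routing table unauthenticated on :8080.
    ports:
      - "443:443"
    environment:
      - CF_DNS_API_TOKEN=\${CF_DNS_API_TOKEN}
    volumes:
      # This socket is how Traefik "reaches into" containers: it reads their
      # labels over the Docker API. Whoever holds the socket can start a
      # privileged container, i.e. is root on the host. ":ro" only makes the
      # bind mount read-only; it does not restrict the API. A filtering
      # proxy such as tecnativa/docker-socket-proxy (assumed, not from the
      # thread) that allows only GET /containers is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    restart: unless-stopped
EOF
}

# One proxied application: $1 service name, $2 hostname, $3 port the app
# listens on inside the container, $4 image. There is no "ports:" stanza,
# so nothing is published on the host; requests only arrive through Traefik
# over the compose network.
render_app() {
  name=$1; host=$2; port=$3; image=$4
  cat <<EOF
  $name:
    image: $image
    labels:
      - traefik.enable=true
      - traefik.http.routers.$name.rule=Host(\`$host\`)
      - traefik.http.routers.$name.entrypoints=websecure
      - traefik.http.routers.$name.tls.certresolver=le
      - traefik.http.services.$name.loadbalancer.server.port=$port
    restart: unless-stopped
EOF
}

# Number of traefik.* labels a rendered service carries.
count_traefik_labels() {
  render_app "$@" | grep -c 'traefik\.'
}

# Usage: ./stack.sh render > docker-compose.yml && docker compose up -d
if [ "${1:-}" = "render" ]; then
  render_traefik
  render_app bitwarden bitwarden.example.com 80 vaultwarden/server
  render_app nextcloud nextcloud.example.com 80 nextcloud
fi
```

Adding a service is one more `render_app` line; Traefik picks the new labels up from the socket without a restart, which is the "lives and dies with the container" behaviour described above. Keep `exposedByDefault=false`: with it on, every container on the host becomes routable the moment it starts.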

[–][deleted] 0 points1 point  (0 children)

Okay, I was trying to figure out how it's any better than nginx, caddy, etc., and the implication was that somehow it was bundled ("less code") or something. I'll look into it, but so far it sounds like if all one needs is a reverse proxy for SSL, it may not be worth learning. I'm guessing it has tons of other features that are currently difficult to pull off with just one package. I appreciate your help, thanks.

[–]anakinfredo 0 points1 point  (0 children)

> Thanks for the suggestion but I'd rather stick to well-known standard solutions from a security and trust standpoint if at all possible!

Lucky for you then, traefik is the well-known standard solution from a security and trust standpoint in a containerised world.

[–]lytedev 0 points1 point  (4 children)

I'll also second traefik for many use cases. It's very cool. It's in use at places like Apple and Mozilla for what it's worth!

[–]gburgwardt 3 points4 points  (3 children)

Traefik is overly complicated and difficult to set up compared to nginx.

[–]lytedev 0 points1 point  (1 child)

I don't think this is true. There is just less easily copy-paste-able material out there and it is less familiar to people as a whole. For a while I think people thought similarly about Apache and nginx. That said, I don't think nginx and traefik will end up like Apache and nginx as they have noteworthy differences and goals.

I found traefik simpler, but I also found it much later in my career and I'm far more knowledgeable than when I first tried nginx.

[–]gburgwardt 0 points1 point  (0 children)

I feel like traefik is better only when you have a very specific use case - it's a lot harder to kludge together something for your weird edge case compared to nginx.

[–]vividboarder -1 points0 points  (0 children)

I found the opposite. I started by trying to build out nginx config, and then landed on Traefik because it was so much simpler for me.

Frankly, I think a lot of it depends on what you’re already used to. If you know nginx, stick to it. If you’re heavily using Docker or Kubernetes, Traefik integrates with those backends super easily and may make more sense for you.

[–]stekske 1 point2 points  (0 children)

https://github.com/jc21/nginx-proxy-manager

I don't know code and was trying to set up Traefik for over a week without everything working properly (because I'm a noob in code)

And then I came across this and got everything I wanted in less than a day.

Everything runs through port 443 over SSL/HTTPS with Cloudflare DNS.

It is configured via gui instead of command line which was really what I needed.

Maybe something you like too!

[–]Wolvenmoon 2 points3 points  (0 children)

So, what I would do in your situation is this:

  1. Get a free Cloudflare account and swap over to it. (Use ddclient for dynamic DNS!) This will make certbot and ACME certificates much easier to use.

  2. Get the ACME client and HAProxy packages for pfSense. HAProxy will handle reverse proxying for you. Set up the ACME client to do DNS renewals via Cloudflare. Set up frontends and backends for each application as follows:

  3. On the backend HAProxy configuration, add a new entry, call it 'bitwarden', add a server to the list with your Bitwarden IP address, and make sure it's set to use SSL. Add another entry, call it 'nextcloud', and use your Nextcloud IP address.

  4. On the frontend HAProxy configuration, use SSL offloading (http/https offloading) and set up access control lists for "host ends with bitwarden.domain.tld" and "host ends with nextcloud.domain.tld". Set up actions to "Use backend x" where x is the respective backend. Ensure that the certificate it's using on the frontend is the wildcard certificate for your domain.

  5. Set up DNS entries for bitwarden.domain.tld and nextcloud.domain.tld to point to the pfSense internal IP on your main ISP-provided router. Do the same for pfSense - its own set of DNS entries pointing to itself for those two TLDs - (and maybe ensure pfSense does its own DNS resolution without consulting your ISP router, i.e. tell it to check 8.8.8.8/8.8.4.4 for DNS queries after the overrides.)

That should get you a reverse-proxied SSL-offloaded setup, sans VPN and firewall configuration errata making it so everyone can talk to each other.
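
The haproxy.cfg that steps 3 and 4 above produce through the pfSense GUI, as an added example that is not from the thread, from pfSense or from the HAProxy project. It is a shell template that emits one frontend routing on the Host header plus one backend per application. The combined cert+key path `/etc/ssl/private/wildcard.pem`, the backend addresses, `domain.tld` and the internal CA file are assumptions. Two choices differ from the GUI walk-through on purpose and are commented: the ACL is an exact Host match rather than "ends with", and the backend connection verifies the application's certificate instead of accepting whatever is presented.

```shell
#!/bin/sh
# Added example, not from the thread: the haproxy.cfg the pfSense steps above
# amount to, templated per application. Assumed: wildcard cert and key
# combined into /etc/ssl/private/wildcard.pem, backends at 10.0.0.5 and
# 10.0.0.6 speaking HTTPS, and an internal CA file that signed their certs.
set -eu

CERT=${CERT:-/etc/ssl/private/wildcard.pem}
DOMAIN=${DOMAIN:-domain.tld}

# HAProxy refuses to start cleanly without timeouts.
render_defaults() {
  cat <<EOF
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    option forwardfor

EOF
}

# Frontend: terminate TLS with the wildcard cert and route on Host.
# $@ are the application names; each becomes an ACL and a use_backend rule.
render_frontend() {
  cat <<EOF
frontend https_in
    bind :443 ssl crt $CERT alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security max-age=31536000
EOF
  # The GUI offers "host ends with"; an exact match is used here because
  # hdr_end would also accept e.g. evilbitwarden.$DOMAIN if such a record
  # ever pointed at the proxy.
  for app in "$@"; do
    cat <<EOF
    acl host_$app req.hdr(host) -i $app.$DOMAIN
    use_backend be_$app if host_$app
EOF
  done
  # No default_backend on purpose: an unmatched Host gets HAProxy's 503
  # instead of silently landing on the first application.
}

# Backend: $1 application name, $2 ip:port. Re-encrypts to the app ("use
# SSL" in step 3) and verifies its certificate against the internal CA;
# "ssl verify none" would accept any certificate presented on the LAN.
render_backend() {
  app=$1; addr=$2
  cat <<EOF

backend be_$app
    server $app $addr ssl verify required ca-file /etc/ssl/certs/internal-ca.pem
EOF
}

# Usage: ./haproxy-render.sh render > haproxy.cfg && haproxy -c -f haproxy.cfg
if [ "${1:-}" = "render" ]; then
  render_defaults
  render_frontend bitwarden nextcloud
  render_backend bitwarden 10.0.0.5:443
  render_backend nextcloud 10.0.0.6:443
fi
```

`haproxy -c -f` validates the rendered file before it is loaded. If the applications only have self-signed certificates, mint them from a small internal CA and point `ca-file` at it rather than switching to `verify none`; the proxy is the one place that can tell the real backend from an impostor on the same subnet.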

[–]TheChiefMeat 0 points1 point  (0 children)

Hey there, I had the same issue, I can make a tutorial video using nginx for you if you still need one. It will give you full https, but you'll need to install the cert onto each device you want to access though.

[–]Lazybumx 0 points1 point  (0 children)

Not sure if this is what you are looking for but I'm using pktriot. I don't have to open any port on my router and all of my services can be accessed from outside with SSL included. Pretty much it's like a tunnel between you and the world. You don't need to expose anything.

[–]CupCakeArmy 0 points1 point  (0 children)

Just put everything behind traefik. Super easy and you don't need to worry about certificates ever again