TUTORIALS Reverse proxy

NGINX
Credit: http://nginx.org

Access services with

Nginx reverse proxy
Nick Peers discovers how to open your network services to the
internet with this user-friendly implementation of Nginx.

f you’re looking for a way to

I access self-hosted services

from outside your home, you
have two basic choices. For maximum
security, you’d set up a VPN tunnel that
you’d need to dial into every time you
OUR wanted access, but if you’d like a simpler
EXPERT option that’s still secure, and gives
Nick Peers others access, you want a reverse proxy.
Is obsessed with One of the best-known tools for the
self-hosting. job is Nginx (https://nginx.org), but it’s
From Bitwarden not the most user-friendly, even when
and Jellyfin to wrapped up in deployment-friendly
Nextcloud and containers like Linuxserver’s Swag. If the
MotionEye, all idea of messing around with separate Creating subdomains for each of your services makes them easier to configure for
his services are config files for each service you want remote access using Nginx Proxy Manager.
so much easier to open up sounds too much like hard
to configure for work, you’ll love Nginx Proxy Manager. It enables you to works. Nginx Proxy Manager can be installed on any
remote access set up, view and administer all your connections via a machine on your network, but we’re assuming you’ll
with Nginx Proxy pleasingly easy-to-use web front-end. want it running 24-7, so you’ll want it on your dedicated
Manager. He is Like Swag, Nginix Proxy Manager is distributed as a server where it’s likely most other shared services are
the life of the Docker container. We’re assuming you have Docker set also running, many of which may be running in Docker.
party, too! up and configured, and have some knowledge of how it Nginx Proxy Manager can redirect traffic anywhere
on your network, but if you want to direct traffic to
other Docker containers, they must all be on the same
INSTALL NGINIX PROXY MANAGER (custom) bridge network as Nginx Proxy Manager. If
you’ve not yet set up this shared bridge, it can be done
The quickest and easiest way to change it to -p 82:81 to access with a single Docker command, substituting shared-
deploy Docker containers is by Nginx Proxy Manager through net with your choice of shared network name:
pasting the setup script into a http://192.168.x.y:82). $ docker network create shared-net
text editor, then saving the file docker run -d \ You need to then connect your existing Docker
in plain text so you can easily --name=nginx-proxy-manager \ containers to this network – if you’re administering
copy and paste it into a terminal --net=shared-net \ them through the Portainer web interface, this is
window, plus make edits -p 443:443 \ simple enough. Navigate to the container’s details
whenever required. -p 80:80 \ page, scroll down to Connected Networks, where you
The script here, of course, -p 81:81 \ can select your new network and click Join Network.
needs adapting to your personal -v /home/dockeruser/ If you’re managing Docker from the command line,
setup, namely the name of your containers/nginx/data:/data \ you need to stop and remove each container in turn,
shared network under --net and -v /home/dockeruser/ then insert the following line into the setup script you
the location of your config and containers/nginx/letsencrypt:/ use to recreate it:
LetsEncrypt certificate folders letsencrypt \ --net=bridge-for-all-seasons \
under -v . You may also need to --restart unless-stopped \
adapt the -p 81:81 \ line if port jc21/nginx-proxy- Get your domains in order
81 is already in use (for example, manager:latest You’ve configured Docker, but before you install Nginx
Proxy Manager, there’s a couple more prerequisites to

56    LXF306 September 2023 www.linuxformat.com

 Reverse proxy TUTORIALS

satisfy. The first is that you need access to a suitable
domain to provide access to your servers from the
outside world – this can be your own domain, from
which you can optionally create separate subdomains
for each service you have, such as jellyfin.domain.com,
or you could make use of a dynamic domain like that
offered by NoIP (www.noip.com).
If using your own domain, start by making a note of
your current public IP address (use www.whatsmyip.
com), then log into your domain provider and make
sure the domain (plus any relevant subdomains if
applicable) are pointing to the same IP address.
Unless this is a fixed IP address, you also need to
install a DNS updater, so when your ISP changes your
IP address, your domains are automatically redirected.
Check your domain provider – many support DDClient
(https://ddclient.net/protocols.html), either as a
standalone tool or via the Linuxserver Docker instance
(https://docs.linuxserver.io/images/docker-ddclient).
With your domains set up and pointing towards your
home, it’s time to configure your router to redirect all
web requests to the server you’ll install Nginx Proxy
Manager on. Consult your router’s documentation for
full details, but look in the port forwarding section and
direct traffic on both port 80 (http) and 443 (https) to
your server’s private IP address (192.168.x.y). This
reveals another benefit of a proxy – you don’t need to
configure lots of ports in your router; simply funnel
everything through standard web ports to your server,
then let Nginx Proxy Manager distribute them.
Nginx Proxy Manager
It’s time to add Nginx Proxy Manager to your server.
The install box (opposite page) reveals the script you
need to adapt to your own setup, but first you need
to create two folders, inside which you’ll store your
Nginix configuration data and SSL certificates – in the
example script, we’ve set up an nginx parent folder,
inside which are two subfolders: data (for config) and
letsencrypt (for the SSL certificates).
A quick summary of what the script does: it pulls
and installs the latest version of Nginx Proxy Manager,
joins it to the shared network you set up earlier and
redirects three outside ports into Nginx: 80 and 443,
as we’ve already explained, while port 81 is used to
connect to its web-based interface.
If you’ve set things up correctly, the container starts
without a hitch and should be available within seconds.
Browser-based access
Once installed, Nginx Proxy Manager can be accessed
through any device on your network via any web
browser. Simply navigate to http://192.168.x.y:81,
substituting 192.168.x.y with your server’s IP address,
which takes you to a login screen.
Log in using [email protected] as your
username, and changeme as your password. You’ll
then be prompted to change the email address (as well
as provide a name and nickname). Click Save to change
the password – make it a secure password generated
by (and stored in) your password manager, even if you
only intend accessing Nginx Proxy Manager locally.
Once done, you’ll find yourself at the Users screen.
Above this you’ll see there are seven distinct sections
to navigate – start by clicking Dashboard for an
NGINX PROXY MANAGER OVERVIEW
1 3 5
2
4
6
Overview View summary
1 Click on the Dashboard tab to get a 4 Get an overview of each proxy host with
quick overview of how many proxies you this handy and easy-to-read list.
have set up.
User access
Hosts 5 Click Users to give others access – this
2 Nginx Proxy Manager enables you to set can be read-only or administrator, depending
up one of four different types of proxy. on your level of trust.
Audit log Quick actions
3 Click here to get a complete – and 6 Click the vertical ellipsis to make
detailed – list of all the operations and changes to existing proxies, plus disable them
changes you’ve performed. temporarily or delete them.
overview. Here you’ll see Nginx Proxy Manager
supports four types of proxy: Proxy Hosts, Redirection
Hosts, Streams and 404 Hosts.
Your very first proxy
Let’s start with Proxy Hosts. The step-by-step guide
(next page) reveals how to set up a simple proxy host,
which enables you to redirect traffic from a specific
domain, subdomain or dynamic domain to your choice
of IP address and port. When choosing the scheme
(http or https), stick with whatever you use to connect
locally – for example, the self-hosted Bitwarden Docker
instance Vaultwarden only uses http. Don’t worry, this
If you’re unable
doesn’t mean your connection is insecure – that’s to get Access
configured separately. Lists working
You have a choice between hostname and IP the way you
address of the machine you’re redirecting to – if your want them
service is on a machine with a static IP address, use to, consider
that; if it’s on machine with an IP address allocated to it examining
by your router, try the hostname route. If that doesn’t other possible
work, tie that machine down to a static IP address. solutions – for
When bad actors try to attack websites, they often example, your
router’s firewall
use rather basic techniques, such as attempting to
might offer a
inject malicious text into insecure web forms. When way of blocking
you open your servers up to internet access, you put unwanted
them at risk from such attacks, which could have wider traffic from
consequences for your network. known bad
Nginx Proxy Manager offers a Block Common actors or
Exploits switch for all proxy and redirection hosts, restricting
which offers protection against the most common access to IP
forms of attack. These are listed in the block-exploits. addresses from
conf file, which can be found by navigating to https:// a specific part
of the world.
github.com/NginxProxyManager/nginx-proxy-manager

www.techradar.com/pro/linux September 2023 LXF306   57

TUTORIALS Reverse proxy

and then drilling down to docker/rootds/etc/nginx/
conf.d/include. You’ll see it’s a simple script that
Select Users intercepts both SQL and file injections, as well as
on the Nginx common exploits, spam and user agents.
Proxy Manager If you’re using a single domain with subfolders, as
dashboard to outlined in step three of the walkthrough, you can
give others configure all those subfolders in a single proxy host.
access to Nginx. You still need to fill in redirection details for the parent
You can give domain on the Details tab, so consider where you’d like
them view-
people entering that address to be redirected.
only access to
When you come to secure outside web connections
your proxies or
give them full to your server, you need an SSL certificate. While you
administrative can provide this yourself, Nginx Proxy Manager has
access – built-in support for requesting free certificates from
ostensibly LetsEncrypt. Not only does it configure these
for their own automatically, but it also handles the otherwise
services, but arduous chore of remembering to renew the certificate
they also have every three months. Once added, you can view (and
full access manage) your SSL certificates via their own dedicated
to yours, so
section – you get a handy summary of each, including
be warned.
the certificate provider, its expiry date and options to
renew manually now, download the certificate to your
PC, test the server reachability and remove if you have
no further use for it.
Adding user credentials
Opening local services to access from outside your
network comes with obvious risks, only some of
which can be mitigated using the switch to block
common exploits. While some services may have
built-in authentication (for example, Nextcloud or
Jellyfin), others may give anyone with knowledge of
your domain name unfettered access. Nginx Proxy
Manager’s Access Lists offer you two ways to mitigate
this: simple http authorisation, which forces anyone
visiting the site to enter a username and password
before they can proceed, and a combination of
whitelists and blacklists, enabling you to restrict
access to specific clients only.
Here’s a simple example that uses http
authorisation. Select Access Lists in Nginx Proxy
Manager, then Add Access List to get started. Give

SET UP A PROXY HOST

Configure basic settings Set optional switches

1 Click X Proxy Hosts followed by Add Proxy Host. The New
Proxy Host window opens to show four tabs. Start by entering
the domain, subdomain or dynamic domain you’d like to use for
this proxy into the Domain Names field, clicking Add when done.
Next, enter the details (scheme, host and port) of where you’re
redirecting the domain.
2 There are three more switches: Cache Assets can speed
things up if the service is on a different computer from Nginx
Proxy Manager and pulls in lots of static content. Block Common
Exploits is discussed in the main copy – it’s worth switching on
for security reasons. Leave Websockets Support disabled until
you’ve tested the connection; try enabling it if it doesn’t work.

Define custom locations Add SSL certificate

3 If you want to connect to a domain using subfolders (such 4 Switch to the SSL tab to add an SSL certificate for the site.
as https://domain.com/bitwarden), switch to Custom Locations Click None under SSL Certificate and select Request A New SSL
and click Add Location to fill in the details – it’s self-explanatory: Certificate (going forward, you can select previously configured
choose a path name, then select the scheme, hostname/IP certificates from here, too). Provide your email address, agree to
address and forwarding port as in step two. Leave a / after the the terms and – if required – enable the Force SSL switch to only
hostname or IP address (such as 192.168.x.y/) or it won’t work. allow secure (https) connections before clicking Save.

58    LXF306 September 2023 www.linuxformat.com


your list a suitably descriptive name and flick
the Satisfy Any switch to On. Now switch to the
Authorization tab and enter your desired username
and password. You can, if you wish, add multiple
usernames and passwords, in fact, any of which will
allow visitors to access the server.
Click Save, then test your new rule by switching
back to the Proxy Hosts tab. Click the vertical ellipsis
button next to one of your proxy hosts and choose Edit
to make changes. Click under Access List and select
your new rule before clicking Save. Now browse to the
web address associated with this proxy host and you
should see a prompt asking you for a username and
password. Enter the details you created, and you
should gain access to your server.
Keep it local
Our second example prevents anyone from outside
your local network accessing your server. Create a new
rule, but this time leave Satisfy Any switched off. This
time, switch to the Access tab and type the following
into the allow box: 192.168.0.0/24 (substitute
192.168.0 with whatever’s used by your network,
such as 192.168.1).
Click Save, add the rule as before to a proxy host,
then test: try connecting through your local network
using the URL, which should work as normal. Once
confirmed, try connecting from outside your home
network (by using your mobile’s cellular data, say),
where you should find access is now denied.
You can combine both examples in a single rule
(make sure Satisfy Any is enabled), which would mean
anyone on your home network can access the service
without limits, while those connecting remotely would
SET UP STREAMS
If you want to manage non-web traffic,
such as a Syncthing peer-to-peer
connection or a game server, you need
to set up Streams. These funnel TCP
and/or UDP traffic from a specified port
outside your network to a specified
device within your LAN.
First, you need to configure your
router to forward any traffic on those
ports to the server running Nginx Proxy
Manager. Once in place, you need to
shut down and destroy the container:
$ docker stop nginx-proxy-manager
$ docker remove nginx-proxy-manager
Next, edit the Docker script (see first
box) to add the necessary -p lines to
open the required ports – note the
use of /udp and /tcp to denote the You need to configure individual Streams for every single port you want to redirect UDP and TCP traffic on
protocols used. This example opens port
1000 for both UDP and TCP traffic: your terminal window to recreate
-p 1000:1000/udp \ the container with the port(s) now
-p 1000:1000/tcp \ accessible, then navigate to Hosts >
Copy and paste the edited script into Streams. Click Add Stream to set it up
ACCESS US INSIDE YOUR HOME… Subscribe now at http://bit.ly/LinuxFormat
www.techradar.com/pro/linux
Reverse proxy TUTORIALS
be prompted for a username and password before they
could gain access.
Thoroughly test that the services continue to work Visit https://
as you’d expect after setting up your rules – some may nginxproxy
no longer function correctly, as we discovered while manager.
trying to access our Audiobookshelf libraries. The rules com for a
may render access from outside your web browser – comprehensive
introduction
such as through a mobile app – impossible, too.
to Nginx Proxy
Access Lists is a little basic in that it only works with
Manager. You’ll
IP addresses and IP address ranges. There’s a push find setup
among the Nginx Proxy Manager community to include instructions
GeoIP2, a module that can be used to restrict users by as well as a
geographical location, enabling you to – for example – link to the
block access from outside your home country. Another project’s GitHub
workaround – if your router supports it (Synology ones page, where
do) – can be found in the Quick Tip (page 57). you’ll discover
an engaged
Beyond proxy hosts community
and a project
Proxy hosts are specifically designed for web (http/
frequently
https) traffic that needs directing to a specific device updated with
and port. A broader option for non-web traffic can be new features.
found using Streams (outlined in the box below).
Nginx Proxy Manager supports two further types of
host. Redirection Hosts enable you to redirect traffic
from one domain to another (the domain redirected
must be configured to point to your home network),
while 404 Hosts allow you to redirect domains pointing
at your home network to a customised error page.
This error page is defined under Settings > Default
Site – by default, you redirect users to a simple (and
irrelevant) congratulations page that’s a reminder to
set up the host for access, but you can replace it with
a generic 404 error page, redirect to another site or
insert your own message using custom HTML code.
in a similar way to a proxy host, except
this time all you need to do is supply the
incoming port, forward host and port,
plus which protocols to use. Click Save.
September 2023 LXF306   59