So, I have some idea on what a reverse proxy does and will be using nginx (with the neat proxy manager UI) for my setup.
However, I’m not completely clear what exactly I want it to do and how I cn use it to run different services on one machine. I’m especially unclear on the ports configuration … tutorials will say things like “change the listening port to xxx for that service and to port yyy for the other service”
How does this work, which ports can I use and how do I need to configure the respective services?
EDIT: thanks everybody, your replies did help me a lot! I have my basic setup now up and running using portainer + nginx + fail2ban.
A reverse proxy is a service that takes incoming traffic on an IP address and port. It reads the URL the connection came into and passes it to the service it is configured for.
Example: A server runs Plex. There is a DNS entry plex.myhome.nework that points to the IP of that server. Nginx listens on port 80 and 443. If a client connects to port 80 using plex.myhome.network nginx will pass it to Plex. If it comes in on 443 nginx will still pass it to Plex but it will also provide the configured SSL cert to the client connecting to Plex.
If the server is also running jellyfin and DNS is setup for jellyfin.myhome.network with the same IP. The user connects to jellyfin.myhome.network on port 80 Nginx instead passes it to jellyfin.
So from our example you can see that we have both jellyfin and Plex using the same IP address and port 80.
deleted
@remindme@mstdn.social 1 day
One big thing they’re used for is sort of multiplexing port 80/443. You have one daemon listening on them, and you can have multiple domains pointing at the same IP. The reverse proxy will figure out which backend service to forward requests too.
Proxies like Caddy and I think Traefik also automatically manage SSL certificates. In many cases you could have your application server handle SSL, but usually it’s a good idea to have dedicated software for this.
Could you have a look at my answer to the poster above - would multiplexing mean, that I configure my internal IP 0.0.0.0:XXXA for one service and 0.0.0.0:XXXB for another?
Yeah that’s exactly right! You have the proxy listen on 80/443 and use the subdomains to proxy to the respective other services that you have listen to other ports. Make sure those other ports are not open to the outside, though, as that would allow someone to bypass the proxy. In you example, you would change away from 0.0.0.0 to 127.0.0.1, which means the port is only open to the loop back interface, not the other ones. This happens accidentally especially when using docker for the app service. Also you should probably run some firewall to block all ports that you don’t wish to expose.
I’d really suggest you take a look at Caddy for the reverse proxy. It completely handles SSL certificate creation and renewal so you don’t have to do anything.
thank you, that clears things up a bit. Now it’s to play around with it, until I get it up and running :)
You can already do that without a reverse proxy.
A reverse proxy allows you to have multiple services running on 0.0.0.0:XXXA
For example you might have two websites at a server on 192.168.0.123
Your server will be setup to show those websites at two different ports, say “192.168.0.123:123” and “192.168.0.123:321” - with foo.com on 123 and example.net at 321
Your reverse proxy will listen to requests on port 80 (where websites are usually served) and look at each request. If it’s a request for the website at foo.com, it’ll send it to port 123. If it’s a request for example.net it will send it to port 321
But the client who is requesting the sites will only see port 80, at the same IP address for both sites.
So a reverse proxy is sort of like a phonebook or directory, it routes outside requests to the appropriate place. So imagine your reverse proxy is a receptionist, someone comes in and says “hey I am looking for plex.mydomain.com” the receptionist would then use the phonebook and say “ok if you are looking for plex.mydomain.com, go to building 192.168.1.10 (the ip), room 9000 (the port)”
Since you are asking about dockerized services, the networking for those can be done in several different ways, but the one thing that really matters is that each service needs to have a unique combination of ip and port, because only 1 service can live at each address. With docker, you could set up multiple services that use the host server’s ip, in which case each container will need to be on different ports, or you could have it so each container has its own ip, in which case the port can be anything.
This makes it clearer to my, would you mind helping me to understand all steps for my usecase. I want to run a lemmy instance and a mastodon instance on the same VPS, using the same domain but different subdomains - lmy.my-domain.tld and mstdn.my-domain.tld. I have my VPS IP address and setup the 2 subdomains with my domain provider (both subdomains are resolving the same IP).
I also did setup nginx on my server and can install SSL certificates for both of these domains. I’m now at the step where lmy.my-domain.tld should by directed to the lemmy service and mstdn.my-domain.tld to the mastodon service. As I understand it, both services listen to the ports 80 (http) and 443 (https). Do I now setup a room/building for Lemmy / Mastodon respectively where I tell nginx that lmy.my-domain.tld is at 0.0.0.0:3001 and mstdn.my-domain.tld is at 0.0.0.0:3002 for example. And in the config files for each of these installs I’d specify “0.0.0.0:300x” respectivly? (also have to make sure, that these docker installs don’t mess with my nginx config by themselves, right?)
It sounds like what you need to do at this point is find what IP address your lemmy instance and mastodon instance containers are using on your VPS. you can do “docker inspect containername” and look for the IP address in there. it might be something like 172.16.0.1 for lemmy and 172.17.0.1 for mastodon. then you want to set up your reverse proxy to point lmy.my-domain.tld to 172.16.0.1:80 (or whatever port you set lemmy to use) and then mstdn.my-domain.tld to point to 172.17.0.1:80 (again, port might be different, i dont know what the default port is)
-IF- both of the containers are using the same IP, then you will need to make sure that they are using different ports. if they are on the same ip and same port, whichever container loads 2nd will fail to properly load, because when a port is taken on an IP address, it is reserved and nothing else can try to listen on that port.
