Chapter 13: Using a Reverse Proxy
A reverse proxy is an extremely versatile tool for someone self-hosting. With a reverse proxy, you'll get these benefits:
- Port obfuscation. Each of our web services runs on its own port, and normally each of those ports would have to be opened in the firewall (and forwarded from the router) to be reachable. With a reverse proxy, only ports 80 and 443 need to be opened. Requests for another service, like Vaultwarden, are routed through the reverse proxy, so nobody outside the network needs to know which port the service listens on, and a port scan of your public address shows only 80 and 443. This only holds if the backends cannot be reached directly: a Docker container published with -p 8080:8080 listens on every interface by default, so bind it to loopback (-p 127.0.0.1:8080:8080) or keep the port closed in the firewall, otherwise the "hidden" port is still there for anyone on the network to find.
- Subdomain routing: With a single registered domain (MyAwesomePi.com in this guide, not a top-level domain) and a single public IP address, we can manage all of our web services easily. The reverse proxy is configured with whichever subdomains we are using and routes the traffic accordingly. With this approach, we can have warden.MyAwesomePi.com for our password manager and media.MyAwesomePi.com for our media server.
- TLS (SSL) certificate management: All of the major reverse proxies can request certificates from a public certificate authority such as Let's Encrypt. Unlike the self-signed certificate you may have used for the local-only Vaultwarden setup, these certificates are trusted by your browser without any warning.
- Authentication redirection: If desired, you can put a web service behind an authentication service like Authelia. The reverse proxy is where you configure the forward-authentication check that redirects unauthenticated visitors to the login portal.
Three reverse proxies in particular are popular with self-hosting Pi enthusiasts: Nginx Proxy Manager (NPM), Traefik, and Caddy.
NPM (not to be confused with npm, the Node Package Manager) is as close to a default as you can get. On a Raspberry Pi it is typically run as a Docker container. Its admin web UI listens on port 81 by default and lets you add sites and request certificates with a few clicks. It also breaks all the time. As of the writing of this guide, the latest Docker image is a buggy mess that frequently locks you out. As easy as it is to use, I don't recommend it. It not only adds another web service and Docker container for us to worry about (one that holds the keys to every other service), but there's a good chance it'll stop working at some point while you're trying to conduct maintenance.
Traefik fills a similar role to NPM. Most users consider it more complex to manage: it ships a web dashboard for inspecting routes, but the configuration itself is done through Docker labels or configuration files rather than through the GUI. Although not considered as buggy as NPM, we're going to forgo this option for the same reason.
Caddy is the third open source option. Unlike the others, Caddy has no graphical interface at all, so it is very much on theme for our setup. Although the command line may make it seem more difficult, it's in some ways the easiest of the three to use. Configuration is done in a text file named Caddyfile (no file extension) where the reverse proxy settings are defined. As a low-overhead, easy-to-use option, it's what we will go with.
Step 1: Install and Configure Caddy
- Installation is done with a normal apt install command.
sudo apt install caddy
- The package also installs Caddy as a systemd service, which reads /etc/caddy/Caddyfile when it starts. For editing, you can make a new directory to contain your Caddyfile, or just write it in your home directory. Make sure you capitalize the C in Caddyfile.
nano Caddyfile
- Copy and paste the below into the new file. Replace <url> with your Vaultwarden domain. If you access it at warden.MyAwesomePi.com, put that instead of <url>. If you used a port other than 8080, replace that as well.
# Vaultwarden
<url> {
reverse_proxy localhost:8080
}
- Make sure you are in the same directory as your Caddyfile and reload Caddy to have the configuration take effect. The reload command hands the Caddyfile to the already-running Caddy service over its admin API on localhost:2019, so it needs no sudo (which also means any local process on the Pi can reconfigure Caddy; keep that in mind before giving other users shell access).
caddy reload
- If you get a formatting error, let Caddy rewrite the file in its canonical layout and then reload it.
caddy fmt --overwrite Caddyfile
caddy reload
- A configuration pushed with caddy reload from your home directory lives only in memory: after a reboot the service starts again from /etc/caddy/Caddyfile. Once the configuration works, copy your Caddyfile to /etc/caddy/Caddyfile (it needs sudo) and apply it with sudo systemctl reload caddy, so the file on disk and the running configuration stay in sync.
That's it. Your Pi is now a reverse proxy server. Caddy will automatically request a TLS certificate from Let's Encrypt and proxy requests to the appropriate port. For that to succeed, the subdomain's DNS record must point at your public IP address and ports 80 and 443 must be forwarded from your router to the Pi, since Let's Encrypt proves domain ownership by connecting to one of those ports. Any additional services can be easily added to the Caddyfile. If you added a Nextcloud instance and a website using a www subdomain, your Caddyfile might look like the below:
# Vaultwarden
warden.myawesomepi.com {
reverse_proxy localhost:8080
}
# Nextcloud
cloud.myawesomepi.com {
reverse_proxy localhost:8070
}
# Nodejs Website
www.myawesomepi.com {
reverse_proxy localhost:3000
}
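The port-obfuscation benefit above depends on every reverse_proxy upstream being reachable only from the Pi itself. The following script is an added example, not part of the guide: it pulls the upstream ports out of a Caddyfile written in the guide's form (reverse_proxy localhost:PORT, one per line) and compares them against the listener table printed by `ss -Hltn`, reporting any backend that is bound to something other than 127.0.0.1 or [::1]. The Caddyfile and `ss` output at the bottom are constructed sample data that mirror the example above; the docker-proxy process names and PIDs in it are assumed.

```shell
#!/bin/sh
# Added example (not from the guide): confirm that the ports Caddy proxies to are
# reachable only through Caddy, i.e. bound to a loopback address. A Docker service
# published with "-p 8080:8080" listens on 0.0.0.0 and [::], so the port scanner the
# guide worries about would still find it; "-p 127.0.0.1:8080:8080" fixes that.

# Print each reverse_proxy upstream port found in the Caddyfile text on stdin.
# Assumes the guide's one-upstream-per-line form: reverse_proxy localhost:8080
caddy_upstream_ports() {
    awk '$1 == "reverse_proxy" { n = split($2, a, ":"); print a[n] }' | sort -un
}

# Print "PORT ADDRESS" for every listening socket on port $1 whose local address
# is not loopback. Input on stdin is the body of `ss -Hltn`, where column 4 is
# Local Address:Port (e.g. 0.0.0.0:8080, [::]:8080, 127.0.0.1:8070, *:443).
non_loopback_listeners() {
    awk -v p="$1" '
        {
            i = match($4, /:[0-9]+$/)
            host = substr($4, 1, i - 1)
            port = substr($4, i + 1)
        }
        port == p && host != "127.0.0.1" && host != "[::1]" { print port " " host }'
}

# exposed_backends CADDYFILE_TEXT SS_OUTPUT_TEXT
# Prints one "PORT ADDRESS" line per upstream that is listening on a non-loopback
# address; prints nothing when every upstream is loopback-only.
exposed_backends() {
    printf '%s\n' "$1" | caddy_upstream_ports | while read -r port; do
        printf '%s\n' "$2" | non_loopback_listeners "$port"
    done
}

# Live check on the Pi, once the Caddyfile is in place (uncomment to run):
#   exposed_backends "$(cat /etc/caddy/Caddyfile)" "$(ss -Hltn)"

# Constructed sample data: the guide's Caddyfile and a listener table where
# Vaultwarden (8080) was published on all interfaces and Nextcloud (8070) on loopback.
SAMPLE_CADDYFILE='# Vaultwarden
warden.myawesomepi.com {
    reverse_proxy localhost:8080
}
# Nextcloud
cloud.myawesomepi.com {
    reverse_proxy localhost:8070
}'

SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("docker-proxy",pid=812,fd=4))
LISTEN 0 4096 [::]:8080 [::]:* users:(("docker-proxy",pid=818,fd=4))
LISTEN 0 4096 127.0.0.1:8070 0.0.0.0:* users:(("docker-proxy",pid=901,fd=4))
LISTEN 0 4096 *:443 *:* users:(("caddy",pid=1200,fd=9))'

# With the sample data this reports 8080 on 0.0.0.0 and [::]; 8070 is fine.
exposed_backends "$SAMPLE_CADDYFILE" "$SAMPLE_SS"
```

Run it after every change to the Caddyfile or to a container's port mapping; an empty result means the only way in from outside is through Caddy on 80 and 443, which is what the rest of this chapter assumes.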