this post was submitted on 26 Jul 2024
162 points (94.0% liked)


I see so many posts and people who run NGINX as their reverse proxy. Why though? There's HAProxy and Apache, with Caddy being a simpler option.

If you're starting from scratch, why did you pick/are you picking NGINX over the others?

(page 2) 50 comments
[–] Shimitar@feddit.it 3 points 4 months ago

Nginx "just works(tm)", has never gotten in the way, it's been rock solid and has not changed significantly over the years.

Why would I need something else?

There's a lot of good resources for Nginx, it's fast (faster than Caddy), and has a ton of features, so you can use it for pretty much anything HAProxy, Apache, or Caddy can do, and not sacrifice much in performance.

That said, I mostly use HAProxy and Caddy. Here's my basic setup:

  1. HAProxy at the edge VPS - routes requests to machines based on SNI
  2. WireGuard VPN - connects my internal devices to my VPS
  3. Caddy in Docker - runs on internal network on my NAS/homelab - manages LetsEncrypt renewals and reverse proxies to internal Docker network
  4. Nginx in Docker - FE for NextCloud; this simplifies things so all my TLS is handled in one place, and Caddy doesn't need to touch files

I use a local DNS server on my router so my domains can route directly to Caddy instead of going over the internet when on my network, otherwise I may just have HAProxy handle LetsEncrypt certificates.

From what I can tell, Nginx is a little more efficient than Caddy, but Caddy is plenty fast for my needs. I'm considering switching from NextCloud to the new ownCloud Infinite Scale, and if I do, I'd ditch nginx completely.

[–] Decronym@lemmy.decronym.xyz 3 points 4 months ago* (last edited 4 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| CA | (SSL) Certificate Authority |
| DNS | Domain Name Service/System |
| HTTP | Hypertext Transfer Protocol, the Web |
| HTTPS | HTTP over SSL |
| IP | Internet Protocol |
| NAS | Network-Attached Storage |
| NAT | Network Address Translation |
| SSL | Secure Sockets Layer, for transparent encryption |
| TCP | Transmission Control Protocol, most often over IP |
| TLS | Transport Layer Security, supersedes SSL |
| UDP | User Datagram Protocol, for real-time communications |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
| nginx | Popular HTTP server |

[Thread #888 for this sub, first seen 26th Jul 2024, 04:25] [FAQ] [Full list] [Contact] [Source code]

[–] aurelian@lemmy.ml 3 points 4 months ago (1 children)

What about envoy proxy?

Nothing else on the market has as low latency implications to workloads that I am aware of.

[–] Findmysec@infosec.pub 2 points 4 months ago

I have heard a lot about Envoy proxy from Istio but never looked into it for baremetal usage. I'll keep an eye out, thanks

[–] fmstrat@lemmy.nowsci.com 2 points 4 months ago

Because modsec.

[–] bmarinov@lemmy.world 2 points 4 months ago* (last edited 4 months ago) (1 children)

I use Traefik because it solved a problem with the static configuration approach which Nginx had / still has.

In a scenario with multiple services behind Nginx, taking one down or replacing an instance is a massive headache. I tried to script around it, but basically the Nginx container would choke on the fact that a service does not [yet / anymore] exist, and together with the docker networking stack it turned out to be an insurmountable problem.

Traefik otoh discovers services based on (in my case) labels on the docker containers running locally. And then updates the configuration on the fly.

Basically the static approach to configuration resulted in a massive headache when I needed to enable zero downtime deployments and updates behind Nginx. And Traefik handled it perfectly without dropping a single request.

Nowadays I manage my dynamic configuration with ansible and update the values for the file-based configuration provider with a playbook. I don't need a UI to manage my inventory, I use ansible for that. Traefik handles the rest perfectly.

[–] loudwhisper@infosec.pub 1 points 4 months ago

Completely agree, which is why I do the same.

Additional bonus: proxies that interact with the docker API directly (I think also caddy can do it) save you from exposing the services on any port at all (only in the docker network). So it's way less likely to expose a port with a service by mistake and no need for arbitrary and unique localhost ports.
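An added example, not part of the thread or of any project mentioned in it: a check for the mistake described in the comment above, where a service that should only be reachable through the proxy also publishes a host port. It reads data shaped like `docker inspect` output; the sample containers, the `PROXY_NAMES` allow-list and the reliance on the `traefik.enable=true` label to mark proxied services are assumptions made for the illustration.

```python
# Constructed sample, trimmed to the `docker inspect` fields the check reads.
SAMPLE_INSPECT = [
    {"Name": "/nextcloud", "Config": {"Labels": {"traefik.enable": "true"}},
     "HostConfig": {"PortBindings": {}}},
    {"Name": "/wiki", "Config": {"Labels": {"traefik.enable": "true"}},
     "HostConfig": {"PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}}},
    {"Name": "/metrics", "Config": {"Labels": {}},
     "HostConfig": {"PortBindings": {"9100/tcp": [{"HostIp": "127.0.0.1", "HostPort": "9100"}]}}},
    {"Name": "/traefik", "Config": {"Labels": {}},
     "HostConfig": {"PortBindings": {"443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"}]}}},
]

LOOPBACK = {"127.0.0.1", "::1"}
PROXY_NAMES = {"traefik"}  # assumption: the only container allowed to publish ports


def published_ports(container):
    """Yield (host_ip, host_port, container_port) for every host binding."""
    bindings = container.get("HostConfig", {}).get("PortBindings") or {}
    for container_port, hosts in bindings.items():
        for h in hosts or []:
            # By default Docker binds an empty HostIp on all interfaces.
            yield (h.get("HostIp") or "0.0.0.0", h.get("HostPort", ""), container_port)


def audit(containers):
    """Return sorted findings for non-proxy containers that publish host ports."""
    findings = []
    for c in containers:
        name = c.get("Name", "").lstrip("/")
        if name in PROXY_NAMES:
            continue
        labels = c.get("Config", {}).get("Labels") or {}
        proxied = labels.get("traefik.enable") == "true"
        for ip, port, cport in published_ports(c):
            if ip in LOOPBACK:
                severity = "info"      # reachable from the host itself only
            elif proxied:
                severity = "high"      # proxied service also reachable around the proxy
            else:
                severity = "medium"    # published on a routable interface, no proxy in front
            findings.append((severity, name, f"{ip}:{port}->{cport}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT):
        print(*finding)
```

On a real host the input would come from `docker inspect $(docker ps -q)` parsed as JSON instead of the embedded sample.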

[–] brygphilomena@lemmy.world 2 points 4 months ago

I learned nginx when I was hosting websites. I had it set up and running when it was time to add reverse proxies into my setup. It didn't take much more from the virtual hosts I was already using.

Now, I don't host many individual sites anymore and haproxy has a plugin on my firewall for the handful of services I run now.

[–] gravitywell@sh.itjust.works 2 points 4 months ago

Nginx was the easiest to set up for me at the time and I've no reason to fix what isn't broken.

As a security professional, what finally got me to move from Apache to NGINX was OpenResty.

I sometimes still put Apache behind it, depending on my goals.

[–] d00phy@lemmy.world 1 points 4 months ago

I use nginx & docker-proxy. Because the model I copied used that setup. Having messed with it a bit, I’m understanding it more and more. Before that, the last time I messed with a web server (Apache), nginx wasn’t around. Lately, I’ve seen a similar docker setup to mine that doesn’t use docker-proxy. If I find time, I’ll probably play with that some on my dev rig.

[–] levitte@mastodon.nu 1 points 4 months ago (1 children)

@Findmysec
Contrary to most, I never made the Apache-to-nginx switch. I actually don't find nginx that much easier to configure, so the effort of rewriting all my templates was too high.

Caddy is a different story. I can replace swathes of configuration lines with just two? And get letsencrypt automatically without having to give it a single thought? Gimme!

[–] Findmysec@infosec.pub 1 points 4 months ago

Indeed, I don't find NGINX that easy to configure either

[–] s38b35M5@lemmy.world 1 points 4 months ago

I'm reminded of this blog/article on Ars about ripping out OLS and reverting to NGINX. There's some good info there, and also links to other of his posts on the subject and references. Good read.

[–] nickwitha_k@lemmy.sdf.org 1 points 4 months ago

The only reason that I tend to use it is because of the included webserver. It's not bad but the paywalling of functionality needed for it to be a proper LB left a bad taste in my mouth. That and HAProxy blows it out of the water in all tests that I've done over the years where availability is at all a concern. HAProxy also is much more useful when routing TCP.

[–] vzq@lemmy.blahaj.zone 1 points 4 months ago

Often I already have nginx running for serving some static content anyway.

Otherwise, I’m traefik all the way.
