There have been a few Reddit, Lemmy and Youtube posts over the past week or so about Nginx Proxy Manager and their shortfalls, mostly towards CVEs and other security issues.

The problem is that unlike Traefik, NGINX Proxy Manager is actually easy to use. And before you recommend Caddy, that also has no GUI.

What do you use, if you have stuff exposed to the outside?

  • Zeku@feddit.de
    1 year ago

    Traefik. Once you set it up (which granted can take a few hours if you’re new) it’s as easy as adding 4 lines of code to your compose file to add a new service. I started with NPM but I don’t regret switching to Traefik at all.

    I heard caddy is cool, too.

    • dustojnikhummer@lemmy.worldOP
      1 year ago

      With some help from this thread I think I got Traefik working! And from now on I can just add another dynamic.toml/yml file with a new service. Thanks!

  • 7egend@lemmy.ml
    1 year ago

    I previously used NPM, it was easy to use and simple, but more robust stuff had to be done in the config area. I ended up having to edit configs more often than not in the end, so I switched to Traefik so now I just drop some extra blocks of text directly in my compose files and it just handles it.

    • dustojnikhummer@lemmy.worldOP
      1 year ago

      I guess once I get Traefik to work it might just click (and I can move my configs into the future). I just wish Traefik had at least a config generator UI similar to NPM. I just want "this IP on this port with this certificate = https://url.tld", if you get what I mean.

  • thews@lemmy.oldtr.uk
    1 year ago

    If you are going to programmatically manage the reverse proxy, traefik is much better than NPM.

    You can make NPM’s manager only accessible internally or from a certain IP to reduce your attack surface. I use both.

    • dustojnikhummer@lemmy.worldOP
      1 year ago

      Obviously I’m not going to expose the NPM control panel to the outside, I’m not insane. Tbf I really only expose Jellyfin because other family members use it, otherwise I would be VPNing in all the way.

  • Qazwsxedcrfv000@lemmy.unknownsys.com
    1 year ago

    Okay I use plain Nginx at home and at work mostly. Caddy (or its underlying Go runtime) had some performance regressions with HTTP/2 back then. Not sure if it has been fixed or not. Traefik is more container (Docker/Kubernetes) affinitive imo, though I know it can be configured to function just like Nginx and Caddy.

    P.S. I stopped for a second thinking what NPM you are referring to… (Isn’t that Node Package Manager lol)

  • terribleplan@lemmy.nrd.li
    1 year ago

    Traefik. It has a GUI that I can use to see things, and (depending on your setup) you define the routes and stuff as part of your container definitions, minimal extra work required, makes setup and teardown a breeze. It is also nice that you can use it in all sorts of places, I have used it as Kubernetes ingress and as the thing that routed traffic to a Nomad cluster.

    I went from Apache to Nginx (manually configured, including ACME) to Traefik over the course of the past ~10 years. I tried Caddy when I was making the switch to Traefik and found it very annoying to use, too much magic in the wrong places. I have never actually used NPM, as it doesn’t seem useful for what I want…

    Anyway, with traefik you can write your services in docker compose like this, and traefik will just pick them up and do the right thing:

    version: "3"
    services:
      foo-example-com:
        image: nginx:1.24-alpine
        volumes: ['./html:/usr/share/nginx/html:ro']
        labels:
          'traefik.http.routers.foo-example-com.rule': Host(`foo.example.com`)
        restart: unless-stopped
        networks:
          - traefik
    networks:
      traefik:
        name: traefik-expose-network
        external: true
    

    It will just work most of the time, though sometimes you’ll have to specify 'traefik.http.services.foo-example-com.loadbalancer.server.port': whatever or other labels according to the traefik docs if you want specific behaviors or middleware or whatever.

    And your deployment of traefik would look something like this:

    version: '3'
    services:
      traefik:
        image: traefik:v2
        command: >-
          --accesslog=true
          --api=true
          --api.dashboard=true
          --api.debug=true
          --certificatesresolvers.le.acme.dnschallenge.provider=provider
          --certificatesresolvers.le.acme.storage=acme.json
          [ ... other ACME stuff ... ]
          --entrypoints.http.address=:80
          --entrypoints.http.http.redirections.entrypoint.to=https
          --entrypoints.http.http.redirections.entrypoint.scheme=https
          --entrypoints.https.address=:443
          --entrypoints.https.http.tls.certresolver=le
          --entrypoints.https.http.tls.domains[0].main=example.com
          --entrypoints.https.http.tls.domains[0].sans=*.example.com
          --entrypoints.https.http.tls=true
          --global.checknewversion=false
          --global.sendanonymoususage=false
          --hub=false
          --log.level=DEBUG
          --pilot.dashboard=false
          --providers.docker=true
        environment:
          [ ... stuff for your ACME provider ... ]
        ports:
          # this assumes you just want to do simple port forwarding or something
          - 80:80
          - 443:443
          # - 8080:8080 uncomment if you want to hit port 8080 of this machine for the traefik gui
        working_dir: /data
        volumes:
          - ./persist:/data
          - /var/run/docker.sock:/var/run/docker.sock
        networks:
          - traefik
        restart: unless-stopped
    networks:
      traefik:
        name: traefik-expose-network
        external: true
    

    Note that you’d have to create the traefik-expose-network manually for this to work, as that is how traefik will talk to your different services. You can get even fancier and set it up to expose your sites by default and auto-detect what to call them based on container name and stuff, but that is beyond the scope of a comment like this.

    Technically my setup is a little more complex to allow for services on many different machines (so I don’t use the built-in docker provider), and to route everything from the internet using frp using proxy protocol so I don’t expose my home IP… I think this illustrates the point well regardless.
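    Added example (not from the original post or the Traefik project): the same Traefik deployment as above, but instead of publishing the dashboard on port 8080 as the commented-out line suggests, it routes the dashboard through Traefik's own https entrypoint and restricts it to internal source ranges, which is the approach thews describes for keeping the manager UI off the open internet. The hostname traefik.example.com and the two subnets are assumed placeholders; the command, volumes and network definitions are unchanged from the deployment above and elided here.

```yaml
# Added example: hardening the Traefik v2 dashboard from the deployment above.
# Hostname and source ranges are placeholders; substitute your own.
version: '3'
services:
  traefik:
    image: traefik:v2
    # command:, working_dir:, volumes: exactly as in the deployment above
    # (--api=true and --api.dashboard=true are what make api@internal exist).
    ports:
      - 80:80
      - 443:443
      # Weak option (left commented out on purpose): publishing the API port
      # binds the dashboard, plus the --api.debug endpoints, on every host
      # interface with no authentication and no TLS.
      # - 8080:8080
    labels:
      # Hardened option: a router on the traefik container itself, served on
      # the https entrypoint so it gets the ACME certificate like any service.
      'traefik.http.routers.dashboard.rule': Host(`traefik.example.com`)
      'traefik.http.routers.dashboard.entrypoints': https
      # api@internal is Traefik's built-in dashboard/API service.
      'traefik.http.routers.dashboard.service': api@internal
      'traefik.http.routers.dashboard.middlewares': dashboard-lan
      # Traefik v2 names this middleware ipWhiteList (ipAllowList in v3).
      # Requests from outside these ranges get a 403 before reaching the API.
      # Placeholder ranges: a LAN subnet and a VPN subnet.
      'traefik.http.middlewares.dashboard-lan.ipwhitelist.sourcerange': 192.168.1.0/24,10.8.0.0/24
      # If traffic arrives through another proxy (e.g. frp with proxy protocol),
      # the client IP Traefik sees is that proxy unless the entrypoint is
      # configured to trust its forwarded headers; check what IP the access
      # log shows before relying on the allow-list.
    networks:
      - traefik
    restart: unless-stopped
networks:
  traefik:
    name: traefik-expose-network
    external: true
```

    A basicAuth middleware can be chained in the same `middlewares` label for a second factor beyond source IP; the Traefik access log (already enabled with --accesslog=true above) will show 403s for blocked attempts, which is a cheap way to confirm the restriction works.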

  • chiisana@lemmy.chiisana.net
    1 year ago

    Traefik just needs container labels. Most of the time it’s only 4 labels for the container you want to expose. Copy to a self hosted wiki and you’re good to go.