Exploring the Benefits of Reverse Proxies in Self-Hosting with Caddy and Hetzner
Dozy Donut Digest Edition 4
TABLE OF CONTENTS
1 Why Do You Need a Reverse Proxy?
2 Example: Nginx Reverse Proxy Setup with Docker Compose
3 Example: Nginx Configuration
4 Combining Multiple Servers
5 How Caddy Can Be Used with Hetzner for Security in Self-Hosting
6 Example: Caddy Configuration
Self-hosting offers numerous advantages, from cost savings to greater control over your data. However, it also brings challenges, particularly around security and resource management. Using a reverse proxy like Caddy in conjunction with Hetzner can help address these issues effectively. In this post, we’ll explore why you need a reverse proxy, how to combine multiple servers, and how Caddy enhances security in self-hosting environments.
Why Do You Need a Reverse Proxy?
A reverse proxy is a server that sits between client devices and your backend services, handling incoming requests and directing them to the appropriate service. Here's why a reverse proxy is essential for a Docker Compose project involving PocketBase and Coolify on Hetzner.
Routing and Load Balancing | A reverse proxy can route incoming requests to the appropriate service (PocketBase or Coolify) based on the request's URL or other criteria. This allows multiple services to run on the same server without conflict.
SSL/TLS Termination | A reverse proxy like Nginx or Traefik can handle SSL/TLS termination, meaning it manages the HTTPS connections and lets your backend services speak plain HTTP on the internal network. This simplifies the setup and keeps certificate handling in one place.
Port Management | Hetzner servers typically have a limited number of public IP addresses. A reverse proxy lets several services share one public address and the standard ports 80 and 443, routing by URL path or hostname while each backend keeps its own internal port, which is crucial for managing resources efficiently.
Security | A reverse proxy can add an additional layer of security by hiding the internal network structure and filtering out malicious traffic before it reaches the backend services.
Performance | It can cache responses from the backend services, reducing the load and improving response times for frequently requested resources.
Example Setup with Docker Compose
Here's a basic example of how you might configure a reverse proxy (Nginx) for PocketBase and Coolify in a docker-compose.yml file:
version: '3'
services:
  nginx:
    image: nginx:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # The example nginx.conf below holds only server blocks, so mount it
      # into conf.d, which the image's main nginx.conf includes inside http {}.
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
      - ./certs:/etc/nginx/certs
    depends_on:
      - pocketbase
      - coolify
  pocketbase:
    image: pocketbase/pocketbase:latest
    # expose (rather than ports) keeps the backend reachable only from the
    # compose network, so every request has to pass through the proxy.
    expose:
      - "8090"
    volumes:
      - ./pb_data:/pb_data
  coolify:
    image: coollabsio/coolify:latest
    expose:
      - "3000"
    environment:
      # Placeholder credentials; supply real ones from a .env file or secret.
      - DATABASE_URL=postgres://user:password@db:5432/coolify
    depends_on:
      - db
  db:
    image: postgres:13
    environment:
      POSTGRES_DB: coolify
      POSTGRES_USER: user
      POSTGRES_PASSWORD: password
    volumes:
      - db_data:/var/lib/postgresql/data
volumes:
  db_data:
  pb_data:
Example Nginx Configuration (nginx.conf)
# Mount this file into the nginx container as /etc/nginx/conf.d/default.conf:
# it contains only server blocks, and the stock image's nginx.conf includes
# conf.d/*.conf inside its http {} block.
server {
    listen 80;
    server_name yourdomain.com;

    # Plain-HTTP entry point. Once certificates are in place, most deployments
    # replace these locations with a redirect to https://$host$request_uri.
    location /pocketbase/ {
        # The trailing slash on proxy_pass strips the /pocketbase/ prefix
        # before the request reaches the backend.
        proxy_pass http://pocketbase:8090/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the address nginx saw to any X-Forwarded-For the client sent.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /coolify/ {
        proxy_pass http://coolify:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name yourdomain.com;
    # Certificate and key from the ./certs volume mounted in docker-compose.yml.
    ssl_certificate /etc/nginx/certs/yourdomain.com.crt;
    ssl_certificate_key /etc/nginx/certs/yourdomain.com.key;

    location /pocketbase/ {
        proxy_pass http://pocketbase:8090/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the backend the client used HTTPS even though this hop is HTTP.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /coolify/ {
        proxy_pass http://coolify:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
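The proxy_set_header lines above hand the backend the client address in X-Forwarded-For, and $proxy_add_x_forwarded_for appends nginx's own view of the peer to whatever the client already sent (Caddy's reverse_proxy sets the same header by default). The following Python is an added example, not code from the original post, of how a backend should read that header: trust it only when the request arrived from the proxy, and take the rightmost address that is not a proxy. The proxy network range is an assumed value.

```python
import ipaddress

# Assumption: the proxy is the only peer on the backend's Docker network,
# here 172.18.0.0/16 (a constructed value; use your compose network's range).
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]


def _trusted(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False


def client_ip(peer_addr, xff_header):
    """Return the address a backend should log or rate-limit on.

    $proxy_add_x_forwarded_for appends the address nginx saw to whatever
    X-Forwarded-For the client already sent, so the header arrives as
    "<anything the client chose>, <real client>". Walk it from the right,
    skipping trusted proxies, and stop at the first untrusted hop; never
    trust the header at all when the request did not come via the proxy."""
    if not _trusted(peer_addr):
        return peer_addr                      # direct hit on the backend
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        if hop and not _trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer_addr              # malformed header: fall back to the peer
    return peer_addr                          # only proxies in the chain


# Constructed requests as (peer seen by the backend, X-Forwarded-For header).
SAMPLES = [
    ("172.18.0.5", "203.0.113.9"),              # normal request through the proxy
    ("172.18.0.5", "10.0.0.1, 203.0.113.9"),    # client tried to spoof 10.0.0.1
    ("172.18.0.5", "172.18.0.9, 203.0.113.9"),  # spoofed a proxy-range address
    ("198.51.100.7", "203.0.113.9"),            # reached the backend directly
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:14} xff={xff!r:32} -> client={client_ip(peer, xff)}")
```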
Combining Multiple Servers
When managing multiple services, combining them under a single reverse proxy setup can streamline operations and improve efficiency. Here's how you can achieve this:
Unified Access Point | By using a reverse proxy, you can present a unified access point for all your services. This means clients can access different services using the same domain, with the reverse proxy handling the routing based on the URL paths.
Simplified SSL Management | Managing SSL certificates for multiple services can be cumbersome. A reverse proxy allows you to centralize SSL management, simplifying the process and ensuring all traffic between clients and the proxy is encrypted.
Load Distribution | If one of your services experiences high traffic, a reverse proxy can help distribute the load more evenly across multiple instances of that service, improving performance and reliability.
How Caddy Can Be Used with Hetzner for Security in Self-Hosting
Caddy is a powerful reverse proxy server that simplifies the process of managing SSL certificates and securing your self-hosted applications. When combined with Hetzner's robust hosting solutions, Caddy can significantly enhance your security setup.
Benefits of Using Caddy
Automatic HTTPS | Caddy automatically manages SSL certificates for your domains, obtaining and renewing them via Let's Encrypt. This ensures your services are always secure without manual intervention.
Easy Configuration | Caddy uses a simple configuration file, making it easy to set up and manage. Its human-readable syntax reduces the likelihood of errors and simplifies maintenance.
Advanced Security Features | Caddy includes features like automatic HTTPS, HTTP/2, and built-in rate limiting, providing a strong security foundation for your self-hosted applications.
Example Caddy Configuration
Here's an example Caddy configuration for managing PocketBase and Coolify:
# One site block per hostname: Caddy treats yourdomain.com and
# yourdomain.com:443 as the same site address and rejects the duplicate,
# so the path routes and the TLS settings live together here.
yourdomain.com {
    # Let's Encrypt certificates, obtained and renewed automatically; the
    # e-mail receives expiry notices. The dns challenge needs a Caddy build
    # that includes the caddy-dns/cloudflare module (the stock caddy:latest
    # image does not ship it); drop the inner block to use the HTTP challenge.
    tls your-email@example.com {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # handle_path strips the matched prefix before proxying, matching the
    # trailing-slash behaviour of the nginx example above.
    handle_path /pocketbase/* {
        reverse_proxy pocketbase:8090
    }
    handle_path /coolify/* {
        reverse_proxy coolify:3000
    }
}
Steps to Set Up
Create Caddyfile | Save the above configuration as Caddyfile in your project directory.
Deploy Caddy | Use Docker to deploy Caddy alongside your other services. Update your docker-compose.yml to include a Caddy service.
services:
  caddy:
    # The Caddyfile's dns challenge needs a build that includes the
    # caddy-dns/cloudflare module; the stock caddy:latest image does not ship it.
    image: caddy:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data        # certificates and ACME account keys; persist this
      - caddy_config:/config
    environment:
      # Supplied from a .env file or the shell rather than written into this file.
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
  # other services (pocketbase, coolify, db) as in the earlier example. Caddy
  # takes nginx's place here: both cannot bind ports 80 and 443 on one host.
volumes:
  caddy_data:
  caddy_config:
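A defender's check for both compose files on this page (the nginx one earlier and the Caddy one above), added here and not part of the original post: it reads the published ports of each service and flags backends the host exposes directly, since such a port lets traffic skip the proxy's TLS termination and filtering. The compose excerpt is constructed; pass proxy="nginx" when checking the earlier file.

```python
import re

# Constructed compose excerpt mirroring the page's files, trimmed to the keys
# this check reads; the loopback-bound coolify line is included on purpose.
COMPOSE = """\
services:
  caddy:
    ports:
      - "80:80"
      - "443:443"
  pocketbase:
    ports:
      - "8090:8090"
  coolify:
    ports:
      - "127.0.0.1:3000:3000"
  db:
    image: postgres:13
"""
PORT_RE = re.compile(r'-\s*["\']?(?:(?P<ip>[\d.]+):)?(?P<host>\d+):\d+')


def published_ports(compose_text):
    """Map each service to its host-published ports as (bind_ip, port) pairs.
    An indentation walk over services -> name -> ports suffices for this shape."""
    result, section, service, in_ports = {}, None, None, False
    for raw in compose_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                      # top-level key: services, volumes, ...
            section, service = text.rstrip(":"), None
        elif section == "services" and indent == 2 and text.endswith(":"):
            service, in_ports = text[:-1], False
            result[service] = []
        elif service and indent == 4:
            in_ports = text == "ports:"
        elif service and in_ports and indent >= 6:
            m = PORT_RE.match(text)          # "host:ctr" or "ip:host:ctr"
            if m:
                result[service].append((m.group("ip") or "0.0.0.0", int(m.group("host"))))
    return result


def bypass_findings(ports_by_service, proxy="caddy"):
    """Backends published on a non-loopback host port are reachable without
    passing through the proxy's TLS termination and filtering."""
    return {svc: [p for ip, p in ports if ip not in ("127.0.0.1", "::1")]
            for svc, ports in ports_by_service.items()
            if svc != proxy and any(ip not in ("127.0.0.1", "::1") for ip, _ in ports)}
```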
By leveraging Caddy with Hetzner, you can ensure your self-hosted services are secure, easy to manage, and performant. Combining multiple servers under a unified reverse proxy setup further streamlines operations and enhances resource efficiency.
For more information on using Caddy, Hetzner, and Cloudflare tunnels, you can explore their official documentation and Hetzner's docs.