I see so many posts and people who run NGINX as their reverse proxy. Why though? There’s HAProxy and Apache, with Caddy being a simpler option.
If you’re starting from scratch, why did you pick/are you picking NGINX over the others?
Submitted 3 months ago by Findmysec@infosec.pub to selfhosted@lemmy.world
Nginx “just works™”, has never gotten in the way, it’s been rock solid and has not changed significantly over the years.
Why would I need something else?
Me personally, as a newb regarding proxy and homelab, I use nginx because it was super easy to set up (Proxmox script), there were many tutorials available, and it just works great. I had to debug some things and this also worked great, so just a perfect package.
What about envoy proxy?
Nothing else on the market has as low latency implications to workloads that I am aware of.
I have heard a lot about Envoy proxy from Istio but never looked into it for baremetal usage. I’ll keep an eye out, thanks
Because I have it in use as my main webserver. Sure, I could put that behind HAProxy too, but why? I like to keep my server setup small and easy, without unnecessary duplications. Nginx can do everything that HAProxy can, and more.
There’s a lot of good resources for Nginx, it’s fast (faster than Caddy), and has a ton of features, so you can use it for pretty much anything HAProxy, Apache, or Caddy can do, and not sacrifice much in performance.
That said, I mostly use HAProxy and Caddy. Here’s my basic setup:
I use a local DNS server on my router so my domains can route directly to Caddy instead of going over the internet when on my network, otherwise I may just have HAProxy handle LetsEncrypt certificates.
From what I can tell, Nginx is a little more efficient than Caddy, but Caddy is plenty fast for my needs. I’m considering switching from NextCloud to the new ownCloud Infinite Scale, and if I do, I’d ditch nginx completely.
Nginx was the easiest to set up for me at the time and I’ve no reason to fix what isn’t broken.
I use Traefik because it solved a problem with the static configuration approach which Nginx had / still has.
In a scenario with multiple services behind Nginx, taking one down or replacing an instance is a massive headache. I tried to script around it, but basically the Nginx container would choke on the fact that a service does not [yet / anymore] exist, and together with the Docker networking stack it turned out to be an insurmountable problem.
Traefik otoh discovers services based on (in my case) labels on the Docker containers running locally. And then updates the configuration on the fly. Basically this resulted in a massive headache when I needed to enable zero downtime deployments and updates behind Nginx. And Traefik handled it perfectly without dropping a single request.
Nowadays I manage my dynamic configuration with Ansible and update the values for the file-based configuration provider with a playbook. I don’t need a UI to manage my inventory, I use Ansible for that. Traefik handles the rest perfectly.
Completely agree, which is why I do the same.
Additional bonus: proxies that interact with the docker API directly (I think also caddy can do it) save you from exposing the services on any port at all (only in the docker network). So it’s way less likely to expose a port with a service by mistake and no need for arbitrary and unique localhost ports.
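The label-based discovery and the "no published ports" point from the comments above, shown as a Docker Compose sketch. This is an added example, not configuration posted by anyone in the thread; the service names, image names, hostname and network name are placeholders.

```yaml
# Added example (constructed). Placeholders: example/app, app.example.internal, "proxy".
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      # Route only containers that opt in with traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"   # the only port published on the host
    volumes:
      # The proxy reads container labels through the Docker API.
      # ":ro" protects the socket file only; it does not limit API calls,
      # so treat this container as having control over the Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [proxy]

  # Weak variant: also published on the host, so the app can be reached
  # directly on :8080, bypassing TLS and any proxy-side access rules.
  app_published:
    image: example/app:latest
    ports:
      - "8080:8080"
    networks: [proxy]

  # Preferred variant: no "ports:" key. The app is reachable only on the
  # shared Docker network, and Traefik finds it through its labels.
  app_internal:
    image: example/app:latest
    labels:
      - traefik.enable=true
      - traefik.http.routers.app.rule=Host(`app.example.internal`)
      - traefik.http.routers.app.entrypoints=websecure
      - traefik.http.routers.app.tls=true
      # Container-internal port Traefik forwards to; never bound on the host.
      - traefik.http.services.app.loadbalancer.server.port=8080
    networks: [proxy]

networks:
  proxy: {}
```

Running `docker ps` after bringing this up shows a host port mapping for `app_published` and none for `app_internal`, which is a quick way to audit for services exposed by mistake.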
I learned nginx when I was hosting websites. I had it set up and running when it was time to add reverse proxies into my setup. It didn’t take much more from the virtual hosts I was already using.
Now, I don’t host many individual sites anymore and haproxy has a plugin on my firewall for the handful of services I run now.
NGINX is a bit more hands on than some other options but it’s mature, configurable and there’s a huge amount of information out there for setting it up for various use cases.
In my case, it’s what I set up when I was first getting into this and it works, so I don’t want to go through setting up anything else.
You want to access your server under CG-NAT from the outside?
You can do that with Wireguard and NAT.
Often I already have nginx running for serving some static content anyway.
Otherwise, I’m traefik all the way.
The only reason that I tend to use it is because of the included webserver. It’s not bad but the paywalling of functionality needed for it to be a proper LB left a bad taste in my mouth. That and HAProxy blows it out of the water in all tests that I’ve done over the years where availability is at all a concern. HAProxy also is much more useful when routing TCP.
Because modsec.
As a security professional, what finally got me to move from Apache to NGINX was OpenResty.
I sometimes still put Apache behind it, depending on my goals.
eager_eagle@lemmy.world 3 months ago
Nginx handles more connections than Apache, given the same resources. HAProxy does not have web server functionality like the former two, so Nginx is the natural upgrade from Apache.