# Reverse Proxy

# What does a Reverse Proxy do?

A reverse proxy connects an app running locally on your server to a web address through subdomains (my-app.example.com) or subdirectories (example.com/my-app). This keeps your links clean and connections secure, since you no longer need to open server ports for accessing apps.

If you skipped the reverse proxy, you would access your services through links with port numbers, like example.com:8000. This approach would also be very cumbersome, if not impossible, to set up when using Cloudflare.

# Common Mistakes

Exposing ports of applications in your Docker Compose files: Many official setup guides for apps include a section in their compose file that would open external ports for app access. These sections should always be removed, unless you know exactly what you're doing.
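
An added example, not part of the original guide: a small Python check that reads the JSON printed by `docker compose config --format json` and lists every service other than the proxy that still publishes a port to the outside. The sample data and the service names (`proxy`, `my-app`, `db`, `wiki`) are constructed for illustration.

```python
import json

# Constructed sample in the shape printed by `docker compose config --format json`.
# Service names and port numbers are made up for illustration.
SAMPLE = json.loads("""
{"services": {
  "proxy":  {"ports": [{"target": 443, "published": "443", "protocol": "tcp"}]},
  "my-app": {"ports": [{"target": 8000, "published": "8000", "protocol": "tcp"}]},
  "db":     {"ports": ["127.0.0.1:5432:5432"]},
  "wiki":   {"expose": ["3000"]}
}}
""")

LOOPBACK = {"127.0.0.1", "::1"}

def parse_port(entry):
    """Return (host_ip, published_port) for a long- or short-syntax ports entry."""
    if isinstance(entry, dict):
        return entry.get("host_ip", ""), str(entry.get("published") or "ephemeral")
    spec = str(entry).split("/")[0]      # drop a trailing "/tcp" or "/udp"
    parts = spec.rsplit(":", 2)          # [host_ip:][published:]target
    host_ip = parts[0].strip("[]") if len(parts) == 3 else ""
    published = parts[-2] if len(parts) >= 2 else ""
    return host_ip, published or "ephemeral"

def find_published_ports(config, proxy_services):
    """List (service, bind_address, port) for ports reachable from outside the host.

    Services named in proxy_services are expected to publish ports and are skipped.
    Loopback-only bindings are skipped too: other machines cannot reach them.
    """
    findings = []
    for name, service in config.get("services", {}).items():
        if name in proxy_services:
            continue
        for entry in service.get("ports") or []:
            host_ip, published = parse_port(entry)
            if host_ip not in LOOPBACK:
                findings.append((name, host_ip or "0.0.0.0", published))
    return findings

if __name__ == "__main__":
    for service, address, port in find_published_ports(SAMPLE, {"proxy"}):
        print(f"{service}: publishes {address}:{port}, remove its ports section")
```

Services that only use `expose`, like `wiki` in the sample, stay reachable for the proxy on the shared Docker network without being published on the host.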

Not using proper encryption between your server and Cloudflare: When using the Cloudflare proxy, all your traffic is sent from your server to Cloudflare, which passes it on to your users. To make sure that no one can intercept, read or manipulate the data stream between your server and Cloudflare's, the data should be encrypted using a CF-generated certificate, and Cloudflare should be set to refuse any connection that is not encrypted with this certificate.

# Which one should I use?

There are a bunch of options, which all vary in how they're set up and used. These are the most common ones.

# Nginx Proxy Manager

A frontend for the popular Nginx proxy, allowing control of your hosts through a slick web interface.

Pro
  • Battle-tested proxy over many years
  • Comfortable usage in web UI
  • Hassle-free configuration of SSL certificates

Con
  • High RAM usage compared to other options

[Nginx](nginx/)

# Traefik

A proxy designed for servers with many apps, controlled through code right in your Docker Compose files.

Pro
  • Built from the ground up for this use-case
  • Configuration of your apps and the proxy is in one place - the Compose file

Con
  • The configuration syntax is not easy to remember

[Traefik (External Link)](https://doc.traefik.io/traefik/getting-started/quick-start/)

# Caddy

Once just a webserver, Caddy has evolved into a fast proxy that has an incredibly easy configuration syntax and uses ridiculously few resources.

Pro
  • Easy configuration with Caddyfiles and easy syntax
  • No-Fuss proxy with high speeds and performance

Con
  • Doesn't scale well when hosting many services

[Caddy (External Link)](https://caddyserver.com/docs/quick-starts/reverse-proxy)

# Cloudflare Tunnels

Runs as a daemon on your server and is entirely controlled in the CF Dashboard you already use.

Pro
  • Automatically handles encryption between your server and Cloudflare
  • Zero-Maintenance on your server
  • Tiny RAM footprint

Con
  • Official Documentation is hard to understand

[Cloudflare Tunnels (External Link)](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/)