this post was submitted on 19 May 2025
24 points (96.2% liked)

Selfhosted

I'm currently self-hosting several services and looking to harden my setup. I already use Nginx Proxy Manager (NPM) with wildcard Let's Encrypt certs, but I'm thinking of moving to something more robust with:

A proper WAF (Web Application Firewall)

Deep network monitoring (ideally per-container or per-service)

Possibly some bot protection and anomaly detection (AI scraping is annoying)

I've looked into Traefik, BunkerWeb, and Pangolin. Each has pros and cons: BunkerWeb seems WAF-ready but has some limitations (SSL setup is a nightmare). Traefik is very flexible, but I'd need to add middleware myself (I'm also running non-Docker services). Pangolin looks great, but I wasn't able to get it to work in my setup.

Main goals:

Secure exposure of HTTP(S) services (wildcard certs with Cloudflare)

Easy rules for blocking bad IPs or patterns

Optional: rate-limiting, automatic fail2ban-style bans

Bonus: nice dashboard or at least logs that make sense

I also have a mix of Docker and bare metal services, so proxying non-container stuff cleanly is important.

My final goal is a setup like this: OVH (Reverse Proxy - Firewall) - Tailscale - Hetzner Server
[–] [email protected] 1 points 2 weeks ago (1 children)

I'm currently following this guide to set up a Caddy reverse proxy with the Coraza web app firewall.

But be warned, this whole rabbit hole of WAF isn't trivial, some protections don't work well with some apps (e.g. portainer triggers some rules about system command execution) and it needs some tuning. I personally set it up to learn more about WAFs because I believe it will help me in my career, but I would not blindly recommend it to everyone.

Approaches like crowdsec and fail2ban seem much more suitable for selfhosters -- and keep your server software updated.

[–] [email protected] 1 points 2 weeks ago

For now I'm giving BunkerWeb another go; it's probably the closest thing to what I'm looking for. In my case the proxy is on OVH and the final server is on Hetzner. I mostly want to filter out AI bots crawling my pages.