this post was submitted on 19 May 2025
24 points (96.2% liked)

Selfhosted

46653 readers
349 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
24
Reverse Proxy with WAF and network monitoring (lm.madiator.cloud)
submitted 2 weeks ago by [email protected] to c/[email protected]
3 comments fedilink hide all child comments
 

I'm currently self-hosting several services and looking to harden my setup. I already use Nginx Proxy Manager (NPM) with wildcard Let's Encrypt certs, but I'm thinking of moving to something more robust with:

A proper WAF (Web Application Firewall)

Deep network monitoring (ideally per-container or per-service)

Possibly some bot protection and anomaly detection (ai scrapping is annoying)

I've looked into Traefik, BunkerWeb, and Pangolin. Each has pros and cons, BunkerWeb seems WAF-ready, but has some limitations (SSL setup is nightmare). Traefik is very flexible, but I’d need to add middleware myself (also runing non docker services). Pangolin looks great but werent able to get it work in my setup.

Main goals:

Secure exposure of HTTP(S) services (wildcard certs with Cloudlfare)

Easy rules for blocking bad IPs or patterns

Optional: rate-limiting, automatic fail2ban-style bans

Bonus: nice dashboard or at least logs that make sense

I also have a mix of Docker and bare metal services, so proxying non-container stuff cleanly is important.

My final goal is setup like this: OVH (Reverse Proxy - Firewall) - Tailscale - Hetzner Server)

top 3 comments
sorted by: hot top controversial new old
[–] [email protected] 4 points 2 weeks ago* (last edited 2 weeks ago)

I’m currently self-hosting several services and looking to harden my setup

If you are looking to harden your server, might I suggest installing Lynis. Lynis will extensively scan your server, and at the end of the scan it will print the output of the test including a score of 1-100 and recommendations on how to fix, secure and harden the server. Not all of the recommendations will be applicable to you.

A proper WAF (Web Application Firewall)

I use Crowdsec. While Crowdsec is not a trad WAf, it is more than capable when set up correctly. I use Crowdsec in conjunction with UFW, Fail2ban, Tailscale, rkhunter, and chkrootkit. I have fail2ban in aggressive mode, since I am the only user, or legit user that is. ;) I have been accused of going overboard on security.

Traefik, BunkerWeb, and Pangolin.

You mentioned these, and I have never used them. I'm assuming you are going for a reverse proxy as part of your hardening methods. I use Caddy, and it's real simple to set up. It also takes care of your cert renewals automatically.

Bonus: nice dashboard or at least logs that make sense

Most of the logging apps like Syslog, Graylog, or similar I've found to be quite heavy as they need a lot of additional modules to run like databases, elastic, et al. I recently discovered lnav, with the help of the kind folks here. It is not a pretty, graphical, dialed out dashboard. You view the logs in the terminal. Very light on resources, and does exactly what it says on the tin. Check it out.

Tailscale

Do it! It's easy to set up and works very well. You can pipe all manner of things through Tailscale like ssh, sftp, etc.

Also, don't forget about using ssh keys. I know there is a lot of discussion about changing the ssh port number and how effective it really is. For about 5 minutes of your time, you can have it all set up, and it will at the very least, cut down a lot of noisy bots. If you want to go even further, you can set up host allow/host deny: sudo host.allow and sudo hosts.deny. Make sure you edit host allow first. LOL

You may want to look into Debsums, AIDE, iptraf-ng, Apparmor Deborphan, unattended updates, Maldet, etc, which will probably recommended by Lynis when you initiate a scan.

[–] [email protected] 1 points 2 weeks ago (1 children)

I'm currently following this guide to setup caddy reverse proxy with coraza web app firewall.

But be warned, this whole rabbit hole of WAF isn't trivial, some protections don't work well with some apps (e.g. portainer triggers some rules about system command execution) and it needs some tuning. I personally set it up to learn more about WAFs because I believe it will help me in my career, but I would not blindly recommend it to everyone.

Approaches like crowdsec and fail2ban seem much more suitable for selfhosters -- and keep your server software updated.

[–] [email protected] 1 points 2 weeks ago

BunkerWeb For now giving another go to BunkerWeb probably most close thing I'm looking for. In my case proxy is on OVH and the final server on Hetzner. Mostly want to filter out AI bots from scrawling my pages.