Over the past year, I have started rebuliding my home lab. One thing about a home lab is you want very little entries into your network. I split off my home lab from my main network using a pfsense firewall. The home network only has 2 ports open on it. That’s 80 and 443. Everything runs through those ports. The whole lab is based on docker. This way I can run mulitple objects on different ports. For example, I have 3 wordpress living on one server. These are for development tests and so on and so forth. The question that needs to be answered is how do I get to those services outside the network? This is where a Reverse Proxy on Docker comes into play.

What is a Reverse Proxy?

Imagine walking into a massive building with hundreds of offices. There are no maps on the wall. The doors have no names and there is no glass to look through each door. All that lives on each door is a number. So, how would you find anything in that building? Well, there is a receiptionist at the front with a security guard. If you ask the receiptionist to see Dr Ross Geller, they will look at their charts. If Dr Ross Geller doesn’t work there. They will look up at you and say nothing. You get no feed back and you can go past that point without the security gaurd’s keys. Even if you got the keys, the lights are off and you need the recipionists keys for the lights.

Now, if Dr Ross Geller is there, She will grab the security guard and whisper the room number into their ear. Then, the guard will hand cuff you to himself and walk you to the office in the dark. Once at the door, he will pat you down for common weapons then open the door for you and you can walk into the meeting with Dr Ross Geller. Remember to PIVOT!

This is how a reverse proxy works. They are the gate keepers of the network. When something comes in on port 80 or 443, the reverse proxy will that the DNS name and check it’s register. If it has the DNS name, it then forwards you to the local port. It doesn’t tell the user about any other active ports. Many proxies will block common exploits and even work with your SSLs.

Ngnix Reverse Proxy Manager

We are going to be working with Ngnix Reverse Proxy Manager. Ngnix Reverse Proxy Manager is a docker friendly reverse proxy that gives you a beautiful ui to work with. Along with connecting to Let’s Encrypt to give you free ssls, it also allows multiple users, redirects, custom 404 pages, streaming services, and more. The Graphical interface helps keep management sustainable.

Install on Docker

We are going to assume you have docker installed on your system. If you do not, you can read on how to do it here and you can learn how to install docker compose here. Nginx proxy Manager has their quick guide that you can read here. This next steps below will match up to this documentation with a few small changes.

The First step is to setup your docker folders. I am in the camp of using a folder for each service. After logging in with SSH we want to make a directory using the mkdir command.

mkdir ReverseProxyManager
cd ReverseProxyManager

Now inside the “ReverseProxyManager” folder we want to create a compose file. On Ubuntu, my server of choice for this, we will use the built in editor, nano. I am a nano fan, some like vi, some like vim. That is a debate for other people. I suggest using what you have access to. So run the nano command and build a “docker-compose.yml” file.

nano docker-compose.yml

This will drop you into a text file. Copy the blow information and past it into the text file.

version: "3.8"

services:
  proxy-manager:
    image: 'jc21/nginx-proxy-manager'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    environment:
      DB_SQLITE_FILE: "/data/database.sqlite"
      DISABLE_IPV6: 'true'

To save, all you have to do is press ctrl and x and follow the prompts.

Breakdown of the Yml

Here we ahve the service manager making a service called proxy-manager. We are using the offical Reverse proxy for Docker through jc21. We tell it to continue running until someone stops it. Then we tell it the ports we want. Here we want 80, 81, and 443. 81 will be your management port and should only be accessiable internally. The other two will be for the data coming in. Next we have the volumes. We need a data folder. Using ./ to indicate the folder this yml file lives in. We also want a place for the lets encrypt. Finally we are using enviromental tags. Having a sqlite server allows you to do more than without it. Finally, I disable IPv6 because I don’t use IPv6, yet. I will one day.

Starting The Docker

The next step is to start the docker. There is a way to test by using docker-compose up, but it freezes your terminal. adding the -d will make what the docker-compose up perment and give you back your terminal.

docker-compose up -d

# If using docker-compose-plugin
docker compose up -d

now the stack is up and running. The next step is to navigate to the ip address of the server. you can use the ip a to grab the ip address from the server. When you access the Url, you will see the below. Enter the below information.

  • URL: http://<serverIPAdddress>:81
  • Email: admin@example.com
  • Password: changeme

It will prompt you to change your password. Make sure you do that.

What can we learn as a person from Reverse Proxies?

In our lives, we have many different parts of ourselves. What’s interesting about these parts is we don’t know all of them. Imagine the reciptionist from our example above being your sub countinous mind. It knows all the parts of you and can direct you to those parts. But to get to the sub countinous mind, you have to go through the body. Imagine trying to walk into a building and the door handle says push, but every time you push it, it doesn’t open. Many people get mad and give up. The truth behind the door is a pull. Our brains don’t like being pushed, instead they like us to sit and pull them to us. Calm brings the sub countinous to the surface as it changes the state of our minds to allow the sub countinous to communicate back. Once that is achived, you will have access to some of the darkest parts of your mind.

Almost every religion has some reference to being still. In our busy world, being still is like dealing with an alien language. Being still allows you to communicate with your body. It allows you to know who you are and be able to sit with that knowledge. Without that stillness, we end up burning ourselves on our internal fire. This is why vacation times are so important in companies. Companies who give poor vaction time sees a higher turn over because their people don’t have a chance to commucate with themselves and enjoy thierselves.

Over the next week, take moments where you can be still with your thoughts and become aware of yourself. You may see that your internal proxy is hiding some dark secreats that are leaking out in verious of way.