The Reverse Proxy concept

Most of the tools described in these pages have web-based interfaces. It is not a good idea to access them directly for quite many reasons:

• Scalability, since the tools don't come with a fully featured web server
• Security, since the tools don't come with a fully featured web server
• Access control, since the tools don't come with a fully featured web server
• Configuration, since you might want to provide specific URL's for each service
• Organization, since you will want to have a centralized dashboard to manage all the links to the tools

In other words, you want a reverse-proxy even if you are going to use this setup only from inside your home. More so, if you plan to have remote access, a reverse-proxy is a must. But what is a reverse-proxy? Basically a front-end web server that is capable to wrap a series or services together adding login, security, SSL and a common access point for them all.

There are lots of possible software to use. Basically any web server can act as a reverse proxy. Some are more suited than others, and my choice is on NGINX for a few reasons:

• Much easier than Apache to setup as a reverse-proxy
• Much lighter and less features full than Apache
• More complex and more features than Caddy
• Fully integrated in Let's Encrypt SSL infrastructure / CertBot script
• I don't personally know how to setup other similar tools

In general NGINX is fully featured but still very lightweight and secure HTTP server that shines as reverse-proxy. If you need to add more features, like PHP support or FastCGI, NGINX will support you without the need for an additional service on your server.

NGINX installation on the home server is pretty straightforward, but we need to enable one specific authentication module, the pam authentication module, because i will show you how to link NGINX authentication to your home server users directly, without the need to create more users and passwords. If you prefer to use a different authentication, like basic_auth, i leave this out to you.

So create the file /etc/portage/package.use/nginx with the following lines:

app-misc/mime-types nginx
www-servers/nginx NGINX_MODULES_HTTP: auth_pam

(the first line is needed at the time of writing this page, YMMV)

Note: you might want to tweak the second line to your needs, see the flags for nginx and adapt.

Now install nginx:

 > emerge -v nginx

I think it's nice that with NGINX you can authenticate your users directly with your home server users. This means you don't need to add a second set of users, and that the users will only need one password, and no sync is required between HTTP users and server users. This is achieved using the pam_auth module on Linux. You have already built nginx with pam_auth support, but you need to configure it.

Create the file /etc/pam.d/nginx with these lines:

auth required pam_unix.so
account required pam_unix.so

Next to: The *Arr's setup

Prev to: Network setup