The Reverse Proxy concept

Most of the tools described in these pages have web-based interfaces. It is not a good idea to access them directly for quite many reasons:

• Scalability, since the tools don't come with a fully featured web server
• Security, since the tools don't come with a fully featured web server
• Access control, since the tools don't come with a fully featured web server
• Configuration, since you might want to provide specific URL's for each service
• Organization, since you will want to have a centralized dashboard to manage all the links to the tools

In other words, you want a reverse-proxy even if you are going to use this setup only from inside your home. More so, if you plan to have remote access, a reverse-proxy is a must. But what is a reverse-proxy? Basically a front-end web server that is capable to wrap a series or services together adding login, security, SSL and a common access point for them all.

There are lots of possible software to use. Basically any web server can act as a reverse proxy. Some are more suited than others, and my choice is on NGINX for a few reasons:

• Much easier than Apache to setup as a reverse-proxy
• Much lighter and less features full than Apache
• More complex and more features than Caddy
• Fully integrated in Let's Encrypt SSL infrastructure / CertBot script
• I don't personally know how to setup other similar tools

In general NGINX is fully featured but still very lightweight and secure HTTP server that shines as reverse-proxy. If you need to add more features, like PHP support or FastCGI, NGINX will support you without the need for an additional service on your server.

In order for a service to operate correctly behind a reverse proxy, it needs to support at least the base_url concept or, even better, also the authentication pass-trough.

The base_url is the address to the service. Instead of having your media server at https://mediaserver.mydomain.org, using a base_url would have it accessible at https://mydomain.org/mediaserver, where mediaserver is the base_url. Since you will reverse-proxy all your services toward one single server (and you don't even require a domain name for that, the 99.99.99.99 IP address is enough) you will need to specify base_url's for each one of the services. Some services will not support custom base_urls (which is bad practice, but whatever) in this case NGINX comes to your aid with the capability to rewrite the pages (html, javascript, css, etc) to “fix” the base_url for your service.

The authentication pass-trough is great, but it's even less supported by services. It will allow your nginx authentication to get picked up by the service and used without the need for a double authentication, which is annoying. Not many services support this, i am afraid.

NGINX installation on the home server is pretty straightforward, but we need to enable one specific authentication module, the pam authentication module, because i will show you how to link NGINX authentication to your home server users directly, without the need to create more users and passwords. If you prefer to use a different authentication, like basic_auth, i leave this out to you.

So create the file /etc/portage/package.use/nginx with the following lines:

app-misc/mime-types nginx
www-servers/nginx NGINX_MODULES_HTTP: auth_pam gunzip sub

(the first line is needed at the time of writing this page, YMMV)

Note: you might want to tweak the second line to your needs, see the flags for nginx and adapt.

A brief explanation of the above USE flags:

• auth_pam is used to enable PAM based authentication
• sub is used to allow substitutions inside the pages proxied, to fix web applications that don't play well with reverse-proxies
• gunzip is used to unzip the requests and let the sub module works also on compressed requests

Now install nginx:

 > emerge -v nginx

I think it's nice that with NGINX you can authenticate your users directly with your home server users. This means you don't need to add a second set of users, and that the users will only need one password, and no sync is required between HTTP users and server users. This is achieved using the pam_auth module on Linux. You have already built nginx with pam_auth support, but you need to configure it.

Create the file /etc/pam.d/nginx with these lines:

auth required pam_unix.so
account required pam_unix.so

Next to: The *Arr's setup

Prev to: Network setup