Is a reverse proxy useful here, and if so, which one?

Hi,

I would like some suggestions on how to solve a problem in my home network.
There are 2 RPis, one with AdGuard installed, the other with Nextcloud.
Both RPis require port 80 at times to update the Let’s Encrypt certificate.
Different DynDNS are set up for both systems.
So far everything has worked fine, except for the error that when it’s time to renew the certificates, I alternately open and close port 80 for the respective RPi in the router.
Certainly a somewhat strange method, but it has worked for me so far.

Now to my question:
Can’t this whole procedure be solved much better with a reverse proxy?
If so, which one should I use, the frp from the DietPi software survey or something with Nginx? Maybe someone has an idea that will help me.
Admittedly, I am not an expert in Linux.

If you want to use 2 devices, you have no choice but to set up a reverse proxy. Theoretically, you can use the Nextcloud web server for this. Or another proxy software. If you like it simple with a graphical interface, NginxProxyManager is a good choice. But this is also based on Docker.
Otherwise, you could also simply run Nextcloud and AGH together on one device. AGH should be so small that there should be no problem running it together.

Thanks for the info.
The frp from the DietPi pool would not be worth considering?

Then I would use the following instructions as a guide:

An RPi 3 should not be the bottleneck despite only 300Mbit/s in the 1000Mbit/s?

Yes, you could use frp; the config is straightforward IMO.
You would need to run the frp client on both devices and on one also the frp server. From your router you forward every connection to the frp server. From there the proxy decides what to do.
I think you would need to run the frp server on the device where the certbot runs, since certbot uses your public IP and not a domain for renewal and frp routes depending on the domain :thinking:

Documentation for frp is also pretty good, see https://github.com/fatedier/frp/blob/9d5638cae6dfecb10bff7c6d3e52625fe264fee1/README.md

I think you would need something like:

[common]
bind_port = 80
[adguard]
domain = adguard.example.com
target = http://192.168.69.1:80
[nextcloud]
domain = nextcloud.example.com
target = http://192.168.69.2:80
1 Like

Then I would love to take a look at it. Thank you

Before doing this, you would need to clear port 80. This means moving away the app already running on this port.

Not for AGH, it is quite a lightweight application.

Personally, I don’t use frp, as I have NPM running using this script (DietPi style):

#!/bin/bash
# Load the DietPi helper functions (G_EXEC, G_DIETPI-NOTIFY)
. /boot/dietpi/func/dietpi-globals

# Check for existing NginxProxyManager container and image, remove them so the run below deploys a fresh copy
container=$(docker container ls -a | mawk '/jc21\/nginx-proxy-manager/{print $1;exit}')
[[ $container ]] && G_EXEC docker container rm -f "$container"
image=$(docker image ls -a | mawk '/jc21\/nginx-proxy-manager/{print $3;exit}')
[[ $image ]] && G_EXEC docker image rm "$image"
# Create the persistent data volume only if it does not exist yet
docker volume ls -q | grep -xq 'npm_data' || G_EXEC docker volume create npm_data

# Deploy the NginxProxyManager container
# Ports: 80/443 carry the proxied traffic, 81 is the NPM admin interface
G_DIETPI-NOTIFY 2 'NginxProxyManager will be deployed now. This could take a while...'
G_EXEC_OUTPUT=1 G_EXEC docker run -d -p '80:80' -p '443:443' -p '81:81' --name=npm --restart=always --env 'DB_SQLITE_FILE=/data/database.sqlite' -v 'npm_data:/data' -v 'npm_data:/etc/letsencrypt' 'jc21/nginx-proxy-manager'

It can be used to install and update NPM.

1 Like

I hope that I am not confusing things too much and that you have largely understood my intention. However, I don’t want to miss the opportunity to be a bit clearer.

Nextcloud runs on an RPi3, which I can access from outside my network.
To update the required certificates to be able to use https, I have to open port 80 for http, as the update does not work via port 443.

I then do this temporarily in the router.

With AdGuard, I think it is only the case that I can access it via https in my network.
That’s why I’m currently using two different DynDNS entries, one for AdGuard and one for Nextcloud.

Certainly a somewhat unconventional solution, but as described, it works except for the annoying switching on and off of port 80 in the router for Nextcloud or AdGuard.

Do your tips still apply?

I still have an RPi3 without use at the moment, can’t I use it separately for my project? I’m a bit worried that I might destroy the Nextcloud or the AdGuard through incorrect configuration!

Turning port forwarding on and off on your router is not eliminated by using a reverse proxy. This is a task outside of DietPi and/or other software. It does not matter how many SBCs and/or applications you operate.

I thought that I would then permanently enable port 80 for the reverse proxy.
So far I have alternately enabled port 80 for AdGuard and Nextcloud, as it is not possible at the same time.
If possible, the reverse proxy should make port 80 available for both RPi’s so that I no longer have to use the router.
Couldn’t both RPi’s then also use the same DynDNS?

I know I’m digressing from the topic of the DietPi forum, but the original question was if there is a reverse proxy for installation in the DietPi distribution.

Thanks again for the great ideas on how I can implement this.

Yes, you can do this. Theoretically, a lot of things are possible using a reverse proxy, like different domains, using subdomains or subpaths. All this can be done using the web server you have running Nextcloud on, or an own app like frp, HAProxy or apps like NPM.

1 Like
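For the setup discussed in this thread (one permanent port-80 forward, two hosts that each renew their own certificate), the following plain Nginx configuration is an added example, not taken from any of the posts. It assumes certbot on each Pi answers the HTTP-01 challenge on its own port 80 and that HTTPS for Nextcloud reaches its Pi through a separate port-443 forward; the hostnames and addresses are the placeholder values from the frp sketch earlier in the thread.

```nginx
# Place inside the http {} context of the proxy host that receives
# the router's single port-80 forward.

# Requests with an unknown Host header (e.g. scanners hitting the
# bare public IP) are dropped without a response.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# AdGuard Home: only the ACME HTTP-01 path is reachable from outside,
# the admin interface is never proxied to the internet.
server {
    listen 80;
    server_name adguard.example.com;

    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://192.168.69.1:80;   # assumed AdGuard Pi address
        proxy_set_header Host $host;
    }
    location / {
        return 404;
    }
}

# Nextcloud: the ACME path goes to the Pi, everything else is sent to HTTPS.
server {
    listen 80;
    server_name nextcloud.example.com;

    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://192.168.69.2:80;   # assumed Nextcloud Pi address
        proxy_set_header Host $host;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Running `nginx -t` before reloading catches syntax errors, and certbot's `--dry-run` renewal on each Pi confirms that the challenge path reaches the right host.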