Reverse Proxy or Not?

While Tailscale is technically a VPN, it acts as a type of reverse proxy. You really don’t need both; it’s better than opening up to the www.

Don’t use something like nginx to open it to the www. But I do use nginx internally so I can get domains and SSL.

Only access your network from the www with some type of robust VPN, like Tailscale or OpenVPN. Preferably managed at your firewall (pfSense) for full control and multiple authentication layers before reaching your internal resources.

The big advantage of a reverse proxy is that it’s one centralized point of entry for all your TCP traffic: you only need to set up TLS certs in one place, open one port, etc. This is much less work than setting that up for each individual application you have running.

/r/ZeroTier and /r/TailScale serve a slightly different goal - they essentially make select clients that you’ve whitelisted (usually, your phone, laptop, etc) part of your local network. It doesn’t help you host something for the wider internet to use.

I do expose some things, but really the biggest thing is I can access all my services using HTTP redirected to HTTPS internally so that I don’t have to type port numbers, and the DNS names can be either subdomains or subdirectories of the main site. I can then make my main site whatever I want and can potentially put links that go to other pages.

E.g. example.example.com
E.g. example.com/example

I can also have my certificate from Let’s Encrypt automatically apply to my reverse proxy, and with a wildcard cert it can apply to all my sites, allowing me to use HTTPS without having my browser complain about it being untrusted.

Being able to expose only one server, and only HTTP and HTTPS on that one server, to the internet is also an advantage, but it’s honestly not the primary advantage, nor is it the only one.

Everything already said except a tiny thing: HTTPS is much easier to set up for a single endpoint on 443. You don’t have to configure HTTPS for every service separately and still benefit from the encryption (from client to proxy, not between proxy and the service, but that’s LAN anyway).

A good reason to use a RP would be like this example:
I have multiple domains which run multiple things. So I set up all domains with A records pointing to my server, even with subdomains. So, like, I want home.myserver.com to go to myserver:8080, myserver.com to go to myserver:443 and so on. I can implement this using a RP, which will listen on port 80 and pass traffic based on a certain set of rules.

Additionally, I have my homelab connected to my remote server over VPN (since I was behind a CGNAT), so I set up a reverse proxy on my remote server to pass traffic like TCP streams (for SSH, VNC) and other HTTP traffic over some other ports. So I could just SSH to the hostname of my remote server on, say, port 222, and I would be connected to my home server directly.
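The setup this commenter describes, written out as an added nginx example (not the commenter’s own config): host-based routing on port 80 for the HTTP services, plus a raw TCP forward for SSH over the VPN. The hostnames, the backend ports and the VPN address 10.8.0.2 are assumptions, and the `stream` block needs nginx built with the stream module.

```nginx
# Added example: nginx as the single entry point on the remote server.
# All A records (myserver.com, home.myserver.com) point at this box.

events {}

http {
    # Catch-all for requests whose Host header matches no name below.
    # 444 makes nginx close the connection without a response, so bare-IP
    # scans and random Host headers never reach a backend.
    server {
        listen 80 default_server;
        return 444;
    }

    # home.myserver.com -> the service on port 8080 on the same host
    server {
        listen 80;
        server_name home.myserver.com;
        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    # myserver.com -> the main site listening on port 443 on the same host
    server {
        listen 80;
        server_name myserver.com;
        location / {
            proxy_pass https://127.0.0.1:443;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

# Raw TCP forwarding (no HTTP parsing at all): port 222 on the remote server
# goes over the VPN to sshd on the homelab. 10.8.0.2 is an assumed VPN address.
stream {
    server {
        listen 222;
        proxy_pass 10.8.0.2:22;
    }
}
```

Run `nginx -t` against the file before reloading; the SSH hop is only as strong as the VPN it rides on, so sshd on the homelab still needs its own authentication.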

I will give you my use case…

I have some services running on ports outside of ports 80 and 443, as they have their own webserver built into them, such as Gitea and Calibre-Web.

In order to make my life easier, I use RP in my Apache webserver for these services. This also makes my life easier with using Let’s Encrypt, as I can use SSL on port 443 and then standard HTTP from the Apache webserver to localhost on port whatever.

Why to run a reverse proxy:

  • Similar to a VPN, it can be configured to authenticate the user with 2FA before allowing access to any service.
  • Unlike a VPN it doesn’t require any software to be installed on clients.
  • Traefik (and Caddy) is written in a memory safe language. So some classes of exploits just aren’t possible.
  • Access can be limited on a per-person/per-URL basis.
  • Nobody is in the middle of the https connection. It has end-to-end privacy.
  • It is needed for services like the Google Assistant smart home actions, which require Google to be able to connect to your host name via HTTPS.

The downside of this is reverse proxies can take a while to configure and maintain. By comparison a VPN is easy to set up and provides an authenticated and private connection by default.

The other element that I haven’t seen mentioned directly in the comments is that, without the reverse proxy, if you want to expose some of your services to the internet (i.e. you want to be able to access them from outside as well as inside), you’d have to open and forward ports in your firewall for every one of those services. The reverse proxy removes that complexity by needing only ports 80 and 443 open and forwarded to the proxy host.

It depends on your use case and threat model. RPs and overlay networks are meant for two completely different use cases. Ultimately, you have to decide how many people should have access to something.

If you’re hosting multiple websites or services that are meant to be accessed publicly by many people from many places, a reverse proxy is what you want. You’re taking on more risk with a RP because anyone on the internet can scan and poke at your proxy, and all it takes is one misconfiguration or a fuck-all exploit and then you’re toast. Most places that have a legitimate need for RPs have a much more complex backend infrastructure such as routers, firewalls, IPSs, DMZs, etc. to accommodate for that risk.

On the other hand, if you are the only person that has any business accessing your “stuff”, use an overlay network and just take all the risk of exposing anything to the internet out of the equation, period.

Adding two cents on my own setup because I didn’t see anyone call this out specifically: I use a reverse proxy AND Tailscale together.

In the DNS records for my domain, I set up a wildcard A record for a subdomain (*.lab.mydomain.com), which points to the Tailscale IP of my server which is running the reverse proxy (I’m just using the built-in one on my Synology). In the reverse proxy, I configure all of the redirection and force HTTPS so browsers stop complaining about security issues when I’m using my self-hosted services.

Since the Tailscale IPs aren’t accessible to anyone not connected to my Tailscale network, I’m not exposing any services to the internet unnecessarily AND I get proper URLs for my internal services (once I set up the wildcard certs with Let’s Encrypt).
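The same Tailscale-plus-proxy pattern as an added nginx example (not the commenter’s Synology config). It assumes 100.64.0.10 is the server’s Tailscale IP, that *.lab.mydomain.com resolves to it in public DNS, and that the wildcard cert was issued out of band via a DNS-01 challenge, because a host that is not reachable from the internet cannot pass HTTP-01. The backend ports are assumptions too.

```nginx
# Added example: proxy bound to the Tailscale address only.
# Binding to 100.64.0.10 instead of 0.0.0.0 means nothing answers on the
# LAN or WAN interfaces even if a firewall or port-forward rule is wrong.

events {}

http {
    # Plain HTTP exists only to bounce browsers to HTTPS.
    server {
        listen 100.64.0.10:80;
        server_name *.lab.mydomain.com;
        return 301 https://$host$request_uri;
    }

    # git.lab.mydomain.com -> assumed Gitea on port 3000
    server {
        listen 100.64.0.10:443 ssl;
        server_name git.lab.mydomain.com;
        ssl_certificate     /etc/letsencrypt/live/lab.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/lab.mydomain.com/privkey.pem;
        location / {
            proxy_pass http://127.0.0.1:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    # books.lab.mydomain.com -> assumed Calibre-Web on port 8083
    server {
        listen 100.64.0.10:443 ssl;
        server_name books.lab.mydomain.com;
        ssl_certificate     /etc/letsencrypt/live/lab.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/lab.mydomain.com/privkey.pem;
        location / {
            proxy_pass http://127.0.0.1:8083;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

After reloading, `ss -ltn` should show 80 and 443 listening on 100.64.0.10 only; any 0.0.0.0 entry means a service is reachable off the tailnet.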

I think it’s largely because of how Docker started. In the beginning things like ipvlan and macvlan weren’t a thing, so people had to use reverse proxies to get things out.

After that people just got used to them… I’m personally a fan of just using ipvlan and tunnelling it over a VPN for access, but reverse proxies can sometimes be more secure depending on how much access you are letting out.

I still need to set a reverse proxy up; it’s been something I’ve been meaning to do for quite some time.

No reverse proxy

  • you go to blabla.org, which points to your public IP, and through ports 80/443 you get to a web server running on your machine

With reverse proxy

  • you go to blabla.org, which points to your public IP, and through ports 80/443 you get to a reverse proxy that decides to which of many web servers running on your machine the traffic should continue. So that map.blabla.org goes to a website showing a map of your Minecraft server, and mov.blabla.org goes to your Jellyfin server with movies and shows… and some such…

I tested several reverse proxy setups; the one I like the best is Caddy for its simplicity while being very feature rich. Here is a guide with examples of how to set up Caddy. It even includes monitoring who connects from where.

That entire repo has many Docker Compose service guides, all using Caddy for the reverse proxy.

As for the others I tried…

Plain nginx is kinda an old-timer: too much boilerplate in configs and too much work compared to Caddy, with no benefits other than teaching the golden standard of the industry. Traefik is a bit more complicated with several abstraction layers, very powerful but more for very dynamic setups. I was also not a fan of how it pollutes compose files with labels, making them uglier. NPM is very popular and a good choice for beginners since it offers a web GUI for management. But it hides stuff from users, and is a pain to back up compared to backing up the single readable, clean config file of Caddy.

Naw, look into better technology: SASE.
Check out Twingate, don’t expose your services to the Internet at all.

Honestly, a remote VPN solution (WireGuard, OpenVPN, Tailscale) isn’t remotely similar to reverse proxies (Traefik, Caddy, nginx, HAProxy), and if you need to do something complex you really need control of your DNS records, so you’ll need some local DNS server, for example pfSense, OPNsense or other solutions. I don’t have anything open to the world at large except WireGuard, but I run a lot of RPs locally and use HTTPS with SSL certificates for all my locally running servers, many running on different VMs.

You guys are making me feel bad. I did not find Cloudflare Tunnels easy. If you are familiar with the Cloudflare milieu it may be easy. It still gives me some fits and starts. In general my home server is not exposed. I will expose it for a specific purpose for a limited time, then I shut it down. Yeah. I am chicken.

You can use Pi-hole as a quick and dirty home lab proxy for DNS resolution. You put the lookups in a file in the config area of Pi-hole. I don’t remember the exact details. Pi-hole incorporates the DNS lookups in the file and will “route” traffic appropriately. Not recommended. But it works.

It’s for if you want to reach hosted services over the public internet, without a VPN. If you are fine with Tailscale, you should stick with that. I have some services that I need to be able to access from random computers, so I use a reverse proxy to expose them.

An RP is an extra layer in front of your service. Multiplexing is one use; security is another. You can ensure no requests go to your service without being logged in.

If you’re not planning on exposing your services to the internet, and I wouldn’t unless you have a very compelling reason, you don’t need a reverse proxy.

Stick with Tailscale.

I want to add that it could be fun to set up a reverse proxy for the learning experience, but if you don’t mind the :port numbers on the URL and just want it to work, then Tailscale is just fine. Also, ngrok is really easy to set up too; I just don’t really know the difference between it and Tailscale, to be honest.

I would also add that a reverse proxy exposed to the internet is also more practical if you want to share your services with a large group of friends or family because it does not require installing/configuring Tailscale on all the client devices.