Homelab Reverse Proxy Guide: HTTPS Without Unsafe Exposure
Tech GuruA reverse proxy is the difference between "I opened ten random ports" and "I have one controlled front door." It lets you publish selected services over HTTPS, centralize certificate handling, route traffic by hostname, add authentication where appropriate, and keep most of the lab private.
Tools like Caddy and Nginx Proxy Manager make the first version feel almost too easy. Caddy can automate HTTPS, and Nginx Proxy Manager gives a friendly UI for hosts and certificates. The danger is that easy publishing can turn into easy overexposure. The architecture matters more than the checkbox.
Design principle: Expose the proxy, not the network. Publish only services that are meant for external users, and keep admin interfaces behind VPN or internal-only DNS.
Decide What Belongs On The Public Edge
| Service Type | Recommended Exposure | Reason |
|---|---|---|
| Family-facing media or photo portal | Maybe public through proxy, with strong auth and app hardening | Useful for nontechnical users, but still needs logs and patch discipline. |
| Admin panels | VPN only | The internet does not need your NAS, hypervisor, firewall, Docker, or backup console. |
| Internal dashboards | Internal DNS or VPN only | Convenience is not worth broad public attack surface. |
| Public website or blog | Public proxy or external host | Designed to be public, but should still be isolated from private lab systems. |
| Experimental apps | No public exposure until reviewed | Lab projects often have weak auth, debug modes, or poor update habits. |
Reference Build
- Register a domain or subdomain and point DNS records at your WAN address or a supported dynamic DNS target.
- Forward only TCP 80 and 443 from the firewall to the reverse proxy host.
- Place the reverse proxy in a server or DMZ-like VLAN, not on the management VLAN.
- Configure one hostname per service, such as photos.example.com or docs.example.com.
- Use HTTPS certificates through Caddy automatic HTTPS, ACME DNS challenge, or Nginx Proxy Manager certificate management.
- Allow the proxy to reach only the backend IPs and ports it serves.
- Add application auth, SSO, MFA, or an auth gateway where the app supports it cleanly.
- Log proxy requests and firewall NAT hits. You need evidence when something looks strange.
Caddy Example
photos.example.com {
reverse_proxy 10.10.20.41:2283
encode zstd gzip
}
docs.example.com {
reverse_proxy 10.10.20.52:8000
encode zstd gzip
}Firewall Rules
| Rule | Source | Destination | Ports | Action |
|---|---|---|---|---|
| Internet to proxy | WAN | Reverse proxy IP | 80, 443 | Allow |
| Internet to anything else | WAN | Internal networks | Any | Deny |
| Proxy to backend app A | Proxy IP | App A IP | Specific app port | Allow |
| Proxy to backend app B | Proxy IP | App B IP | Specific app port | Allow |
| Proxy to management VLAN | Proxy IP | Management VLAN | Any | Deny and log |
Internal DNS And Split Horizon
For internal users, split DNS keeps the experience clean. Inside the LAN or VPN, app names can resolve to the internal proxy or internal service address. Outside the LAN, only public services resolve publicly. This avoids hairpin NAT surprises and keeps private names private.
Header trust caution: If an app trusts X-Forwarded-For, X-Real-IP, or similar headers, make sure only the proxy can reach the app directly. Otherwise clients may spoof identity or source context.
Validation Checklist
- A port scan from outside shows only intended public ports.
- Each public hostname serves a valid certificate and the intended backend.
- Backend apps are not reachable directly from the internet.
- The proxy cannot reach the management VLAN.
- Logs show client IP behavior clearly enough for troubleshooting.
- A private-only app remains unreachable offsite unless connected through VPN.
Useful Gear And Buyer Notes
Affiliate disclosure: As an Amazon Associate, TechGeeks may earn from qualifying purchases. The product links below are buying references, not a requirement to buy a specific brand or seller. Verify compatibility, seller quality, warranty, and current specs before ordering.
| Need | Good Choice | Why It Fits | Affiliate Link |
|---|---|---|---|
| Small proxy host | N100/N150 mini PC or existing VM host | A reverse proxy is light, but a dedicated low-power host or VM keeps the role clean. | Search Amazon: N100 mini PC |
| Security key | YubiKey or FIDO2 hardware key | Useful for protecting DNS registrar, Cloudflare, GitHub, and admin identities. | Search Amazon: YubiKey 5C NFC |
| UPS | APC or CyberPower UPS | Keeps DNS, gateway, and proxy stable through short outages. | Amazon: CyberPower CP1500PFCLCD |
| Known-good cabling | Cat6 patch cables | Public-facing troubleshooting should not begin with mystery patch leads. | Amazon: Cable Matters Cat6 10-pack |
Common Mistakes
- Putting every service behind the proxy just because it works.
- Publishing admin interfaces that should live behind VPN.
- Leaving backend apps reachable directly from other untrusted VLANs.
- Skipping logs until after the first weird request storm.
- Treating HTTPS as authentication. Encryption is not permission.
References
- Caddy Reverse Proxy Quick Start
- Caddy Automatic HTTPS
- Nginx Proxy Manager Guide
- RFC 1918 Private Address Space
Final Thought
A reverse proxy should make public access cleaner and private access stricter. If the proxy makes it easier to publish the right things and harder to accidentally expose the wrong things, you are using it well.
This article is part of the TechGeeks homelab foundation series. The series is designed to build practical home infrastructure in the right order: remote access, segmentation, exposure control, DNS, IoT isolation, and recoverable backups.
Need help applying this?
Bring TechGeeks into the real environment.
If you are working through this on a live network, WordPress site, Linux server, AI workflow, or PisoWiFi deployment, send the context and we can help turn it into a practical plan.
