101: reverse proxy

What is a reverse proxy and how to use it

  • Security:
    • HTTPS encryption (TLS offloading/TLS termination)
    • some reverse proxies like Traefik and Caddy can automatically enroll TLS certificates (others like Apache and Nginx require additional software)
    • filtering malicious traffic
    • rate limiting
  • Management
    • Single Entry Point: The reverse proxy acts as a single entry point for all your web applications, simplifying administration and configuration.
    • URL Rewriting: You can use the reverse proxy to rewrite URLs for a cleaner and more user-friendly experience.
    • Content Control: The proxy can be configured to restrict access to certain content based on user roles or IP addresses.

architecture for a single application

a reverse proxy sits in front of the application, manages TLS certificates (free Let’s Encrypt certificates are the most common and recommended), receives incoming requests, and optionally performs additional security checks and sanitization.


reverse proxy for overview

architecture for multiple applications

especially in a self-hosting scenario it’s hard to have a dedicated public IP for each application, so a reverse proxy is used as a single point of entry and distributes incoming requests to different applications based on rules like different hostnames (https://app1.mydomain.tld, https://nextcloud.mydomain.tld) or URL patterns (https://mydomain.tld/app1, https://mydomain.tld/app2, https://mydomain.tld/nextcloud)


reverse proxy for multiple applications

Nextcloud configuration

As there is no direct connection from the client, the application cannot determine the IP address of the client or the domain it wants to access. This results in proxy warnings. The reverse proxy must add specific headers with information about the client and the resource/URL it accessed initially. But Nextcloud doesn’t trust such headers by default and for security reasons requires a trusted_proxies configuration; otherwise a malicious actor could spoof the headers and bypass protective measures like brute-force protection.

  • Trusted Proxies: Define the IP addresses or hostnames of your reverse proxy servers in config.php for security reasons (only trusted endpoints can inject information about the accessing device).
  • Proxy Headers: Nextcloud uses the X-Forwarded-For header by default to retrieve the client IP address behind the proxy.
    • You can configure other headers if needed
  • Overwrite Parameters: If Nextcloud doesn’t automatically detect the hostname, protocol, or webroot path,
    • use the overwritehost, overwriteprotocol, and overwritewebroot options in config.php
    • use environment variables for containers (All-in-One and community microservice)
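As an added illustration of why the trusted-proxies setting matters (example code, not Nextcloud’s own implementation): the client address is taken from X-Forwarded-For only when the connecting peer is one of the configured proxies; otherwise the header is ignored, so a client connecting directly cannot forge its own address. The proxy list and sample addresses below are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional


def _is_trusted(addr: str, trusted: Iterable[str]) -> bool:
    """True if addr falls inside any trusted IP or CIDR range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in trusted)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: List[str]) -> str:
    """Return the address an app should use for logging and brute-force protection.

    remote_addr:      the TCP peer that connected to the app (REMOTE_ADDR)
    x_forwarded_for:  raw X-Forwarded-For header value, or None if absent
    trusted_proxies:  IPs/CIDRs of reverse proxies allowed to set that header
    """
    # Peer is not a configured proxy: the header is untrusted client input,
    # so ignore it entirely (this is what a missing trusted_proxies entry buys
    # an attacker if the app trusted the header blindly).
    if not x_forwarded_for or not _is_trusted(remote_addr, trusted_proxies):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk from the nearest hop backwards, skipping our own proxies; the first
    # address that is not a trusted proxy is the real client. Anything left of
    # it was supplied by the client itself and must not be believed.
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop, trusted_proxies):
                return hop
        except ValueError:
            return remote_addr  # malformed hop: fall back to the peer address
    return remote_addr


if __name__ == "__main__":
    # Constructed sample: proxy subnet 10.0.0.0/24, real client 203.0.113.7
    TRUSTED = ["10.0.0.0/24"]
    print(client_ip("10.0.0.2", "203.0.113.7", TRUSTED))        # via proxy
    print(client_ip("198.51.100.5", "203.0.113.7", TRUSTED))    # spoof attempt
```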

official reverse proxy documentation

Popular Reverse Proxy Options:

Additional Resources:
