I started to do it the VPS - Wireguard - Home way recently. The advantage is that you do not need to expose an inbound port at home.
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Agreed, though recommend nginx as proxy, have it do ssl, can set it up with letsencrypt, but mostly you can run multiple services off multiple internal hosts as subdirectories (assuming they cooperate).
Works great for me.
Yup, NPM on the VPS here.
One of the main reasons to do this is if you are behind CGNAT and cannot port-forward. However, giving out your home IP isn't ideal regardless. If you decide to not use a VPS as a reverse proxy, then you might want to look into using cloudflares proxy, which hides your IP and also serves your content more efficiently. However, I'm not quite familiar on how matrix works so this might not be possible if you need ports other than 80 and 443 as all other ports are not forwarded by the cloudflare proxy.
I do the very thing that you are seeking to do. I have a free Oracle Cloud VM running nginx as a reverse proxy. Between the reverse proxy and my home server is a WireGuard tunnel. There are some benefits in that ports do not need to be opened on your home network's firewall so you don't have to do any port forwarding. If you want to go this route, the advice I have for you is to get a free Oracle cloud VPS, install NGINX Proxy Manager on it, and configure a WireGuard tunnel between it and the actual server that the service you want to provide resides on. NGINX Proxy Manager is actually not hard to get going and there are plenty of YouTube videos on it. In fact, for people new to self-hosting I really recommend NGINX Proxy Manager as I started out that way. NGINX Proxy Manager has a well designed GUI. In fact it is so well designed that most of the options are self-explanatory.
As I learned nginx and became better with it, I decided to decommission NPM in favor of a pure nginx environment because I am actually faster on the command line than a GUI. The hardest part for me was getting the WireGuard tunnel built between my home server and my cloud VM. That more pointed out to the fact that I didn't have a good grasp of how firewalld works and firewalld is used in Alma Linux which is on my cloud VM. That was the real challenge.
I'm sure it's also doable via your own vps, but I think most people are talking about managed systems like cloudflare tunnels https://www.makeuseof.com/use-cloudflare-tunnel-expose-local-servers-internet/
Just wanted to add this link explaining how to use tunnels in a more privacy respecting way
https://help.nextcloud.com/t/is-cloudflare-tunnel-safe-privacy-focused/150268/2
Problems with TLS (free option of routing on cloudlfare tunnels)
interception (or HTTPS interception if applied particularly to that protocol) is the practice of intercepting an encrypted data stream in order to decrypt it, read and possibly manipulate it, and then re-encrypt it and send the data on its way again. This is done by way of a “transparent proxy”: the interception software terminates the incoming TLS connection, inspects the HTTP plaintext, and then creates a new TLS connection to the destination.
I’ve used this and it’s really easy