3 Methods to Set Up a Reverse Proxy on a Home Network

Post Time: 2025-04-29 Update Time: 2025-04-29

A reverse proxy sits between the internet and your home-hosted services—websites, media servers, IoT dashboards—and routes incoming requests to the correct internal server based on domain or URL path. It provides a single public endpoint, handles SSL/TLS, adds security controls, and can cache or load-balance traffic. This guide walks through three popular options—NGINX, Apache, and Caddy—with crystal-clear steps so even total beginners can set it up.

What Is a Reverse Proxy?

A reverse proxy is a gateway server that:

  • Receives all external requests at a single public address
  • Forwards each request to the appropriate backend service (e.g., Plex, Home Assistant)
  • Returns the response from the backend to the client

Unlike a forward proxy (which hides client identities), a reverse proxy hides your internal network structure and consolidates access.

Why Set Up a Reverse Proxy on a Home Network?

1. Single Access Point

Consolidate multiple services under one domain (e.g., home.example.com/media → Plex, /iot → Home Assistant).

2. Centralized SSL Management

Terminate HTTPS once at the proxy using Let’s Encrypt, rather than on each service.

3. Enhanced Security

Shield backend servers behind firewall rules, enforce authentication, and filter traffic.

4. Load-Balancing & Caching

Distribute requests across multiple instances or cache static content to save bandwidth.

5. Dynamic DNS & NAT Traversal

Works seamlessly with dynamic IP services—no manual reconfiguration if your ISP IP changes.

Planning Your Setup

Use Cases

  • Remote access to Plex, Nextcloud, Home Assistant
  • HTTPS termination via Let’s Encrypt
  • Single entry-point for multiple apps (subdomains or subpaths)

Software Choices

  • NGINX: High performance, extensive community support
  • Apache: Familiar for those with LAMP stacks, rich module ecosystem
  • Caddy: Automatic HTTPS, minimal config

Prerequisites

  • A home server or Raspberry Pi with a static LAN IP (e.g., 192.168.1.10)
  • Router port-forwarding set for TCP 80 and 443 → that IP
  • Up-to-date Ubuntu/Debian or similar OS

bash

sudo apt update && sudo apt upgrade -y

Set Up a Reverse Proxy on a Home Network

Method 1: NGINX Reverse Proxy

1. Install NGINX

bash

sudo apt install nginx -y

2. Configure HTTP Proxy

Edit /etc/nginx/sites-available/reverse.conf:

nginx

server {
    listen 80;
    server_name plex.example.com;

    location / {
        proxy_pass http://192.168.1.20:32400;   # Plex on LAN
        proxy_set_header Host $host;             # keep the hostname the client requested
        proxy_set_header X-Real-IP $remote_addr; # client IP as seen by the proxy
    }
}

Enable the site and reload:

bash

sudo ln -s /etc/nginx/sites-available/reverse.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx

3. Add HTTPS with Let’s Encrypt

bash

sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d plex.example.com

Follow the prompts; Certbot edits your NGINX config and sets up automatic renewal.

Troubleshooting

  • 502 Bad Gateway → ensure target service is running on the LAN IP/port.
  • Port 80 in use → stop the conflicting service or move it to another port.

Method 2: Apache Reverse Proxy

1. Install Apache & Enable Modules

bash

sudo apt install apache2 -y
sudo a2enmod proxy proxy_http proxy_balancer lbmethod_byrequests ssl

2. Configure Virtual Host

Edit /etc/apache2/sites-available/reverse.conf:

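apache

<VirtualHost *:80>
    ServerName nextcloud.example.com

    # Pass the client's Host header through to the backend
    ProxyPreserveHost On
    # Forward every path to Nextcloud on the LAN
    ProxyPass / http://192.168.1.30:8080/
    # Rewrite backend redirects so they point at the proxy, not the LAN address
    ProxyPassReverse / http://192.168.1.30:8080/
</VirtualHost>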

Enable and reload:

bash

sudo a2ensite reverse.conf
sudo systemctl reload apache2

3. Enable HTTPS

bash

sudo apt install certbot python3-certbot-apache -y
sudo certbot --apache -d nextcloud.example.com

Certbot will configure Apache's SSL directives automatically.

Troubleshooting

  • Check /var/log/apache2/error.log for detailed errors.
  • Ensure mod_proxy_http is loaded.

Method 3: Caddy Reverse Proxy

1. Install Caddy

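bash

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl gnupg
# apt-key is deprecated and trusts the key for every repository;
# store the Caddy key in its own keyring instead.
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy -y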

2. Write Your Caddyfile

Edit /etc/caddy/Caddyfile:

Caddyfile

plex.example.com {
    reverse_proxy 192.168.1.20:32400
}

nextcloud.example.com {
    reverse_proxy 192.168.1.30:8080
}

Caddy handles HTTPS automatically.

Reload Caddy:

bash

sudo systemctl reload caddy

Troubleshooting

  • DNS must point *.example.com → your public IP.
  • Check journalctl -u caddy for runtime errors.

Advanced Topics

1. Geo-Routing & Failover

Use DNS-based load balancing to route traffic through the fastest edge node before it hits your reverse proxy.

2. Security Hardening

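Add HTTP response headers in NGINX (add_header X-Frame-Options SAMEORIGIN;) or Apache (Header always set Strict-Transport-Security "max-age=31536000;", which requires mod_headers: sudo a2enmod headers) to reduce attack surface: X-Frame-Options blocks cross-origin framing (clickjacking), and Strict-Transport-Security makes browsers insist on HTTPS for the site.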

3. Monitoring & Logs

Feed NGINX/Apache/Caddy logs into Grafana via a local metrics exporter for real-time dashboards.

Conclusion

Each solution has strengths:

  • NGINX: Best for fine-tuned performance and flexibility.
  • Apache: Great for those already on LAMP stacks.
  • Caddy: Ideal for newcomers—automatic HTTPS and minimal config.

On a home network, Caddy’s simplicity is ideal for novices, while power users may prefer NGINX’s fine-grained tuning. Keep systems updated, secure your TLS keys, and monitor access logs to catch anomalies early.

FAQs

1. What’s the difference between a forward and reverse proxy?

A forward proxy sits between client and internet, while a reverse proxy sits between internet and your servers.

2. How to secure the reverse proxy?

Enforce HTTPS, add security headers, limit allowed hostnames, and enable rate limiting.
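The four measures above, together with the headers from Security Hardening, applied to the Plex proxy from Method 1. This is an added example, not configuration from the original guide; the zone name perip, the rate values, and the X-Content-Type-Options header are assumptions, and the certificate paths are Certbot's default locations.

```nginx
# Added example, not from the original guide. Assumptions: Certbot already issued
# the plex.example.com certificate; the stock sites-enabled/default is removed
# (it also claims default_server); zone name and rates are illustrative.

# http-context directive; files in sites-enabled are included inside http {}.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

# Limit allowed hostnames: anything that is not a configured site lands here.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # needs NGINX 1.19.4 or newer
    return 444;                # close the connection without sending a response
}

# Enforce HTTPS: port 80 only redirects.
server {
    listen 80;
    server_name plex.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name plex.example.com;

    ssl_certificate     /etc/letsencrypt/live/plex.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plex.example.com/privkey.pem;

    # Security headers; "always" also applies them to error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        # Rate limiting: 10 requests/s per client IP, bursts of 20, excess gets 503.
        limit_req zone=perip burst=20 nodelay;

        proxy_pass http://192.168.1.20:32400;   # Plex on LAN
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run sudo nginx -t before reloading, and raise the rate and burst values if legitimate clients start receiving 503 responses.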

3. Which router ports must be forwarded?

Forward TCP 80 and 443 from WAN to your proxy server’s LAN IP.

4. Can one reverse proxy serve multiple domains?

Yes. Use multiple server blocks, each with its own server_name (NGINX), multiple VirtualHost blocks (Apache), or list each site in your Caddyfile.

5. How to fix “502 Bad Gateway” errors?

Ensure the backend service is running, verify the proxy_pass IP and port, and check firewall rules.
