

Reverse Proxies on OpenWRT
I currently have quite a few self-hosted services running on two machines on my home network; docker, not k8s. Some are LAN-only (or VPN, of course), but quite a few are exposed to the internet via a reverse proxy. I stream media, and have a decent uplink with no ISP filtering, so my current solution is HAProxy on my router, pointing to the various backends.
This works perfectly, and gives better reliability than running something like NPM, Traefik, Authelia, or Authentik on one of my nodes, with port forwarding; in case one node is down, services on the other remain accessible. However, HAProxy on OpenWRT can be a bit limited, and I'd like to be able to get more visibility into traffic as well as add additional authentication.
Has anyone had any luck running a more advanced reverse proxy on the edge device? I have a NanoPi R4S, so it should be more than powerful enough to handle the load, though for simplicity's sake, I'd prefer to stick to relatively vanilla OpenWRT.
For a router, forwarding a port is far lighter than a reverse proxy.
I would forward ports 443 and 80 to a reverse proxy running beside all the other services. The probability of nginx/apache (or maybe traefik or caddy) going down is far lower than that of the OpenWRT hardware getting in trouble.
If I was crazy... perhaps even go down this route:
https://github.com/yrutschle/sslh
It's definitely lighter; agreed about that.
My concern is that it adds another point of failure. My router is pretty much rock solid, but even if it's not, if it's down, game over; nothing will work. That's unavoidable. But what if, say, I had an HD failure, or a power outage and my machine boots to single user mode, or I want to add more RAM, or I accidentally shut it down remotely (yes, those are all true stories!). No reason for services on the second node to be inaccessible.
And I've actually run sslh in the past when I had a rather strict firewall at work :-).
Have you considered running your apps on k8s (or k3s), and then if a node goes down, the apps would be moved to a different node? If you put your reverse proxy with a higher priority than regular apps, it will always find space.
Interesting idea! I need to figure out how persistent volumes would work here... I've only used them on AWS where they're EBS volumes. But that's something to think about.