Reverse Proxy Architecture: Nginx Proxy Manager and SSL in a Homelab

Implementing a reverse proxy using Nginx Proxy Manager with SSL, domain routing, and internal service access in a homelab.

This post focuses on the reverse proxy layer in my homelab, using Nginx Proxy Manager to manage routing and SSL.

As more services were introduced, managing access via IP addresses and ports quickly became impractical. A reverse proxy provides a central entry point, allowing services to be accessed via clean domain names while also handling TLS encryption.


Reverse Proxy Architecture

Traffic flows through the system as follows:

  • Client → Cloudflare
  • Cloudflare → Nginx Proxy Manager
  • Nginx Proxy Manager → internal services

Internet
   ↓
Cloudflare (DNS + Tunnel + SSL)
   ↓
Nginx Proxy Manager (Reverse Proxy)
   ↓
-------------------------------------
|           Docker Host             |
|-----------------------------------|
|  Ghost (blog)                     |
|  Next.js (site)                   |
|  Other services                   |
-------------------------------------

Simplified request flow through the reverse proxy layer

Internally, services are accessed using local DNS records that resolve to the proxy.


Why Use a Reverse Proxy

Without a reverse proxy, each service would require direct access via IP and port.

Using a reverse proxy allows:

  • Clean URLs (e.g. blog.domain.com)
  • Centralised SSL management
  • Simplified routing to services
  • Reduced exposure of internal ports

This significantly improves both usability and control.


A reverse proxy becomes essential once multiple services are running, as it standardises how they are accessed and secured.


Nginx Proxy Manager

Nginx Proxy Manager provides a simple interface for managing reverse proxy rules.

Key capabilities include:

  • Host-based routing
  • Automatic SSL certificate provisioning (Let's Encrypt)
  • HTTP to HTTPS redirection
  • Basic access control

It removes the need to manually configure Nginx for each service.


SSL and TLS

SSL certificates are managed through Let's Encrypt.

Each service is exposed over HTTPS, with certificates issued and renewed automatically.

This ensures:

  • Encrypted traffic
  • Trusted connections in browsers
  • No manual certificate management
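Automatic renewal is only as good as the last renewal run, and a failed run is usually noticed when the certificate has already expired. The script below is an added example (not code from the original post or from Nginx Proxy Manager) that connects to each proxied hostname, pulls the leaf certificate, and reports how many days remain and whether the name is actually covered by the certificate's Subject Alternative Names. The hostnames, the warning threshold and the sample certificate dictionary are placeholders constructed for illustration.

```python
"""Certificate expiry and name-coverage check for hosts behind the proxy.

Added example, not part of the original post. Because the default context
verifies the chain, an already-expired or mismatched certificate fails the
handshake outright; the countdown below is meant to catch a stalled renewal
well before that happens.
"""
import socket
import ssl

# Placeholders: replace with the real proxied hostnames.
HOSTS = ["blog.example.com", "site.example.com"]
WARN_DAYS = 14  # Let's Encrypt renews around 30 days out; anything under this is suspicious

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "blog.example.com"),),),
    "subjectAltName": (("DNS", "blog.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}


def fetch_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection with SNI and return the peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now_ts=None):
    """Whole days until notAfter (negative once expired). now_ts is epoch seconds."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_ts is None:
        import time
        now_ts = time.time()
    return int((expires - now_ts) // 86400)


def covers_hostname(cert, host):
    """True if host matches a DNS SAN entry. A wildcard covers exactly one label:
    sub.example.com matches *.example.com, a.b.example.com and example.com do not."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value.startswith("*."):
            if "." in host and host.split(".", 1)[1] == value[2:]:
                return True
        elif value == host:
            return True
    return False


def assess(host, cert, now_ts=None):
    """Return (days_remaining, [problem strings]) for one host/certificate pair."""
    days = days_until_expiry(cert, now_ts)
    problems = []
    if not covers_hostname(cert, host):
        problems.append("name not covered by certificate SANs")
    if days < 0:
        problems.append("certificate expired")
    elif days < WARN_DAYS:
        problems.append(f"expires in {days} days; renewal may be failing")
    return days, problems


if __name__ == "__main__":
    for host in HOSTS:
        try:
            cert = fetch_cert(host)
        except (OSError, ssl.SSLError) as exc:
            # Verification failures (expired, wrong name, untrusted issuer) land here.
            print(f"{host}: TLS connection failed: {exc}")
            continue
        days, problems = assess(host, cert)
        print(f"{host}: {days} days remaining" + (f" -- {'; '.join(problems)}" if problems else " OK"))
```

Run it from a cron job on a LAN host and alert on any non-OK line; the point is to watch the proxy's renewal job from outside rather than trusting it silently.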

Internal vs External Access

Services are accessible both internally and externally:

  • External access is routed through Cloudflare and the proxy
  • Internal access uses local DNS and resolves directly to the proxy

This ensures consistent access patterns regardless of location.


Issues Encountered

One challenge was ensuring that internal DNS and external routing behaved consistently.

Misconfigured DNS or proxy rules can result in services being reachable externally but not internally, or vice versa.

Understanding how DNS resolution and proxy routing interact was key to resolving these issues.
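The "reachable from one side but not the other" symptom almost always reduces to one of three faults: the internal DNS record is missing, it points somewhere other than the proxy, or the proxy has no host rule or certificate for that name. The script below is an added example (not from the original post or from Nginx Proxy Manager) that separates the first two from the third: it resolves each hostname from the machine it runs on, classifies the answer against where the record should point for that vantage point, and, on the LAN, probes the proxy directly with the correct SNI and Host header (the same idea as curl --resolve). The proxy address, hostnames and the fake resolver answers are placeholders constructed for illustration.

```python
"""Split-DNS consistency check for services behind the proxy.

Added example, not part of the original post. Run with --lan from a LAN client
(expect every name to resolve to the proxy) and without it from outside (expect
every name to resolve to the public/Cloudflare path, not the proxy).
"""
import socket
import ssl

PROXY_IP = "192.0.2.10"  # placeholder: LAN address of Nginx Proxy Manager
HOSTS = ["blog.example.com", "site.example.com"]  # placeholders


def resolve_all(host):
    """IPv4 addresses the local resolver returns for host; empty set on NXDOMAIN/SERVFAIL."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
        return {info[4][0] for info in infos}
    except socket.gaierror:
        return set()


def classify(host, answers, proxy_ip):
    """Classify one resolver answer.

    internal   : only the proxy address (what a LAN client should see)
    external   : resolves, but not to the proxy (public path; correct off-LAN, on-LAN it
                 means requests hairpin out through Cloudflare instead of hitting the proxy)
    mixed      : proxy and non-proxy answers together (stale or duplicated records)
    unresolved : no answer at all (missing internal record, or external DNS not published)
    """
    if not answers:
        return "unresolved"
    if answers == {proxy_ip}:
        return "internal"
    if proxy_ip in answers:
        return "mixed"
    return "external"


def check_hosts(hosts, proxy_ip, on_lan, resolver=resolve_all):
    """Return {host: (classification, matches_vantage_point)}."""
    expected = "internal" if on_lan else "external"
    report = {}
    for host in hosts:
        kind = classify(host, resolver(host), proxy_ip)
        report[host] = (kind, kind == expected)
    return report


def probe_proxy(host, proxy_ip, timeout=5.0):
    """HEAD / sent straight to the proxy with SNI and Host set to `host`.
    Returns the HTTP status code. A certificate error or a 404/502 here, with DNS
    already correct, points at the proxy host rule rather than at DNS."""
    ctx = ssl.create_default_context()
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((proxy_ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            status_line = tls.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")
    return int(status_line.split()[1])


if __name__ == "__main__":
    import sys
    on_lan = "--lan" in sys.argv
    for host, (kind, ok) in check_hosts(HOSTS, PROXY_IP, on_lan).items():
        print(f"{host:30} {kind:11} {'OK' if ok else 'MISMATCH'}")
        if ok and on_lan:
            try:
                print(f"{'':30} proxy answered HTTP {probe_proxy(host, PROXY_IP)}")
            except (OSError, ssl.SSLError) as exc:
                print(f"{'':30} proxy probe failed: {exc}")
```

Running the same script from both sides of the network gives a direct answer to "is this a DNS problem or a proxy problem", which is the distinction the troubleshooting above hinges on.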


Key Learnings

  • Reverse proxies simplify service access significantly
  • Centralised SSL management reduces operational overhead
  • DNS and proxy configuration must be aligned
  • Small misconfigurations can cause hard-to-diagnose issues

What’s Next

The next area to explore is how services are deployed and managed using Docker, including container structure and networking.