I’m currently self-hosting several services and looking to harden my setup. I already use Nginx Proxy Manager (NPM) with wildcard Let’s Encrypt certs, but I’m thinking of moving to something more robust with:
A proper WAF (Web Application Firewall)
Deep network monitoring (ideally per-container or per-service)
Possibly some bot protection and anomaly detection (ai scrapping is annoying)
I’ve looked into Traefik, BunkerWeb, and Pangolin. Each has pros and cons, BunkerWeb seems WAF-ready, but has some limitations (SSL setup is nightmare). Traefik is very flexible, but I’d need to add middleware myself (also runing non docker services). Pangolin looks great but werent able to get it work in my setup.
Main goals:
Secure exposure of HTTP(S) services (wildcard certs with Cloudlfare)
Easy rules for blocking bad IPs or patterns
Optional: rate-limiting, automatic fail2ban-style bans
Bonus: nice dashboard or at least logs that make sense
I also have a mix of Docker and bare metal services, so proxying non-container stuff cleanly is important.
My final goal is setup like this: OVH (Reverse Proxy - Firewall) - Tailscale - Hetzner Server)
I’m currently following this guide to setup caddy reverse proxy with coraza web app firewall.
But be warned, this whole rabbit hole of WAF isn’t trivial, some protections don’t work well with some apps (e.g. portainer triggers some rules about system command execution) and it needs some tuning. I personally set it up to learn more about WAFs because I believe it will help me in my career, but I would not blindly recommend it to everyone.
Approaches like crowdsec and fail2ban seem much more suitable for selfhosters – and keep your server software updated.