Cloudflare tunnel vs reverse proxy reddit

Hello Reddit! Recently I've got myself back into the self-hosting hobby and setup Nextcloud on a server i built myself. com (or something like that). 1. Just make sure the SSL setting in your Cloudflare dash is correctly aligned with the security of your backend. That Cloudflare server accepts any incoming connections, and relays the connection through the VPN back to your home server. So, I implement something like this using SSH. This can help to reduce the attack surface of your network, as you are not exposing any ports directly to the internet. hey, i'm still a noob in the homelab area and i tried to make some apps like nextcloud publicly available thorough reverse proxy and port opening with Nginx proxy manager (NPM) but i knew that this is a security risk so, i said that i will access my home network with a vpn so i was wondering if i setup headscale with cloudflare tunneling Cloudflare Tunnel stops Reverse Proxy from working. com you would rename your swag container: swag. Thanks. It’s a lot easier to remember because if you want to access Portainer you just type portainer instead of a number you associate with portainer. It only does TLS hop-to-hop encryption, not end-to-end. To add a service to my proxy I just create a cname and remove the . markv9401. Cloudflared is more like a cloud-hosted reverse proxy. Cloudflare Argo Tunnel is a well a tunnel - you connect to it rather than it connecting to you. home. Your endpoint is a random IP address that's (AFAIK) not indexed and certainly not easily guessible. Twingate's connector is ok, but flaky in my experience. web browser) requests to those web servers. cloudflare tunnel -> authentik proxy -> sonarr, radarr, proxmox, etc Most things will be running in containers, virtual machine, or both. p. Because WARP creates a tunnel to my home In cloud flare tunnel create the *. To. 17. Award. I have a container called Cloudflare-DDNS that updates mine. You can access your homelab services via your real domain without internet, whether those services need internet or not to function is another story. More secure and private Subway container connects to the Docker daemon, and if a container with the subway. Nabu Casa also provides direct access to the HA device. On your local, you can then use, ssh -R *:80:localhost:8000 remote. When used in conjunction with identity and endpoint security providers, a reverse proxy can be used to grant network access to web-based applications. I've never used Authelia. Allow access to specific computers and not the entire subnet - even if those computers are on DHCP. The NPM admin page runs on port 40081. I almost go nuts looking through security logs. So, basically I have a reverse proxy on the VPS pointing everything to the reverse proxy on the Raspberry PI. Pair that with cloudflare and use their DNS and SSL (there are other things they offer you can implement but those are the main 2 imo). sample from the config file. If you run the reverse proxy on the VPS then the VPN tunnel should be very easy to configure since then the home server only needs to accept specific addresses used by the VPS via the tunnel. com and maybe subdomain for your service. The only way you'll get around opening up a port of some kind (whether it's configured directly in Plex, a reverse proxy, a VPN, etc. 0. My intuition has been that Tailscale is more secure but less convenient. com A reverse proxy is a server that sits in front of web servers and forwards client (e. 1 app to access my Plex Server + all my work and school resources from anywhere. We would like to show you a description here but the site won’t allow us. I first started off with Ibracorp's video NGINX Proxy Manager: How to Install and Setup Reverse Proxy on Unraid which does require you to have the ports forwarded. me ). And the information with maintain encryption out of cloudflares prying eyes? No, Cloudflare will see everything, including passwords, 2FA codes, and session cookies. Com cname with target to the tunneluid. • 2 yr. Get an account at https://tailscale. The logical plan here would be either: host Tailscale (no need to bother with a VPS) and watch most of your problems go away. Select the domain you wish to protect. CloudFlare is vulnerable to this by default as well. I used to use Both… VPN for me to access things like Radarr, Sonarr and system stuff. Requires a VPS as far as I understand it. Proton Pass is a free and open-source password manager from the scientists behind Proton Mail, the world's largest encrypted email service. You have one tunnel, and you configure multiple endpoints based on where the tunnel daemon is running. The main technical difference between Nabu Casa and Cloudflare is in privacy, not security. Additionally, Cloudflare tunnels include security features haproxy running (for proxy protocol), which passes incoming traffic to localhost:something on that machine Hi! I'm doing the same except I don't use haproxy. I setup a Cloudflare tunnel and have my subdomains point to that record as cname records (so sub1 next step (i am thinking) is to get a cheap vps, setup vpn between that and unraid and forward requests from vps to unraid with something like nginx. Cloudflare is "easier" because you don't have to worry about updating your public IP address in DNS. If we stick to the example with Portainer you can call the url portainer. So it was a no-brainer for me to stick with Nginx as my load-balancer / ssl termination / reverse proxy at home too. Every service to each own example. I would like to avoid vpn's, just a reverse proxy that points directly to my router/network. It feels like you just click a few buttons and save hours of configuration time. I currently use Cloudflare Zero Trust, but I've got authentication set up at Cloudflare to protect Immich and my other apps from being viewed publicly. cdhamma. No thank you. This may be true in your case as well. Another one it offers is Gateway, by which you can use to encrypt your entire DNS traffic and also can use it for The tunnel should be as dumb as possible, let the config go direct in NPM and then you can concentrate on that alone, as the community and documentation behind NPM is orders of magnitude better than it is for the Tunnel. If so, then a reverse proxy is probably better. The Synology DDNS certs allow for easy wildcard signing too, meaning you only need the one cert for ALL of your reverse proxy hosts. ADMIN MOD. I don't have snapshots setup yet but it's something I might do in the future. Best not to make things complicated by having to many level of proxies. net) and one for the domain cloudflare points If you want a Cloudflare Tunnel alternative, the Self-Hosted Gateway is what I'm using to expose Jellyfin without opening ports 80 and 443 on my network. com). (With local Cloudflare Tunnels Are So Awesome. At this point, the containers should be accessible via the addresses https://tautulli. 2. So not applicable with other protocols on other ports like ssh. Its actually easier to troubleshoot without the proxy. Apache c. com pointing to the proxy manager, on the dns setting for the domain create the *. s. Secondly, there are THOUSANDS of tutorials out there on reverse proxies. Cloudflare Tunnel is not a very good practice for security: first of all it leaves your origin server in your local network unprotected, and it also let CLoudflare see all your decrypted network. Tailscale is really helpful if you need to: Setup a private network among computers who are not on the same network. 0 release that includes a new TMDB API/image caching system, I was struggling with very slow Don't recommend this by default. Of course proxy is fine for internal access via friendly names - example: plex. (Ryzen 7 5700X, Nvidia RTX 2060 Super, 50 GB RAM XMP enabled - orwhatever the name is on AMD side) Running Debian Stable Bookworm. Then, assuming it acts as a reverse proxy, you can have it proxy the connection to the backend apps. Proxy. cfargotunnel. NGINX Proxy Manager will give you more control, because you're not relying on any third-party infrastructure. GatewayPorts yes. WARP tunnel is essentially an overlay network (like tailscale but a bit different) using wireguard and you do NOT need to add firewall rules to use it. If you are pushing all of your internet through the VPN when you are remote, you'll see some slow down most likely. I use the vpn in combination with the reverse proxies. If you need a reverse proxy for your self hosted stuff I recommend and use nginx proxy manager aka npm. i haven't actually done this yet but people have similar setups so I think it would work. VPS to Reverse Proxy using VPN. ) Essentially a mesh based VPN. User-Friendliness: Cloudflare Tunnels excels in ease of setup, especially for users already utilizing Cloudflare services. lsio-test. I use Cloudflare's proxy professionally, and it's fantastic. g. This in theory should work however. Cloudflare is a reverse proxy on its own. Some remote locations will block types of VPN ports/URLs, so you could be SOL if you can't connect. Unraid is nowhere in my reverse proxy or externally facing strategy. Learn how to use Cloudflare Tunnel with Nginx Proxy Manager on Reddit, with user discussions and questions. I also have Authelia set up to provide additional security for certain services. I see no benefit in going through a reverse proxy for CF tunnel. mydomain. Despite a lot of reverse proxy methods in the world, unfortunately, none of them are actually easy-to-use in my opinion. cloudflare. Most homelabs won't have as much bandwidth their remote location. I use traefik, but unless you focus on ONE reverse proxy, and learn it, you're going to just be spinning your wheels here. It should be possible to do though on your servers end with a reverse proxy. Conversely, Cloudflare Argo is used to provide a private tunnel from a target server to Cloudflare’s network, allowing the server to be publicly available while hiding the true endpoint. These issues may or may not be relevant for you, but I ended up using Cloudflare with Cloudflare Tunnel (free tier). I installed cloudflare tunnel, and put the internal ip (10. You have Nginx/Traefik in your network. About a half dozen sites are INTENTIONALLY tunneled to allow CloudFlare is already a reverse proxy as it can help to regulate traffics to your server and also block attacks. Then you go into your reverse proxy and forward specific subdomains to specific things you want to be accessible. At the moment, I use Cloudflare Tunnels, but I may switch to NGINX Proxy Manager or Traefik someday. My solution here was to set up another reverse proxy on the Raspberry Pi. 222:51821) with public host name (wg-easy. You run a program on your server that punches out to Cloudflare, then Cloudflare sends traffic they receive back down that tunnel. YOU create the origin certificate locally (not Cloudflare). hey, i'm still a noob in the homelab area and i tried to make some apps like nextcloud publicly available thorough reverse proxy and port opening with Nginx proxy manager (NPM) but i knew that this is a security risk so, i said that i will access my home network with a vpn so i was Cloudflare Tunnel as reverse proxy and exposed ports on HTTP. 0. That being said, I didn't changed the proxy_pass from http to https. example. See full list on blog. To be clear, I am running my domain on cloudflare. For whatever reason, VPN cramps limits network speed so incredibly bad and VPN is flaky on staying connected, even when using apps like Viscosity w/ OpenVPN. 1 app to access my work/study resources while in lockdown. The solution is not to reverse DNS at all! HTTPS and http have the “host” header. I use Cloudflare Tunnels (with cloudflared) and create a tunnel directly to my Plex machine IP (no need for Synology DDNS, nor Cloudflare certificate). Cloudflare points several subdomains as CNAME records to the Synology DDNS-domain ( mydomain. Cloudflare Tunnels (or any DNS setup with a reverse proxy) will get you convenience. I simply created the following DNS policy, and followed this tutorial, and now I can use the 1. Now that is changed, works well. It's (exactly) like connecting to a VPN and then they reverse proxy traffic to you through the VPN, for a specific set of ports. use the command in second command block in the link i gave under step1/ip forwarding to unraid The reason why i recommend running your own reverse proxy (even in addition to using cloudflare tunnels for remote access) is for the local access and without the network latency. mycustomdomain. I've set this up using OAuth2_Proxy and Keycloak. I work with Big-IP F5 at work (a fancy expensive specialized hardware about Nginx and then some more, basically). On the other hand if you already use Cloudflare as your DNS you could configure your firewall/ISP-modem to only allow traffic coming from the public IPs from Cloudflare so you won't need Cloudflare Tunnel. Configuration took ~10-15 min and the UI/UX is top notch. ) Still figuring out how to add additional services to the gateway. With that said, it won't help you much with your intranet - and if you're going to configure a reverse proxy for your intranet, I'd point the cloudflare If the tunnel terminates in a docker container on the docker on the raspberry pi, it is unable to connect to the NAS, despite it having a bridge network. While Nginx Proxy Manager doesn’t have integrated security features, it supports SSL/TLS certificates for encrypted connections. me name. yaml to create the tunnel. Caddy d. e. Running some services at home in docker environment and having a (free) VPS which is connected as a VPN client to my local network, running a reverse proxy (nginx proxy manager) and exposing my services to the internet over this VPN. Then on the proxy manager do what you always do. ago. 1. Port forwarding and global API key with cloudflare and wildcard certs. Externally your connections to public names (Cloudflare or Tailscale) connects to the same servers as everyone else. I found an article on how to do this by using a cloud VPS that would cost around 5 Euros per month (Hetzner, Contabo). SWAG Both NPM and SWAG leverage nginx and other tools to make the process easier and/or faster, sacrificing control (mostly). Email nags about needing to update the connector and having to go through all that. I had my swag set up in about 5 minutes. In the DNS settings, make sure that all A, AAAA, and CNAME 24 records are proxied through Cloudflare. 2 options to open up WireGuard: Tunnel from a Cloudflare tunnel proxy into a docker container host Open a port on router and forward Just setup it up so it points directly to the IP & port of the app you want to expose via CF tunnel. There's no reason to even use a custom domain since Plex automatically handles TLS certificates issued for the plex. Original way that I learned was to use cloudflared docker and then configure on config. Swedophone. domain. The authentication part, Geoblocking and the fact that I don't need to open any ports on my firewall were the major factors for me switching. One of the biggest reasons not to use Cloudflare tunnels or proxy if you are concerned with that. The Cloudflare connector is a service as well Cloudflare Proxy vs Cloudflare tunnel performance. Main advantage being is that I can have multiple services running on multiple subdomains without opening any ports, especially ports 80/443. com. Yes, this sets up an outgoing VPN connection to a Cloudflare server. The public key is advertised by Cloudflare so the encryption happens at the client and the decryption at the reverse proxy. I have reached a wall with selfhosting a git server and that is using it with SSH However for HTTP/HTTPS services, CloudFlare works great, is free, and is very cheap in terms of yearly domain renewals. My local ISP has stupid routing. Before the latest 1. EDIT2: 2nd problem also solved, as somebody here on Reddit said, the issue was between the chair and keyboard. Hey guys, I recently found out that my ISP is blocking ports and have therefor decided to expose my services via Cloudflare's Argo Tunnels instead (since that requires no ports to be exposed). And that Nabu Casa supports the development of HA. This is indeed particularly useful if your IPv4 is behind CG-NAT (i. Cloudflare tunnels work by creating corresponding DNS records for each service. Linkerd is for load balancing between cloudflared -> app servers in cluster. Let me know if you want me to post my tunnel config file for reference. Reverse proxy using NPM or SWAG (or traefik or caddy) in a docker container (Syno inbuilt reverse proxy is ok, but you get more functionality from the others). (If you are going to forward a port via the VPN tunnel then the home server needs to accept any source address. Cloudflare tunnels can be a useful way to securely expose services running on your home network to the internet without the need for port forwarding on your router. com and install the client on both computers. The method I was using was pointing to SWAG in which SWAG will point back to a container. HAProxy b. Jun 19, 2022 · Reverse proxies are typically implemented to help increase security, performance, and reliability. direct domain. FYI - If you're running Overseerr behind cloudflare and a reverse proxy. So I guess my question is about the potential dangers of making the Immich app accessible publicly via Cloudflare Tunnel with no authentication. If you don't have an own public IP or some sort of DynDNS solution, Cloudflare Tunnel should be the easiest way to expose things. “Cloudflare Load Balancer” can help load balance traffic from Cloudflare PoPs to your cloudflared instances. If you see a gray cloud icon, click on it to switch to the The tunnel acts as dynamic dns of sorts too, so that even if your WAN IP is dynamic the tunnel will maintain the connection when it changes. My Plex configuration is very simple: Remote Access: Not enabled/configured For the reverse proxy, I installed Nginx Proxy Manager as a Docker container (using Portainer) on my Ubuntu server with port 40443 forwarding to port 443 and 40080 to port 80 using an SSL Certificate through Let’s Encrypt. Reverse proxies are typically implemented to help increase security, performance, and reliability. By stacking it on top of NGINX Reverse proxy you are essentially double reverse proxying. I'm using traefik reverse proxy with cloudflare DNS. Do all VPSs have static IPs or do I still need DDNS? But they get pointed to the reverse proxy, not to the unraid management interface. Nobody knows your IP but Cloudflare. Traefik e. nginx e1. However, I was also reading that such a functionality exists for free on CloudFlare, there's no need to pay a VPS for that. Then used Reverse proxy with SSL for things like Overseerr and Ombi for a few family members. Direct link to my cloud instance in Frankfurt has an average speed of 60 Mbit/s, but when I use CloudFlare WARP the speed exceeds 200 Mbit/s. I'm just sad they made it a paid feature. You can also utilize dynamic DNS (DDNS) for your home server via a DDNS script (i. , where you can set up outgoing connections, but cannot accept incoming connections). Both allow you to pick ports from a limited list. (I'm using a $5 Linode VPS, so it's cheap to run it. Slower internet. I would say a revrse proxy is AS much work to set up as this is. (I don't know if it does; I'm just suggesting the kind of questions you should consider). You need to settle on one and find a tutorial just for that reverse proxy method. homemade or DuckDNS) for auto-updating your IP address and domain on CloudFlare and also utilize a Lets Encrypt (LE) script for auto-renewal If you want to be able to communicate directly with your server, that server will need to open something up to allow incoming connections. Just realized this is method works for per subdomain - container. Traffic is then forwarded to nginx proxy manager to route internally (and most importantly log the traffic) then crowdsec parses the logs to check for any malicious activity and will auto-ban any that it I have a Cloudflare Tunnel that connects to NPM using a Cloudflare Origin Cert. Tailscale is a better alternative, but not quite in the "self-hosted" philosophy as it relies on distant cloud servers. Koto137. They work together. Reverse proxies are a standard way to expose internal services, and as long as your using tested software to do this, its no riskier than a VPN. use a vps (oracle has a very generous free tier) and run wireguard, then use some iptables rules to forward inbound traffic that hit the vps on certain ports to the correct system's ip over the wireguard tunnel Cloudflare tunnels Reverse Proxy (like NPM) w/ DDNS provider (like cloudflareddns by hotio, or duckdns by linuxserver) and Cloudflare as the DNS provider The last method I have heard of is Cloudflare DNS to VPS to Reverse Proxy to Unraid. Assuming youve got your NGINX Reverse proxy working and have a DNS record setup pointing to NGINX on Opnsense, then you should just point your cloudflare proxy to the same. As title suggests, I just spent a few hours getting local RP to work only to find that even on Tailscale, WiFi, or Tailscale with ( (LOCAL)) WiFi, my reverse proxy only works on desktop machines (MacOS, a local Pi, and Windows). As in the past, many Uptime Kuma users kept asking how to config a reverse proxy. I followed these steps to configure NPM with Overseer https://smarthomepursuits Apr 28, 2022 · Both will have proxy turned on. My services are hosted as docker containers You can avoid using reverse proxy 100% (I use dashy in my LAN segment) and "punching holes" by using Cloudflare WARP tunnel which is on overlay network over cloudflared. I saw a poll on here asking how people access their selfhosted resources and only options were VPN or exposing to the web. Cloudflare Tunnel and reverse proxies are two different things. Allow VPN connectivity even if one/more/all of the machines is/are behind NAT. It's setup from the inside out next to your server and doesn't require ports ro open like a rp does. It forwards http/s traffic for a host name directly to a device in your home network. I want to use wg-easy on my server and want to access its web panel from outside. synology. server. You either expose these reverse proxies to internet, with DNS names pointing to your public IP, or you can use cloudflare tunnel to hide your public IP behind the tunnel. However you likely don’t need this load balancing since cloudflared hardly uses any resources in the first place. The benefit of bypassing nginx is that you don't even need to bother with the Let's Encrypt certs if you don't want to. In order to *not* enable "No TLS Verify" in the cloudflare console you can rename your swag container to match the domain on your certificate (I am assuming you are using a wildcard cert). Yes, direct all traffic from the tunnel to your Authelia host (assuming it works as a reverse proxy, I've never used it). Since your uni network is dropping incoming connections, Cloudflare Tunnel's incoming connections would also be dropped. Eventually you might get rid of the said reverse proxy as it isn’t really necessary There are a few reverse proxy solutions, most people use one of these: a. However there will be no authentication yet. Cloudflare Zero Trust has many useful tools offered for free. NPM (Nginx Proxy Manager) e2. You can shorten your request matchers by making them one-liners (removing the braces) if they only use one type of matcher. ) is routing all your streams through Plex's bandwidth-limited relay, which is not a good experience unless you're okay with . Cloudflare One includes one of the world’s most-used reverse proxies, which processes over 1. If you are worried about this, skip the cloudflare tunnel and/or the cloudflare proxy and set up a wireguard vpn tunnel home. GatewayPorts no. HeadScale without reverse proxy under Cloudflare tunnel. Best reverse proxy. I no longer use the Reverse Proxy I switched to a Cloudflare tunnel so no more opening ports for the proxy. com and https://overseerr. No need for nginx proxy manager Bypassing a CGNAT. It's somewhat difficult as I am using btrfs and Proxmox support for btrfs is limited. Cloudflare Tunnel is basically a reverse-proxy managed by Cloudflare. But while I was going through that I saw people mention the updated process using cloudflare's argo tunnel, which you correctly said does not require forwarding ports. All you need is 80 and 443 open. My reverse proxy at home starts an ssh connection to the VPS and forwards packets destined to ports 80 and 443 of the VPS back to itself. All of these services are used by other people. There is always a risk, but both Nginx and OpenVPN will have security issues discovered at some point, you need to make sure you keep on top of watching regardless. I personally use the Traefik reverse proxy that I've configured with Oauth which proxies user if you want a tunnel to expose ports behind CGNAT or something and wanna make sure it's secure, just roll your own solution. Running some services at home in docker environment and exposing them to the internet using cloudflare tunnels. With Cloudflare Tunnel, you don't need any reverse proxy, also you don't even need any self hosting service for authentication, as you can use Cloudflare access for it. I want to point out another option that few people in the homelab/selfhosted community seem to talk about. After seeing a ton of people recommend cloudflare tun's I had to give this a try, and I must admit I am amazed at how incredibly easy this was to set up and how awesome it is. You either forward ports 80 and 443 from your router to your nginx reverse proxy, or you can do a cloudflare tunnel and no ports are required to be forwarded. It should only be used if you're absolutely sure Caddy can only be reached through another proxy which protects you from XFF spoofing. With Tailscale, your services on your UnRAID server can have a lower level of security since you need to be connected to your local reverse proxy with ssl would cloudflare be able to see Oh, sorry, I missed that part. Literally the way they both work is you send your data to Cloudflare and they send it to the client. Meaning, my really secure stuff gets a subdomain, but you have to be assigned an internal IP to access it. Subway container will establish a Subway tunnel for the hostnames supplied in the subway label. I messed around with it for a bit just now, but ran into some trouble. All in all that takes about 30 seconds. Jan 15, 2024 · Security: Cloudflare Tunnels offers built-in security features such as DDoS protection and WAF. If not, and you control all the client devices, then TailScale may be better because it may offer better security. There is no way to reverse lookup a name when they all have the same IP. Here’s a step-by-step guide to help you: Sign in to your Cloudflare account and go to the dashboard. OP, the easiest way is to just drop the CF tunnel either on Docker or standalone and point it to your reverse proxy. Reply. Pass brings a higher level of security with battle-tested end-to-end encryption of all data and metadata, plus hide-my-email alias support. Granted they do offer handy features like free TLS, geolocking, DoS protections, edge caching, hiding your IP, and have a fancy and easy UI around it all. Still need to figure out why all local clients are seen with NGINX reverse proxy IP, but hey, I'm on the right track. You modify on your server ssshd_config changing. I'm quite new at this, and i'm trying to set up a nextcloud instance for a group that lives outside my house Believe it or not, I was already using the Cloudflare WARP / 1. Recently, I just discovered that Cloudflare has added a web GUI for Cloudflare Tunnel which make it super easy to use. Now, I've set up two reverse proxys for each service in the Synology Login Portal: One for the actual domain ( service1. Hi, I need a little help. - Can automatically configure certs for Cloudflare proxied services - No open WAN ports to be compromised Tunnel Cons: - Far fewer configuration options compared to full fledged NGINX or NGINX reverse proxy - Requires several UI clicks to disable certs for services that you'd like to run with SWAG/NPM and LetsEncrypt certs You won’t be able to do it on Cloudflare’s end. So if your domain is: mycustomdomain. Cloudflare as CDN, their free tier is really good. This is indicated by an orange cloud icon. Don't turn on any cloudflare optimization or cache settings other than the defaults that cloudflare puts in place when you import your domain/DNS. Think of it as a VPN provider if you will. . The problem is, the web panel of wg-easy is also But for just regular tunneling you just mark everything with an origin certificate. But I personally think that, for a selfhoster, using their global CDN is just overkill, and can cause more headache than it's worth. Reverse proxies are for http/https traffic. For testing, start a web server, python -m http. Cloudflare tunnels works similarly to a reverse proxy, and negates the need for one. The downside is that your endpoint is a random string of numbers. With a reverse proxy you set up a domain example. I'm using Nginx as a web server everywhere. I've never used HAProxy, Caddy or Traefik. 31. hostname label is active, the tunnel and related DNS are instantly updated. Just pick a random high port number and forward it to Plex's port 32400. When we access Cloudflare's Zero Trust dashboard, we will see the tunnel listed. I was just struggling with this myself, and after Cloudflare is, after all, a proxy and cloudflared is a simple conduit from them to your backend. (Configured on CF). It's more a vpn than a cloud hosted rp. I use my router (dnsmasq) to point all these subdomains to the Traefik reverse proxy. In fact there's no advantage to using a reverse proxy at all since Plex does not need to run in port 443 and manages its own TLS. Then you can reach the other computer by it‘s private IP/MagicDNS name. ca ql ky ni oe dw tv ru wo nr