I see so many posts and people who run NGINX as their reverse proxy. Why though? There’s HAProxy and Apache, with Caddy being a simpler option.

If you’re starting from scratch, why did you pick/are you picking NGINX over the others?

  • MangoPenguin@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    39
    arrow-down
    1
    ·
    4 months ago

    It just works and it’s in every distros default repo, it’s pretty easy to set up and can be a webserver for static files, PHP sites, etc… It can be a reverse proxy for HTTP(s) traffic or just forward TCP/UDP.

    There’s also endless documentation out there for how to do something in nginx.

    HAProxy is a nightmare to use in my experience. It just feels so clunky and old.

    Caddy is nice, but downloading and updating it is a pain because you need modules that aren’t included in the repo version.

    • ____@infosec.pub
      link
      fedilink
      English
      arrow-up
      10
      ·
      4 months ago

      Right there with you on “just works,” as well as the simple fact that the config snippets you need are readily available - either in the repo of whatever you’re putting behind the proxy, or elsewhere on the internet.

      I consistently keep in mind that it’s ultimately an RU product, of course. But since it’s open source and changes relatively infrequently, that’s mitigated to a large degree from where I sit.

      Nothing against Caddy, though Apache gets heavy quickly from a maintenance standpoint, IMHO. But nginx has been my go to for many, many years per the above. It drops into oddball environments without having to rip and tear existing systems out by the roots, and it doesn’t care what’s behind it.

      Ages ago, I had a Tomcat app that happened to be supported indirectly by an embedded Jetty (?) app that didn’t properly support SSL certs in a sane way on its own.

      That was just fine to nginx and certbot, the little-but-important Jetty app just lived off to the side and functionally didn’t matter because with nginx and certbot, nothing else gave a crap - including the browser clients and the arcane build system that depended on that random Jetty app.

  • rysiek@szmer.info
    link
    fedilink
    English
    arrow-up
    30
    ·
    4 months ago

    HAproxy cannot serve static files directly. You need a webserver behind it for that.

    Apache is slow.

    Nginx is both a capable, fast reverse-proxy, and a capable, fast webserver. It can do everything HAproxy does, and what Apache does, and more.

    I am not saying it is absolutely best for every use-case, but this flexibility is a large part of why I use it in my infra (nad have been using it for a decade).

  • wjs018@lemmy.world
    link
    fedilink
    English
    arrow-up
    27
    ·
    4 months ago

    Some good answers in here already. It boils down to a couple points for me:

    • Back when I started selfhosting, it was either nginx or apache, and I found nginx better and easier to set up
    • All the nginx knowledge I learned years ago still works just the same as it did back then, so why potentially mess things up by switching if it all still works
    • Basically every project has an example nginx config for reference, that can’t be said about other proxies
    • It is easier to find support online for edge cases that might pop up with nginx due to the ubiquity of its use and years of history
  • kolorafa@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    ·
    edit-2
    4 months ago

    Because Nginx Proxy Manager exists.

    And also because for me it started from web hosting where Apache and Nginx dominate and later because of many easy to understand example configs from the net including many “docker letsencrypt” examples.

    • Takahe@lemmy.nz
      link
      fedilink
      English
      arrow-up
      5
      ·
      4 months ago

      Very much became it exist. Its way simpler to do in the GUI.

      Did not have to learn anything specific, and can work for things not in docker containers too, like the Nextcloud Snap.

  • ngn@lemy.lol
    link
    fedilink
    English
    arrow-up
    16
    ·
    4 months ago
    • simple config & setup
    • good performance
    • popular/packaged by every single distro
    • just works
  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    edit-2
    4 months ago

    Security

    Caddy is good but it tried to do to much. This means that security bugs could be way more common. It has been audited by outside people and the issues they found were fixed but I am will very doubtful that it is secure yet

    • tmpod@lemmy.pt
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      I think security is a fair point, given caddy’s younger age compared to nginx, but I wouldn’t say it tried to do too much.

  • miau@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    8
    ·
    4 months ago

    Honest question: why not use nginx?

    I have run it in so many different scenarios, both professionally and personally, its crazy. Nginx has never failed me, literally. My homeserver is quite limited but nginx has a very small footprint, it performs beautifully well and it satisfies all my hosting, proxying, redirecting and streaming needs.

    It works for modern and legacy applications, custom code, webhosting, supports all the modern features and its configuration is very easy with literal thousandsof examples available online.

    Apache probably can do all that but I hate how unintuitive its configuration is to me personally. HAproxy cant do half the stuff nginx does.

    As for caddy Ive heard of it but never really used it. What does it offer that nginx doesnt?

    • 486@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      4 months ago

      What does it offer that nginx doesnt?

      Automatic HTTPS, you don’t have to use certbot or something similar to get/renew certificates. Also, its configuration is really simple and straight forward.

      • miau@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        Thank you for your reply!

        Personally I am fine with nginx configuration, at least when using containers. The syntax is fine and all I need to do is map one file into the container

        But I took a look at the automatic cert feature and wow, that is very, very nice. I may give caddy a try for this feature only - it would simplify my current setup.

        I am also surprised it allows using HTTPS over port 443 for cert renewal. I didnt even know this was possible, so I was always stuck with DNS challanges.

        So again, thanks for your reply!

  • cheddar@programming.dev
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    4 months ago

    Why not? Why should I use Apache instead of Nginx? I don’t know about Caddy, Nginx is simple enough not to care about simpler solutions. But in general, I know Nginx and it does the job.

  • ruse8145@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    6
    ·
    4 months ago

    Caddy certainly was the easier option but it’s as complex as nginx now and id argue it’s hard to to use.

    • tmpod@lemmy.pt
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      Why do you say that?

      I’ve used both plenty and only once I thought Caddy was harder: caching. It requires you to install a plugin that also doesn’t have the easiest of configs. I think there’s a new and simpler one nowadays, but haven’t tried it yet.

      I now use Caddy by default for everything new I make/host.

  • tills13@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    4 months ago

    Caddy’s developer gives me the ick. He’s way too pompous in PRs on GH. nginx is just a constant – it does exactly what you need to and does it well.

  • computergeek125@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    4 months ago

    TLDR: probably a lot of people continue using the thing that they know if it just works as long as it works well enough not to be a bother.

    Many many years ago when I learned, I think the only ones I found were Apache and IIS. I had a Mac at the time which came pre installed with Apache2, so I learned Apache2 and got okay at it. While by release dates Nginx and HAProxy most definitely existed, I don’t think I came across either in my research. I don’t have any notes from the time because I didn’t take any because I was in high school.

    When I started Linux things, I kept using Apache for a while because I knew it. Found Nginx, learned it in a snap because the config is more natural language and hierarchical than Apache’s XMLish monstrosity. Then for the next decade I kept using Nginx whenever I needed a webserver fast because I knew it would work with minimal tinkering.

    Now, as of a few years ago, I knew that haproxy, caddy, and traefik all existed. I even tried out Caddy on my homelab reverse proxy server (which has about a dozen applications routed through it), and the first few sites were easy - just let the auto-LetsEncrypt do its job - but once I got to the sites that needed manual TLS (I have both an internal CA and utilize Cloudflare’ origin HTTPS cert), and other special config, Caddy started becoming as cumbersome as my Nginx conf.d directory. At the time, I also didn’t have a way to get software updates easily on my then-CentOS 7 server, so Caddy was okay-enough, but it was back to Nginx with me because it was comparatively easier to manage.

    HAProxy is something I’ve added to my repertoire more recently. It took me quite a while and lots of trial and error to figure out the config syntax which is quite different from anything I’d used before (except maybe kinda like Squid, which I had learned not a year prior…), but once it clicked, it clicked. Now I have an internal high availability (+keepalived) load balancer than can handle so many backend servers and do wildcard TLS termination and validate backend TLS certs. I even got LDAP and LDAPS load balancing to AD working on that for services like Gitea that don’t behave well when there’s more than one LDAPS backend server.

    So, at some point I’ll get around to converting that everything reverse proxy to HAProxy. But I’ll probably need to deploy another VM or two because the existing one also has a static web server and I’ve been meaning to break up that server’s roles anyways (long ago, it was my everything server before I used VMs).

  • Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    5
    ·
    4 months ago

    NGINX can really do a lot of things out of the box while being pretty easy to configure. NGINX can serve static files, it can proxy emails, it can do FastCGI, it can do UWSGI, it can do HTTP proxying, you can run Lua code inside NGINX to do things, there’s a module for RTMP live streaming. You can also implement some stuff like external authentication to protect your services/authenticate them at the proxy level. It can also do caching. Not all that useful with all those Rust and Go apps with their own built-in web server but if you run large legacy apps at scale it’s great, you can offload a lot of stuff away from your slow ass PHP app.

    Caddy’s simpler but the current battle tested popular option is NGINX.

    HAproxy is good at what it does but it’s only good at proxying and simple rules. For the most part, it’s used as a load balancer and router and doesn’t really process the requests itself. It can alter some things in it but it’s limited, and it only does HTTP and TCP. So you can’t really run PHP or Python or Ruby or whatever applications directly behind HAproxy. That makes NGINX a better choice there because NGINX deals with HTTP and only passes the request details to the application which doesn’t have to do HTTP on its own. I usually see HAproxy load balancing to NGINX hosts with some PHP/Python/Ruby app behind them.

    Apache is old. It’s gotten better but the way it works just doesn’t reflect most modern use cases. I remember when NGINX popped off like 15 years ago and just how much more resource efficient it was and how happy I was with the upgrade. So it exists and still works but not very popular anymore. It’s a bit easier to set up but also a bit weird with things like mod_php which runs directly inside Apache instead of a dedicated user that can be better sandboxed.

    Traefik is getting traction in big part because it fits well with the Docker ecosystem and just sets itself up automatically.

    There’s also Envoy if you want some serious proxying and meshing but setting that one up is truely headache inducing.

    They’re all pretty good web servers regardless, it comes down to preference. There’s no right choice because everyone’s needs are different.

    • db0@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      4 months ago

      Not sure why you say haproxy can’t serve python. I do it all the time. You just use something like python waitress and then point haproxy to it’s port.

      • Max-P@lemmy.max-p.me
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        It depends on what you use on the Python side. Classically that would have been uWSGI or one of the *SGI interfaces, and lately ASGI.

        Sure, one can totally make Python apps that serve HTTP directly. The same can be done with PHP (and Ruby and others) as well, but most people still run their PHP through PHP-FPM over FastCGI because you can offload a lot of the work to the much faster NGINX side. A fair amount of apps make use of X-Accel-Redirect to serve private files, so you don’t tie up a PHP worker for an hour serving the user’s 2GB file.

        But yes, as those languages all move to async computing and away from worker pools, it’s more common to see those serve HTTP directly, and there’s less and less need for a proxy that supports those other protocols. The async event loop is what made NGINX special when it came out, so naturally languages that moves to that model greatly reduce the need for that as well, they too can easily handle thousands of concurrent connections no problems. Plus these days people slap a CDN in front anyway so static file performance doesn’t matter quite as much.

        • db0@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          4 months ago

          Ye pretty much. I was just quite astounded at that statement as the AI Horde is basically just a lot of python processes behind a very low powered haproxy server.

          Personally, I understand people like to stay with the familiar, which is perfectly fine for a non-demanding service, but when something becomes demanding, I find the haproxy specialization serves better. I wish lemmy deployment by default utilized haproxy myself.

    • d2k1@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      4 months ago

      HAproxy is good at what it does but it’s only good at proxying and simple rules. For the most part, it’s used as a load balancer and router and doesn’t really process the requests itself.

      To add something here: HAProxy’s ACLs are more powerful than anything nginx, Apache or even Envoy can do. Of course HAProxy is not a web server but “just” a reverse proxy that speaks HTTP (and TCP) but what you can do with its ACLs is often extremely impressive in its simplicity and elegance. A single-line ACL in HAProxy would require loading additional modules in nginx and writing a screenful of configuration directives. Though the average self-hoster will probably never need any of the power HAProxy offers.

      In the past 20 years I have professionally used all four of these as web servers and/or reverse proxies and I am pretty confident that HAProxy beats all others when it comes to request processing. Though Envoy might be getting there.

      • SpazOut@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        Having used HAProxy for 15 years commercially, I absolutely agree with this. There are lots of complex features of HAProxy that only a dedicated proxy can provide. The acls, deep packet inspection and stick tables are a few.

        Whilst it doesn’t directly “serve” PHP or Python - it’s a load balancer so can just have regular Apache or nginx backends serving content which is arguably its main use case. For homelab this doesn’t always make sense but I would pick nginx for high traffic commercial environments.

    • lidstah@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      HAproxy is good at what it does but it’s only good at proxying and simple rules.

      It’s possible to write very complex rules/ACLs with HAproxy… stick-tables, ACLs with regexes on whatever HTTP header, source or destination ACLs, map files, geoblocking, lua scripting, load-balancing from round-robin to host header load balancing, dynamic backend servers provisionning through DNS… Not that you can’t do it with Nginx (it started as a reverse-proxy before becoming a jack of all trades), nor that nginx isn’t a great tool (it is!), but HAProxy can do very complex things too. It also follows the good ol’ UNIX philosophy of “one program to do one thing and do it well” and thus doesn’t try to be a webserver, hence why you need a webserver behind it to serve anything from static files to PHP/Python/whatever.

    • Findmysec@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      Traefik’s marketing as the “Docker reverse-proxy” put me off since I like technologies to stay agnostic of each other (personal preference).

      Your arguments are correct, and usually I’d run a separate web server but I suppose for a homelab having less things to manage is great

      • bmarinov@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        Traefik does auto discovery and you can register different configuration providers. Don’t need docker? Then don’t use the docker label-based provider. It is really flexible and has sensible defaults. Other than a few quirks in the basic auth support I haven’t had any problems. And at work it powers our globally utilized infrastructure without any hiccups.

    • N0x0n@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      4 months ago

      Traefik gang here 👊 !

      But only because it works so easily with docker !! I remember a time where I though that you need a diploma and read/learn/understand a 10000 page dictionary to make nginx work properly.

      Also hated the syntax of nginx… It can look so ugly and gibberish :/.

      But I do believe Nginx is superior and more mature in many more aspects than Treafik. Still, Traefik is a breeze and is in IMO way easier to configure with docker than Nginx.

      • Crogdor@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 months ago

        Yeah it’s Traefik for me as well! Heavy docker user, of course - it’s nice just tossing some labels into my Portainer stacks and letting Traefik figure it out. If I wasn’t so invested with containers I’d be using nginx.

      • witten@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 months ago

        I use Traefik as my main reverse proxy as well for the same reason—container niceties. But then I actually also use nginx… inside container images, like for containers that just serve static files for example.

        Use the right tool for the job!

    • AustralianSimon@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      4 months ago

      I used to use traefik back when it was new and less complex and the 2.0 complexity forced my hand to drop it for my homelab.

  • Shimitar@feddit.it
    link
    fedilink
    English
    arrow-up
    3
    ·
    4 months ago

    Nginx “just works™” had never got into the way, its been rock solid and has not changed significantly over the years.

    Why would I need something else?