Seeking guidance for secure wireguard and reverse proxy (swag) setup


I'm hoping this is in the right location. I've been doing lots of searching on the forums, googling and watching SpaceInvader One's videos for setting up reverse proxies and have successfully gotten things up and running but I need a bit of clarity on what is exposed to the internet. I've read that opening ports 80 and 443 from your router is not the best thing to do which swag requires. But on the other hand, I've read that it's ok if it's more isolated to individual docker containers. If this is not the best way to do this what would be?


Please let me know if there is further documentation I could read about best ways to set up safe remote access. My overall goal is to set up NextCloud for home use but fear the risk of exposing too much to the internet.


Thanks for reading and looking forward to learning more!

Link to comment

After reading lots more tutorials and watching more YouTube videos, I think I'm going to set up Authelia with SWAG using this tutorial:

I'd also like to set up LDAP but I'm finding it a bit complicated to set up/understand. Could anybody point me in the right direction for setting this up in a docker for unraid if you own your own domain? I believe I need OpenLDAP and LDAP Auth but I'm not sure how to set them up. I'll continue to read the project's documentation in the meantime and try out some configs this weekend!

Thanks for reading!

Link to comment

I am not an expert in this space, but the first thing we would need to help you is your use case: what are you trying to solve?


If you want to access your server or assets remotely, consider setting up a VPN on your server and connecting exclusively with that.


The reverse proxy makes me think you want to be able to route requests from subdomains to specific applications, most likely for publicly hosting access to your server. In that case you do need to open port 80 and 443 to the reverse proxy app.


LDAP makes me think you want to set up user management to one or more apps... maybe to have them register for your blog and also allow a user to use some completely separate front end app? It's a complicated process, for sure.

Link to comment

Thanks for the reply! The case I'm trying to solve is secure user access for my family to NextCloud from locations outside the home network (Maybe sonarr and radarr down the line too). I don't think I want remote access to the server itself yet but if I do I'm going to set that up through wireguard vpn (is that correct?)


What's pulling me to LDAP are the walkthroughs and videos I've been looking at. Most say that LDAP is the recommended way to set up?


The last constraint I want to work around is to set up everything using the domain I own. No other paid services other than the domain registration.

Let me know if I've answered your queries @mattz!

Link to comment
  • 2 weeks later...

That's a classic use case. It has not gone well for me personally, due to my ISP blocking incoming port 443 requests. I need to use a different port to forward requests via a Reverse Proxy. For example, I need to enter (notice the port number). Most ISPs lock down port 443; ISPs I have been with across the country locked 443, so you won't be able to use any domain without appending the port number you are using as a substitute (e.g. 1443 or something). It works, but it is not the super clean option I wanted. Other consideration is static vs. dynamic IP address - you can use a service like to get around that, and link to that with an ALIAS or A record from your domain.


LDAP (or any Single Sign On) is not necessary and would be overkill for a family. You will not be managing users on a regular basis (you add them and they stay, right?). You would use NextCloud's built-in user management and separate logins for each Sonarr and Radarr.


If you want remote access to YOUR server from outside, you would need to set up a VPN server to access your network. Check out OpenVPN Server to do that. Wireguard VPN would be more about securing your server's outgoing connection.


Edited by mattz
modified port 443 statement
Link to comment
On 5/17/2021 at 12:19 PM, jonathanm said:

Blocking 25 and 80 are semi common, but 443 tends to be open in my experience.

Redacted... In my experience: currently on CenturyLink Fiber in Portland, OR, and I can't crack the nut.

Link to comment
