← 🏠

Reverse Proxy

Reverse Proxy is a reverse proxy which can be used for SSL termination and/or subdomain multiplexing. Reverse Proxy is similar to Traefik or Nginx, but aims to be simpler and easier to use.

Click here to download the zip file containing binaries for the following platforms:


In this example, we would like to set up two subdomains, myapp.example.com and echo.example.com.

I recommend acme.sh for getting LetsEncrypt SSL cerficates. This demonstrates how to install and run acme.sh. This requests a certificate in standalone mode, which requires socat and sudo (in order to listen on port 80).

$ curl https://get.acme.sh | sh
(exit then log back in to enable acme.sh)
$ sudo apt install socat
$ sudo setcap 'cap_net_bind_service=+ep' /usr/bin/socat
$ acme.sh --issue --standalone --server letsencrypt \
  -d example.com \
  -d myapp.example.com \
  -d echo.example.com

After running, acme.sh will set up a cron job to automatically renew the cert. Because the cron job also listens on port 80, we will need to keep that port free. In addition, we would like to redirect myapp.example.com to port 8000 and just echo any request to echo.example.com. We need setcap again to listen on port 443. So the full command is:

$ sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/rp
$ rp 0 -ssl 443 \
  /home/aaron/.acme.sh/example.com/example.com.key \
  /home/aaron/.acme.sh/example.com/example.com.cer \
  -map myapp.example.com 8000 \
  -map echo.example.com -1

Generating a Self-Signed Certificate and Key

If you don't want to use a public certificate authority, you can generate self-signed certificates like so:

openssl req -nodes -new -x509 -keyout server.key -out server.crt -days 36500 \
  -subj "/CN=localhost"

Note that this will cause SSL warnings on most browsers.


	rp [port] -ssl [ssl_port] [key] [crt] -map [host_header] [local_port]
	-[port] is the http port
	-if -ssl is specified, [ssl_port] is the https port and [key] and [crt]
	 are the key and certificate file paths
	 -if [port] is non-zero, it will redirect to [ssl_port]
	 -if [port] is zero, it will be ignored
	-if -map is specified, incoming requests with [host_header] are forwarded
	 to [local_port]
	 -if [local_port] is -1, the [host_header] is mapped to an echo handler, which
	  is useful for debugging
	 -multiple -map flags can be specified

How is this better than Traefik/Nginx?

It's smaller, simpler, and easier to use.