Here is my setup:
I have multiple DuckDNS domains (and subdomains) pointing to my home IP. My home router has port 80 and port 443 forwarded to Nginx Proxy Manager on my home server. Nginx Proxy Manager points to the appropriate docker container and each one is encrypted with Let’s Encrypt.
Am I missing anything here or is this how I’m supposed to be doing it? Every app that has a DuckDNS url has a password in some shape or form.
You must log in or # to comment.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol TCP Transmission Control Protocol, most often over IP VPN Virtual Private Network nginx Popular HTTP server
4 acronyms in this thread; the most compressed thread commented on today has 13 acronyms.
[Thread #71 for this comm, first seen 7th Feb 2026, 20:10] [FAQ] [Full list] [Contact] [Source code]
My usual additions:
- Have the router to block portscanners
- fail2ban on internet facing services.
Thanks I’ll look into these. Quick question: how does fail2ban use port 80 if that’s already used by nginx?
It does not. It does not uses ports at all. Fail2ban monitors your logfiles and activates the firewall to block IP’s that matched your rules.
t.ex. You can block an IP that tried to access https://<url>/admin. You can block an IP that used wrong credentials x times to login on an ssh port. Or block one that tried to relay via your mailserver. The duration is configurable and alternative duration can be configured for recidivists.
And yes, you can whitelist IP’s to avoid locking yourself out. The possibilities are endless.
I see, the default docker installer for fail2ban gave me an error because “Port 80 was already in use” (by NGINX Manager).
Fail2ban does not listen on any port for it has no user interface. No interface at all actually. It’s just a process that monitors your logfiles and changes firewall rules and writes to syslog if you tell it to.
I run it on internet facing servers so I use a ‘regular’ install and never docker. I see no advantage for docker in this case, but one huge disadvantage: Docker changes a lot on the network side. It creates bridges, and picks IP’s all by itself. I hate that. (I know you can put in a lot of effort to manage it, but no thanks keep your ‘hands’ of my network config thank you)
If any service has only username and password instead of mfa or password less then it’s not safe.
You also didn’t mention if you have automated patching or immutable backups enabled.
If any service has only username and password instead of mfa or password less then it’s not safe.
None of them do
You also didn’t mention if you have automated patching or immutable backups enabled.
I do not. I don’t even know what those are tbh
