The Problem — You're Exposing Services Without Protection
You're exposing services to the internet with nothing in front of them, and that keeps you up at night. Every HTTP service you self-host, whether an app, an API or an admin panel, needs TLS, rate limiting, and a layer that catches SQLi, XSS, and brute-force attempts before they reach your application code. Self-signed certificates (or none at all) mean browser warnings, users trained to click through them, and no way for anyone to tell your service from an impostor's.
Manual certificate renewal every 90 days is a reminder you'll ignore until your users see "Not Secure" in their browser. No WAF? Every scanner and credential-stuffing script on the internet gets unlimited attempts at your login forms and known exploit paths, with nothing between them and your application.
What This Stack Does For You
Deploy a hardened reverse proxy that automatically secures every service behind it — TLS termination, behavior-based WAF, rate limiting, and auto-updates — in one command.
What Happens When You Deploy
- Point your domain's DNS A record at the server
- Set `DOMAIN=example.com` and `EMAIL=you@example.com` in `.env`
- Run `docker compose up -d`
- Nginx serves the ACME HTTP-01 challenge over port 80 and Certbot obtains a Let's Encrypt certificate, typically within 30 seconds; every service behind the proxy is then served over TLS
- CrowdSec starts parsing the Nginx logs immediately, scoring each source IP's behaviour (SQLi and XSS probes, brute-force attempts) and publishing ban decisions that the Nginx bouncer enforces at the proxy, so a detected attacker's follow-up requests never reach your services
- Certbot checks every 12 hours and renews any certificate within 30 days of expiry. Nginx only picks up a renewed certificate on reload, so renewal is paired with an Nginx reload; expired certs are someone else's problem
- Watchtower polls for updated images and recreates containers, so security patches land without manual intervention
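The CrowdSec step above is worth seeing concretely, because log-based detection has a property a practitioner should understand: the first few malicious requests do reach Nginx (and the upstream) and are what produce the log lines; the ban only stops the requests that follow. The detector below is an added example written for this page, not CrowdSec's own code. It replays constructed Nginx combined-format log lines, counts failed logins per source IP inside a sliding window, issues a ban decision when a threshold is crossed, and models the bouncer dropping later requests from that IP. Thresholds, window, ban length and the sample lines are all assumptions made for the example.

```python
"""Toy behaviour-based brute-force detector over Nginx access-log lines.

Added example, not CrowdSec's code. It mirrors the log-driven model CrowdSec
uses: count suspicious events per source IP inside a sliding window, emit a
ban decision when a threshold is crossed, and let the proxy-side bouncer drop
later requests from that IP. Thresholds and log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Nginx "combined" log format; we only need ip, timestamp, request and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def run_detector(lines, threshold=5, window_s=60, ban_s=4 * 3600):
    """Replay log lines in order and report what detector and bouncer did.

    decisions: ip -> ban expiry (the decision a bouncer would enforce)
    reached:   ip -> requests that got through to Nginx/upstream
    dropped:   ip -> requests the bouncer rejected while the IP was banned
    """
    window = timedelta(seconds=window_s)
    failures = defaultdict(deque)   # per-ip timestamps of recent auth failures
    decisions, reached, dropped = {}, defaultdict(int), defaultdict(int)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        # The bouncer check happens before the request is proxied.
        if ip in decisions and ev["ts"] < decisions[ip]:
            dropped[ip] += 1
            continue
        reached[ip] += 1
        # Only failed login attempts count as brute-force signal.
        if not (ev["path"].startswith("/login") and ev["status"] in (401, 403)):
            continue
        q = failures[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            decisions[ip] = ev["ts"] + timedelta(seconds=ban_s)
            q.clear()
    return {"decisions": decisions, "reached": dict(reached), "dropped": dict(dropped)}


def _line(ip, sec, method, path, status):
    """Build one constructed combined-format line at 13:55:<sec> UTC."""
    return (f'{ip} - - [10/Oct/2024:13:55:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 154 "-" "curl/8.0"')


# Constructed sample: 203.0.113.7 hammers /login; 198.51.100.9 fumbles twice, then logs in.
SAMPLE_LOG = [
    _line("203.0.113.7", 0, "POST", "/login", 401),
    _line("203.0.113.7", 2, "POST", "/login", 401),
    _line("203.0.113.7", 4, "POST", "/login", 401),
    _line("198.51.100.9", 5, "POST", "/login", 401),
    _line("203.0.113.7", 6, "POST", "/login", 401),
    _line("203.0.113.7", 8, "POST", "/login", 401),   # 5th failure: ban issued here
    _line("198.51.100.9", 9, "POST", "/login", 401),
    _line("203.0.113.7", 10, "POST", "/login", 401),  # dropped by the bouncer
    _line("198.51.100.9", 14, "POST", "/login", 200),
    _line("203.0.113.7", 20, "GET", "/admin", 404),   # dropped too: the ban covers the IP
]

if __name__ == "__main__":
    result = run_detector(SAMPLE_LOG)
    for ip, until in result["decisions"].items():
        print(f"ban {ip} until {until.isoformat()} "
              f"(reached upstream: {result['reached'][ip]}, dropped: {result['dropped'][ip]})")
```

With the default threshold of five, the attacker's first five login attempts are logged and proxied before the ban lands and the remaining requests are dropped at Nginx. That is the trade-off of behaviour-based detection at the proxy: it is cheap and application-agnostic, but it is not a substitute for the application's own login throttling and input validation.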
What You'll Be Able To Do After Deploying
- Secure any service automatically: every HTTP service behind Nginx gets TLS termination with Let's Encrypt certificates. A new service needs a server block that points at its upstream and it is protected.
- Block attacks before they reach your apps: CrowdSec scores behaviour in the Nginx logs (not just signature matches) to spot SQLi and XSS probes, brute-force attempts, and anomalies, then publishes ban decisions. The Nginx bouncer enforces those bans at the proxy layer, so a flagged source is cut off for every service behind it, not just the one it was probing.
- Never think about SSL renewal again: Certbot checks every 12 hours and renews certificates that are within 30 days of expiry, followed by an Nginx reload so the renewed certificate is actually served. No calendar reminders, no expired certificate panic.
- Rate limit intelligently: Nginx's built-in `limit_req` returns 429 to clients that exceed a per-IP rate, and CrowdSec ban decisions cut off sources that keep pushing, protecting your upstream services from abuse and scraping.
- Apply security headers automatically: HSTS, X-Frame-Options, X-Content-Type-Options and a Content-Security-Policy are pre-configured at the proxy. CSP is the one to review per service, since a strict default will break apps that use inline scripts or third-party assets.
- Stop worrying about container updates: Watchtower pulls updated images and recreates containers on its polling interval, so security patches apply unattended. Each update is a container restart, so expect a brief interruption on the proxy itself, and pin the image tag of anything whose upgrades you want to review before they land.
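Adding a service in practice looks like the vhost below. This is an added example written for this page, not the stack's own shipped configuration. It assumes Certbot's `/etc/letsencrypt` directory and the ACME webroot `/var/www/certbot` are mounted into the Nginx container, that the upstream container answers as `app:8080` on the Compose network, and that the CrowdSec bouncer module is already loaded from the main `nginx.conf`; `app.example.com` and the `per_ip` zone name are placeholders.

```nginx
# Added example: one vhost for a new service behind the proxy (not the
# stack's shipped config). Assumes /etc/letsencrypt and /var/www/certbot are
# mounted into the Nginx container and the upstream is reachable as app:8080.

# The rate-limit zone must be declared in the http{} context, e.g. in
# conf.d/limits.conf:
#   limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

server {
    listen 80;
    server_name app.example.com;

    # The ACME HTTP-01 challenge must stay reachable over plain HTTP,
    # otherwise the 12-hourly renewal check will fail.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    http2 on;                     # nginx 1.25.1+; older: "listen 443 ssl http2;"
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Security headers; "always" so they are also sent on 4xx/5xx responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    # CSP is application-specific: this strict default breaks apps that use
    # inline scripts or third-party assets, so tune it per service.
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;

    # Per-IP rate limit with a small burst; excess requests get 429.
    limit_req zone=per_ip burst=20 nodelay;
    limit_req_status 429;

    location / {
        proxy_pass http://app:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` before applying, then `nginx -s reload`; the same reload is what makes a renewed Let's Encrypt certificate take effect, since Nginx reads certificate files only at start and reload.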
Why This Beats a Naive Setup
| Aspect | Naive Self-Signed | This Stack |
|--------|-------------------|------------|
| SSL renewal | Manual every 90 days | Automatic, 12h check cycle |
| WAF protection | None | CrowdSec behavior-based (SQLi, XSS, brute-force) |
| Rate limiting | Manual iptables | Nginx built-in + CrowdSec ban decisions |
| Security headers | Usually missing | CSP, HSTS, X-Frame-Options pre-configured |
| Updates | Neglected | Watchtower auto-updates all containers |
What You Get
Includes: Nginx, Certbot, CrowdSec + bouncer, Watchtower
- Production-grade Nginx reverse proxy with TLS termination
- Let's Encrypt automatic certificate management via Certbot
- CrowdSec behavior-based WAF/IPS with Nginx bouncer
- Watchtower for unattended container updates (each update recreates the container, so expect a brief restart)
- Pre-configured security headers (CSP, HSTS, X-Frame-Options)
- Rate limiting configuration
Requirements
- Docker Engine 24+ with Docker Compose v2
- A domain name with DNS pointing to your server
- Ports 80 and 443 accessible from the internet (port 80 is required for the ACME HTTP-01 challenge and the HTTPS redirect)
Your Outcome
5 minutes from now, you'll have a hardened reverse proxy securing every HTTP service you run: automatic TLS, CrowdSec banning attackers at the proxy, rate limiting, security headers, and unattended container updates. Every exposed service sits behind a single ingress point. No expired certs, no forum-scrolling for Nginx config snippets.