Production-grade reverse proxy with automatic SSL certificate management (Let's Encrypt), behavior-based WAF/IPS via CrowdSec, and zero-downtime auto-updates. Deploy once, secure every service behind it.
What You're Getting
This stack turns a bare Docker host into a secure ingress point. Every service you run — web apps, APIs, databases — sits behind a hardened Nginx reverse proxy with automatic TLS termination.
Includes: Nginx, Certbot, CrowdSec + bouncer, Watchtower
Why This Beats a Naive Setup
| Aspect | Naive Self-Signed | This Stack | |--------|-------------------|------------| | SSL renewal | Manual every 90 days | Automatic, 12h check cycle | | WAF protection | None | CrowdSec behavior-based (SQLi, XSS, brute-force) | | Rate limiting | Manual iptables | Nginx built-in + CrowdSec ban decisions | | Security headers | Usually missing | CSP, HSTS, X-Frame-Options pre-configured | | Updates | Neglected | Watchtower auto-updates all containers |
How It Works
- Point your domain's DNS A record to the server
- Set
DOMAIN=example.comandEMAIL=you@example.comin.env - Run
docker compose up -d - Nginx obtains a Let's Encrypt certificate via Certbot within 30 seconds
- CrowdSec starts analyzing traffic patterns immediately
- Certificates renew automatically every 12 hours
CrowdSec uses a behavior-based detection engine — it learns what normal traffic looks like and flags anomalies without relying solely on signature databases. The Nginx bouncer enforces ban decisions at the reverse proxy layer before requests reach your upstream services.
Who This Is For
Anyone running self-hosted services that need a secure public-facing ingress. Particularly valuable if you're already running Docker services and want to consolidate behind a single TLS-terminated entry point with minimal configuration overhead.