There is a small Docker habit that causes a surprisingly large security problem on home servers: ports: - "8080:80" It looks harmless. It looks like a normal Docker Compose example. It is in half the tutorials on the internet. Then you check UFW and it says the firewall is active. Default incoming traffic is denied. Port 8080 is not allowed. Everything looks fine. Except the container may still be reachable. This is one of those Linux home server problems that feels like a bug the first time you see it. It is not really a bug. It is Docker doing exactly what Docker is designed to do: create its own firewall and NAT rules so published container ports work. That is the part many people miss. Last updated: June 2026 This guide is for the usual homelab setup: Ubuntu, Debian or a similar Linux server, rootful Docker Engine, Docker Compose, UFW enabled, and a few self-hosted services running on an old workstation, mini PC, laptop server or small VPS. If you are ...
Most home servers do not start with a reverse proxy. They start with one service on one port. Then another one appears. Then Uptime Kuma is on :3001 , a dashboard is on :8080 , something else wants :9443 , and before long the router has more port forwards than I am comfortable admitting. That is the point where a reverse proxy stops being a nice extra and becomes part of the basic plumbing. A reverse proxy gives you one clean front door for web services on a home server. It listens on normal web ports, handles HTTPS, receives requests for names like uptime.example.com or photos.example.com , and forwards each request to the right container or local service behind the scenes. Last updated: June 2026 This is not an enterprise load-balancer guide. It is a practical homelab comparison of Caddy , Nginx Proxy Manager and Traefik for Linux home servers, Docker hosts, old workstations, mini PCs and self-hosted services that should be reachable without exposing chaos. If you are ...