What a reverse proxy does (and why it’s useful at home)

If you’ve ever tried to access a self-hosted service from outside your house and ended up with something like http://your-ip-address:8123, you’ve already run into the problem a reverse proxy is meant to solve. It’s the classic self-hosting speed bump: you have the service running, but getting to it is clunky, insecure, and requires memorizing a string of random numbers.

A reverse proxy is a small piece of software that sits at the edge of your network and acts as a single “front door” for your apps. It can route requests to the right place, handle HTTPS certificates in one spot, and give you a central place to add a little safety—like access logs, basic authentication, or IP allowlists.

Reverse proxy, in plain English

When you type a web address into a browser, your browser connects to a server somewhere. A reverse proxy is a server that accepts that connection first, then forwards it to the actual app that should handle it. Think of it like a receptionist in a large office building; you tell them who you’re looking for, and they point you to the right floor.

Here’s the mental model:

Internet → reverse proxy → (service A, service B, service C)

This is different from a “forward proxy,” which sits on the client side (for example, a workplace proxy that your laptop uses to reach the internet). If you want a more formal definition, Cloudflare’s glossary entry is a solid reference: https://www.cloudflare.com/learning/cdn/glossary/reverse-proxy/

Why a home user would want one

Most home networks don’t need a reverse proxy. If you’re not hosting anything, there’s nothing to proxy. However, if you’re running even one or two services like a photo server, Home Assistant, a personal wiki, or a NAS web interface, a reverse proxy starts to pay off quickly.

1) One public “front door” instead of a mess of ports

The default way people expose a home service is port forwarding: you forward a port on your router to a device inside your network. While this works, it gets clunky fast; you’re left with multiple forwarded ports, URLs with port numbers, and inconsistent security.

A reverse proxy lets you publish multiple services through the same standard web ports (typically 80/443) and route by hostname:

  • https://home.yourdomain.com → Home Assistant
  • https://photos.yourdomain.com → your photo library
  • https://notes.yourdomain.com → your notes app

Behind the scenes, those might be on totally different internal machines and ports (like 192.168.1.50:8123 and 192.168.1.60:2342). The proxy is the traffic director. This is also the “quality of life” win: you can hand a family member a normal-looking link that works from any device.

2) HTTPS in one place (TLS termination)

Getting HTTPS right is annoying when every app does it differently. With a reverse proxy, you can often handle HTTPS certificates centrally. The proxy speaks HTTPS to the outside world, and then talks to your internal service over HTTP (or HTTPS, if you prefer) on your local network.

This is commonly called TLS termination: the encrypted connection “ends” at the proxy. For a home setup, the practical benefits are simple: fewer browser warnings, fewer half-broken login pages, and one place to manage certificates. Many people use Let’s Encrypt for free certificates (good overview here: https://letsencrypt.org/).

3) A single place to add basic access control and visibility

Even if each app has its own login, a reverse proxy can add an extra layer in front (or at least make it easier to apply consistent rules):

  • basic authentication for a “quick and dirty” second lock
  • IP allowlists (for example, only your VPN exit)
  • rate limiting to slow down brute-force attempts
  • access logs so you can see what’s being hit and when

None of this turns a risky app into a safe one, but it does give you a consistent choke point you control.
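
As a concrete sketch of the three points above (hostname routing, TLS termination, and front-door access rules), here is what they can look like in nginx. This is an added example, not a configuration from this article's setup: the choice of nginx, the certificate and htpasswd paths, the zone name, and the address 203.0.113.10 are assumptions, and it assumes one certificate that covers both hostnames.

```nginx
# Added example (nginx, inside the http {} context). Hostnames and upstreams are the
# article's; cert and htpasswd paths, zone name and 203.0.113.10 are assumptions.
limit_req_zone $binary_remote_addr zone=perip:10m rate=5r/s;  # per-client-IP budget

# Catch-all: refuse TLS for any hostname not published below (nginx 1.19.4+).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

server {   # port 80 does nothing except redirect to HTTPS
    listen 80;
    server_name home.yourdomain.com photos.yourdomain.com;
    return 301 https://$host$request_uri;
}

# TLS terminates here; the hop to the app is plain HTTP on the LAN.
server {
    listen 443 ssl;
    server_name home.yourdomain.com;
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    access_log /var/log/nginx/home.access.log;
    allow 203.0.113.10;   # stand-in for your VPN exit address
    deny  all;            # everyone else gets 403 before the app sees anything
    location / {
        proxy_pass http://192.168.1.50:8123;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;   # overwrite, don't trust client value
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Basic auth as a second lock, plus rate limiting against password guessing.
server {
    listen 443 ssl;
    server_name photos.yourdomain.com;
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    access_log /var/log/nginx/photos.access.log;
    auth_basic           "photos";
    auth_basic_user_file /etc/nginx/.htpasswd;
    limit_req zone=perip burst=10 nodelay;
    location / {
        proxy_pass http://192.168.1.60:2342;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run nginx -t to check the syntax before reloading. The per-host access logs are what let you see which service is being hit and from where.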

What a reverse proxy doesn’t do

Reverse proxies get hyped in self-hosting circles, and it’s easy to assume they’re a security shield. They’re not. Here are the big misconceptions to avoid:

  • It’s not a VPN. A VPN gives you access to your private network as if you’re at home. A reverse proxy publishes specific services to the internet.
  • It’s not a firewall. Your router rules still matter.
  • It doesn’t “secure” a vulnerable app. If you expose a buggy service publicly, the proxy won’t magically save you.

For many home users, the safest default is: don’t expose services directly at all. Use a VPN for remote access, or keep everything local.

A high-level setup path (without getting lost in the weeds)

The exact steps vary depending on your router, whether you have a static IP, what you’re hosting, and what reverse proxy software you choose. But the overall flow is pretty consistent.

  1. Decide what should be available remotely. If it’s only you, a VPN is often simpler. If you want shareable links or multiple apps, a reverse proxy is convenient.
  2. Run the proxy on something stable. Keep it updated and give it a stable local IP.
  3. Set up a domain + DNS (and dynamic DNS if needed). You’ll point hostnames like photos.yourdomain.com at your home IP.
  4. Forward only ports 80/443 to the proxy, then add apps one at a time. Test from outside your network (cellular data is a quick reality check).

If that sounds like a lot, don’t worry; publishing services to the internet is genuinely one of those things where a little planning goes a long way. If you’re already self-hosting and want cleaner URLs, easier HTTPS, and a central control point, a reverse proxy is usually the next upgrade that makes your setup feel “grown up.”
