Best apps for self-hosted reverse proxy on desktop in 2026 (7 tested)

The XDA piece on renting a VPS to get around CGNAT lands at a moment when self-hosted reverse proxies have become a household-tier piece of infrastructure. The premise is the same whether the proxy sits on a NAS, an old mini PC, or a $5 VPS bridge: traffic comes in on port 443, gets sorted by hostname, and lands on the right internal service. The two big shifts since 2020 are how easy auto-HTTPS has become, Let’s Encrypt plus the Caddy/NGINX/Traefik ecosystem made certificates a non-event, and how much the audience grew. Households running Jellyfin, Vaultwarden, Home Assistant, and Immich need this layer.

We tested 7 of the best apps for self-hosted reverse proxy on desktop in 2026, covering Linux, Windows, and macOS. The benchmark was specific: install on a clean Debian box, route three services through HTTPS with auto-renewing certificates, and survive a reboot. The 7 below all qualified.

What to look for in a self-hosted reverse proxy

The criteria that separate the working stack from a year of YAML headaches:

Quick comparison

AppBest forConfig styleAuto-HTTPSStarting price
NGINX Proxy ManagerBeginner-friendly GUIWeb UI on top of NGINXYes, built-inFree
CaddyAuto-HTTPS by defaultCaddyfile (simple)Yes, defaultFree
TraefikDocker-native dynamic routingYAML / labelsYes, ACMEFree, Enterprise tier exists
NGINXRaw classic performancenginx.confManual (Certbot, acme.sh)Free, Plus from $2,500/yr
HAProxyLoad balancing + proxyhaproxy.cfgManual or Lua pluginsFree, Enterprise tier exists
SWAGNGINX + Let’s Encrypt presetNGINX configs in DockerYes, certbotFree
PangolinSelf-hosted tunnel + proxyWeb UIYesFree

The 7 best apps for a self-hosted reverse proxy

1. NGINX Proxy Manager, best beginner-friendly GUI

NGINX Proxy Manager wraps NGINX in a web UI that turns “add a domain, point it at this internal service, get a Let’s Encrypt certificate” into a three-form-field operation. It runs as a single Docker container with a SQLite or MySQL backend. Each proxy host is a row in the database; the UI generates the NGINX config behind the scenes. NPM for self-hosted reverse proxy in 2026 is the right pick for the household self-hoster who wants HTTPS for Jellyfin and Vaultwarden without learning NGINX syntax first.

Where it falls short: The web UI hides the underlying NGINX config, which is fine until you need a feature the UI doesn’t expose. Power users tend to graduate to raw NGINX or Caddy. The default install doesn’t enable HTTP/3 out of the box.

Pricing:

Bottom line: The starter pick. If this is your first reverse proxy, install NPM and don’t look back until something specific pushes you to.

2. Caddy, best for auto-HTTPS by default

Caddy is the modern web server and reverse proxy with auto-HTTPS as the default behaviour rather than an opt-in. A three-line Caddyfile sets up a reverse proxy with a Let’s Encrypt certificate, HTTP/2, HTTP/3, and HSTS. The 2.8 release in 2024 sharpened the on-demand TLS handshake; the 2.9 series brought refined HTTP/3 transport. Caddy for self-hosted reverse proxy in 2026 is the right pick when the config language matters as much as the runtime.

Where it falls short: The Caddy plugin ecosystem isn’t as deep as NGINX’s. Some advanced routing (geo-IP, complex rewrites) needs xcaddy to compile in plugins, which is a small step but a step.

Pricing:

Bottom line: The pick when you want a config file you’ll still read cleanly in two years.

3. Traefik, best Docker-native dynamic routing

Traefik is the reverse proxy built for the container era. Point Traefik at a Docker daemon, add labels to your service containers, and Traefik discovers them, generates routes, and provisions Let’s Encrypt certificates automatically. The same model works for Kubernetes (Ingress), Consul, and ECS. Traefik vs NGINX for self-hosted reverse proxy in 2026: Traefik wins on automatic service discovery in Docker households; NGINX wins on raw throughput and configurability.

Where it falls short: The configuration model takes a sit-down with the docs. YAML, file providers, label-based dynamic providers, and the static-vs-dynamic config split all need understanding before things click. The web dashboard is read-only.

Pricing:

Bottom line: Pick this when your stack is mostly Docker and you want the proxy to track services automatically.

4. NGINX, best for raw classic performance

NGINX is the reverse proxy that has run the public web for two decades. The configuration is nginx.conf and a directory tree of server blocks. Auto-HTTPS comes via Certbot or acme.sh, a one-time setup, then it renews quietly. NGINX scales to traffic volumes a household will never see, and the documentation is the most thorough in the category. NGINX vs Caddy in 2026: NGINX wins on ecosystem depth, Caddy wins on time-to-first-HTTPS.

Where it falls short: Manual certificate setup. The nginx.conf language is its own dialect. Mistakes in a server block stop NGINX from starting, which costs a few minutes the first time you make one.

Pricing:

Bottom line: Pick this when the proxy needs to live for a decade with the same config and you don’t mind learning the syntax.

5. HAProxy, best load balancing + proxy

HAProxy has been the de-facto load balancer for high-traffic deployments since 2002 and serves admirably as a reverse proxy. The 3.0 LTS release in 2024 added an updated SSL stack and improved HTTP/3 handling. Lua scripting and Stick Tables let you build features that other proxies require external services for. HAProxy for self-hosted reverse proxy in 2026 is the right pick when the household is running multiple instances of the same service and the proxy needs to balance between them.

Where it falls short: Auto-HTTPS is manual or via Lua plugins, not built-in. The configuration syntax is its own language. Most self-hosters don’t need HAProxy’s load-balancing depth.

Pricing:

Bottom line: Pick this when you have multiple instances of a service that need balancing. Otherwise NGINX or Caddy is the simpler answer.

6. SWAG, best NGINX + Let’s Encrypt preset

SWAG (Secure Web Application Gateway) is LinuxServer.io’s pre-built Docker image that bundles NGINX with Certbot, a templating system, and a directory of community-maintained server block samples for popular self-hosted services. Run the container, point it at your domain, copy the right sample into the active config, and you have HTTPS for Jellyfin, Nextcloud, Vaultwarden, or whatever else in under an hour. SWAG vs NPM in 2026: SWAG exposes the raw NGINX configs, NPM hides them behind a UI.

Where it falls short: Editing NGINX configs by hand. The LinuxServer community is famously helpful but the documentation assumes some Docker familiarity. The image bundles a lot, DuckDNS, fail2ban, Authelia integration, that you may or may not want.

Pricing:

Bottom line: Pick this when you want NGINX’s flexibility and a directory of pre-written configs for popular self-hosted services.

7. Pangolin, best self-hosted tunnel + reverse proxy

Pangolin is the newer self-hosted answer to Cloudflare Tunnel: a reverse proxy that runs on a $5 VPS, a WireGuard tunnel that connects your home network back to it, and a web UI to manage routes. The 2025 1.0 release added SSO with Authelia/Authentik, an API for IaC users, and improved monitoring. Pangolin for self-hosted reverse proxy in 2026 is the right pick when the home connection is behind CGNAT and you want everything self-hosted, including the tunnel.

Where it falls short: Smaller community than the other six. The architecture (VPS + tunnel + home proxy) is more moving parts than a single NGINX container. Some advanced NGINX features take longer to land.

Pricing:

Bottom line: Pick this when CGNAT is the actual problem and you don’t want to rely on Cloudflare for the tunnel hop.

How to pick the right one

A working 2026 stack for a CGNAT-bound household is Pangolin on a $5 VPS with Caddy or NPM behind it, services exposed only over Tailscale, and a Wireguard tunnel keeping the home network connected. None of these are mutually exclusive; the names just have to play their part.

FAQ

What’s the easiest reverse proxy to set up?

NGINX Proxy Manager. Three-form-field setup per host, automatic Let’s Encrypt, and a web UI. Caddy is a close second if you’d rather edit a Caddyfile than click through a dashboard.

Does my home connection need a public IP?

For a directly accessible reverse proxy, yes. If your ISP gives you a CGNAT address (no public IP), you need a tunnel, Cloudflare Tunnel, Tailscale Funnel, or a self-hosted Pangolin setup with a small VPS, to expose services. The XDA piece this month walks through exactly this case.

How does Caddy handle SSL renewals automatically?

Caddy ships with an ACME client. The first time a hostname is requested, Caddy reaches Let’s Encrypt (or ZeroSSL or Buypass), proves ownership with an HTTP-01 or TLS-ALPN-01 challenge, and stores the certificate locally. Renewal happens 30 days before expiry without any intervention.

Can I run a reverse proxy on a Raspberry Pi?

Yes. All seven of these run comfortably on a Pi 4 or Pi 5. Pangolin, NPM, and SWAG are typically deployed as Docker containers and consume under 200 MB of RAM. NGINX and Caddy can also run natively on Pi OS.

Should I use Cloudflare Tunnel instead?

Cloudflare Tunnel is excellent and free for individuals, but it routes your traffic through Cloudflare. For households who’d rather not, Pangolin or your own Wireguard-to-VPS hop is the equivalent without Cloudflare in the loop.

What’s the difference between a reverse proxy and a load balancer?

A reverse proxy sits in front of one or more backend services and forwards requests based on hostname or path. A load balancer specifically distributes requests across multiple instances of the same service. HAProxy and NGINX can be both; NPM and Caddy are primarily reverse proxies with basic load-balancing features.