![]()
The XDA piece on renting a VPS to get around CGNAT lands at a moment when self-hosted reverse proxies have become a household-tier piece of infrastructure. The premise is the same whether the proxy sits on a NAS, an old mini PC, or a $5 VPS bridge: traffic comes in on port 443, gets sorted by hostname, and lands on the right internal service. The two big shifts since 2020 are how easy auto-HTTPS has become, Let’s Encrypt plus the Caddy/NGINX/Traefik ecosystem made certificates a non-event, and how much the audience grew. Households running Jellyfin, Vaultwarden, Home Assistant, and Immich need this layer.
We tested 7 of the best apps for self-hosted reverse proxy on desktop in 2026, covering Linux, Windows, and macOS. The benchmark was specific: install on a clean Debian box, route three services through HTTPS with auto-renewing certificates, and survive a reboot. The 7 below all qualified.
What to look for in a self-hosted reverse proxy
The criteria that separate the working stack from a year of YAML headaches:
- Auto-HTTPS. A 2026 proxy gets certificates from Let’s Encrypt (or ZeroSSL, or Buypass) without a manual cron. The default should be HTTPS, not a checkbox.
- HTTP/2 and HTTP/3. Both are table stakes now. HTTP/3 in particular helps any household whose ISP’s TCP performance is asymmetric.
- A configuration model you can read in six months. YAML, JSON, Caddyfile, NGINX-style, pick the language you’ll remember when the rule that broke isn’t the one you wrote last week.
- Docker awareness or service discovery. A proxy that watches the Docker daemon, Kubernetes, or Consul and adds new services automatically is the kind of automation a busy household needs.
- A way to expose the proxy from behind CGNAT. Either a public VPS bridge, a Tailscale Funnel, a Cloudflare Tunnel, or your own Pangolin/WireGuard hop. The XDA piece spelled this part out plainly.
Quick comparison
| App | Best for | Config style | Auto-HTTPS | Starting price |
|---|---|---|---|---|
| NGINX Proxy Manager | Beginner-friendly GUI | Web UI on top of NGINX | Yes, built-in | Free |
| Caddy | Auto-HTTPS by default | Caddyfile (simple) | Yes, default | Free |
| Traefik | Docker-native dynamic routing | YAML / labels | Yes, ACME | Free, Enterprise tier exists |
| NGINX | Raw classic performance | nginx.conf | Manual (Certbot, acme.sh) | Free, Plus from $2,500/yr |
| HAProxy | Load balancing + proxy | haproxy.cfg | Manual or Lua plugins | Free, Enterprise tier exists |
| SWAG | NGINX + Let’s Encrypt preset | NGINX configs in Docker | Yes, certbot | Free |
| Pangolin | Self-hosted tunnel + proxy | Web UI | Yes | Free |
The 7 best apps for a self-hosted reverse proxy
1. NGINX Proxy Manager, best beginner-friendly GUI
NGINX Proxy Manager wraps NGINX in a web UI that turns “add a domain, point it at this internal service, get a Let’s Encrypt certificate” into a three-form-field operation. It runs as a single Docker container with a SQLite or MySQL backend. Each proxy host is a row in the database; the UI generates the NGINX config behind the scenes. NPM for self-hosted reverse proxy in 2026 is the right pick for the household self-hoster who wants HTTPS for Jellyfin and Vaultwarden without learning NGINX syntax first.
Where it falls short: The web UI hides the underlying NGINX config, which is fine until you need a feature the UI doesn’t expose. Power users tend to graduate to raw NGINX or Caddy. The default install doesn’t enable HTTP/3 out of the box.
Pricing:
- Free: All features, MIT licence
- Paid: None
- Platforms: Linux (Docker), Windows (Docker Desktop), macOS (Docker Desktop)
Bottom line: The starter pick. If this is your first reverse proxy, install NPM and don’t look back until something specific pushes you to.
2. Caddy, best for auto-HTTPS by default
Caddy is the modern web server and reverse proxy with auto-HTTPS as the default behaviour rather than an opt-in. A three-line Caddyfile sets up a reverse proxy with a Let’s Encrypt certificate, HTTP/2, HTTP/3, and HSTS. The 2.8 release in 2024 sharpened the on-demand TLS handshake; the 2.9 series brought refined HTTP/3 transport. Caddy for self-hosted reverse proxy in 2026 is the right pick when the config language matters as much as the runtime.
Where it falls short: The Caddy plugin ecosystem isn’t as deep as NGINX’s. Some advanced routing (geo-IP, complex rewrites) needs xcaddy to compile in plugins, which is a small step but a step.
Pricing:
- Free: All features, Apache-2
- Paid: None
- Platforms: Linux, Windows, macOS, FreeBSD
Bottom line: The pick when you want a config file you’ll still read cleanly in two years.
3. Traefik, best Docker-native dynamic routing
Traefik is the reverse proxy built for the container era. Point Traefik at a Docker daemon, add labels to your service containers, and Traefik discovers them, generates routes, and provisions Let’s Encrypt certificates automatically. The same model works for Kubernetes (Ingress), Consul, and ECS. Traefik vs NGINX for self-hosted reverse proxy in 2026: Traefik wins on automatic service discovery in Docker households; NGINX wins on raw throughput and configurability.
Where it falls short: The configuration model takes a sit-down with the docs. YAML, file providers, label-based dynamic providers, and the static-vs-dynamic config split all need understanding before things click. The web dashboard is read-only.
Pricing:
- Free: All features (Traefik Proxy v3)
- Paid: Traefik Enterprise adds RBAC and HA, pricing on request
- Platforms: Linux, Windows, macOS
Bottom line: Pick this when your stack is mostly Docker and you want the proxy to track services automatically.
4. NGINX, best for raw classic performance
NGINX is the reverse proxy that has run the public web for two decades. The configuration is nginx.conf and a directory tree of server blocks. Auto-HTTPS comes via Certbot or acme.sh, a one-time setup, then it renews quietly. NGINX scales to traffic volumes a household will never see, and the documentation is the most thorough in the category. NGINX vs Caddy in 2026: NGINX wins on ecosystem depth, Caddy wins on time-to-first-HTTPS.
Where it falls short: Manual certificate setup. The nginx.conf language is its own dialect. Mistakes in a server block stop NGINX from starting, which costs a few minutes the first time you make one.
Pricing:
- Free: NGINX Open Source
- Paid: NGINX Plus from $2,500/year (rarely needed for self-hosting)
- Platforms: Linux, Windows, macOS, FreeBSD
Bottom line: Pick this when the proxy needs to live for a decade with the same config and you don’t mind learning the syntax.
5. HAProxy, best load balancing + proxy
HAProxy has been the de-facto load balancer for high-traffic deployments since 2002 and serves admirably as a reverse proxy. The 3.0 LTS release in 2024 added an updated SSL stack and improved HTTP/3 handling. Lua scripting and Stick Tables let you build features that other proxies require external services for. HAProxy for self-hosted reverse proxy in 2026 is the right pick when the household is running multiple instances of the same service and the proxy needs to balance between them.
Where it falls short: Auto-HTTPS is manual or via Lua plugins, not built-in. The configuration syntax is its own language. Most self-hosters don’t need HAProxy’s load-balancing depth.
Pricing:
- Free: HAProxy Community Edition
- Paid: HAProxy Enterprise, pricing on request
- Platforms: Linux, FreeBSD, macOS, Windows (community builds)
Bottom line: Pick this when you have multiple instances of a service that need balancing. Otherwise NGINX or Caddy is the simpler answer.
6. SWAG, best NGINX + Let’s Encrypt preset
SWAG (Secure Web Application Gateway) is LinuxServer.io’s pre-built Docker image that bundles NGINX with Certbot, a templating system, and a directory of community-maintained server block samples for popular self-hosted services. Run the container, point it at your domain, copy the right sample into the active config, and you have HTTPS for Jellyfin, Nextcloud, Vaultwarden, or whatever else in under an hour. SWAG vs NPM in 2026: SWAG exposes the raw NGINX configs, NPM hides them behind a UI.
Where it falls short: Editing NGINX configs by hand. The LinuxServer community is famously helpful but the documentation assumes some Docker familiarity. The image bundles a lot, DuckDNS, fail2ban, Authelia integration, that you may or may not want.
Pricing:
- Free: All features
- Paid: None
- Platforms: Linux (Docker)
Bottom line: Pick this when you want NGINX’s flexibility and a directory of pre-written configs for popular self-hosted services.
7. Pangolin, best self-hosted tunnel + reverse proxy
Pangolin is the newer self-hosted answer to Cloudflare Tunnel: a reverse proxy that runs on a $5 VPS, a WireGuard tunnel that connects your home network back to it, and a web UI to manage routes. The 2025 1.0 release added SSO with Authelia/Authentik, an API for IaC users, and improved monitoring. Pangolin for self-hosted reverse proxy in 2026 is the right pick when the home connection is behind CGNAT and you want everything self-hosted, including the tunnel.
Where it falls short: Smaller community than the other six. The architecture (VPS + tunnel + home proxy) is more moving parts than a single NGINX container. Some advanced NGINX features take longer to land.
Pricing:
- Free: Open-source under AGPL-3
- Paid: None
- Platforms: Linux (Docker)
Bottom line: Pick this when CGNAT is the actual problem and you don’t want to rely on Cloudflare for the tunnel hop.
How to pick the right one
- If this is your first reverse proxy and you want a GUI: NGINX Proxy Manager.
- If you want auto-HTTPS as the default and a config you’ll read cleanly: Caddy.
- If your stack is mostly Docker and you want service discovery: Traefik.
- If you want raw NGINX with no abstractions: NGINX.
- If you have multiple instances of the same service to balance: HAProxy.
- If you want NGINX plus a directory of pre-written configs for self-hosted services: SWAG.
- If CGNAT is the actual problem and you want a self-hosted tunnel: Pangolin (and a small VPS).
A working 2026 stack for a CGNAT-bound household is Pangolin on a $5 VPS with Caddy or NPM behind it, services exposed only over Tailscale, and a Wireguard tunnel keeping the home network connected. None of these are mutually exclusive; the names just have to play their part.
FAQ
What’s the easiest reverse proxy to set up?
NGINX Proxy Manager. Three-form-field setup per host, automatic Let’s Encrypt, and a web UI. Caddy is a close second if you’d rather edit a Caddyfile than click through a dashboard.
Does my home connection need a public IP?
For a directly accessible reverse proxy, yes. If your ISP gives you a CGNAT address (no public IP), you need a tunnel, Cloudflare Tunnel, Tailscale Funnel, or a self-hosted Pangolin setup with a small VPS, to expose services. The XDA piece this month walks through exactly this case.
How does Caddy handle SSL renewals automatically?
Caddy ships with an ACME client. The first time a hostname is requested, Caddy reaches Let’s Encrypt (or ZeroSSL or Buypass), proves ownership with an HTTP-01 or TLS-ALPN-01 challenge, and stores the certificate locally. Renewal happens 30 days before expiry without any intervention.
Can I run a reverse proxy on a Raspberry Pi?
Yes. All seven of these run comfortably on a Pi 4 or Pi 5. Pangolin, NPM, and SWAG are typically deployed as Docker containers and consume under 200 MB of RAM. NGINX and Caddy can also run natively on Pi OS.
Should I use Cloudflare Tunnel instead?
Cloudflare Tunnel is excellent and free for individuals, but it routes your traffic through Cloudflare. For households who’d rather not, Pangolin or your own Wireguard-to-VPS hop is the equivalent without Cloudflare in the loop.
What’s the difference between a reverse proxy and a load balancer?
A reverse proxy sits in front of one or more backend services and forwards requests based on hostname or path. A load balancer specifically distributes requests across multiple instances of the same service. HAProxy and NGINX can be both; NPM and Caddy are primarily reverse proxies with basic load-balancing features.