Proxy Server
Deploys a secure reverse proxy with Tailscale + Nginx Proxy Manager.
Quick Start
curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/proxy/install.sh | bash
Components
- Tailscale: Private network access (SSH, admin panel)
- Nginx Proxy Manager: Public reverse proxy (HTTP/HTTPS)
- UFW: Firewall (only 80/443 exposed publicly)
- fail2ban + unattended-upgrades: Basic hardening
Environment Variables
| Variable | Default | Description |
|---|---|---|
PROXY_HOSTNAME |
proxy |
Server hostname |
TZ |
Europe/Paris |
Timezone |
Example:
PROXY_HOSTNAME=myproxy TZ=America/New_York curl -fsSL https://gitea.arnodo.fr/Damien/infra-scripts/raw/branch/main/proxy/install.sh | bash
What it does
- Sets hostname
- Installs base packages (vim, fail2ban, unattended-upgrades, at)
- Installs and connects Tailscale (will prompt for authentication)
- Configures sysctl for exit-node capability
- Installs Docker
- Configures UFW (80/443 public, everything else via Tailscale only)
- Deploys Nginx Proxy Manager
- Exposes NPM admin panel via Tailscale serve
- Temporarily opens SSH port 22 for 5 minutes (safety net)
SSH Safety Net
During installation, SSH port 22 is temporarily opened for 5 minutes to prevent lockout if you're connected via public IP. After 5 minutes, it will be automatically closed and only Tailscale SSH will work.
# List scheduled jobs
sudo atq
# Cancel the scheduled SSH closure (replace N with job number)
sudo atrm N
# Manually close SSH port 22 if needed
sudo ufw delete allow 22/tcp
Post-install
- Access NPM admin:
https://proxy.<your-tailnet>.ts.net - Default credentials:
admin@example.com/changeme - Optionally approve exit-node in Tailscale admin console