Add NAS web UI reverse proxy at nas.jasonernst.com #390
Deploy a lightweight nginx:alpine container that proxies nas.jasonernst.com to the host's port 9999 (NAS web UI). Uses host.docker.internal to reach the host from the container, and VIRTUAL_HOST for nginx-proxy auto-discovery with SSL. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Adds an Ansible-managed reverse proxy container on the NAS to expose the NAS web management UI at nas.jasonernst.com via the existing jwilder/nginx-proxy + Let’s Encrypt companion setup in the media_server role.
Changes:
- Creates `/etc/nas-proxy` and ships an nginx `default.conf` for proxying to host port `9999`.
- Deploys an `nginx:alpine` `nas-proxy` container configured for nginx-proxy/Let’s Encrypt discovery and host reachability via `host.docker.internal`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| ansible/roles/media_server/tasks/main.yml | Adds tasks to create NAS proxy config directory, copy nginx config, and deploy the nas-proxy container on the media network. |
| ansible/roles/media_server/files/nas-proxy.conf | Introduces nginx server config to proxy requests to http://host.docker.internal:9999. |
| - name: Copy NAS proxy nginx config | ||
| tags: nas-proxy | ||
| become: true | ||
| ansible.builtin.copy: | ||
| src: nas-proxy.conf | ||
| dest: /etc/nas-proxy/default.conf | ||
| mode: '644' | ||
| owner: root | ||
| group: root |
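Review bot: The copy to `/etc/nas-proxy/default.conf` has no syntax check, and the module's `validate` option is of little use here because the file is consumed by nginx inside the nas-proxy container. A broken nas-proxy.conf would only surface when the container next loads it, taking the proxy down; consider a follow-up task that runs `nginx -t` inside the nas-proxy container and fails the play before any restart or reload.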
Updates to /etc/nas-proxy/default.conf won’t automatically trigger nginx inside the nas-proxy container to reload, and docker_container won’t detect changes to the bind-mounted file. Consider adding a notify handler to restart/recreate the nas-proxy container when this copy task changes (or set the container task to recreate: true if restart-on-change isn’t feasible).
| location / { | ||
| proxy_pass http://host.docker.internal:9999; | ||
| proxy_set_header Host $http_host; | ||
| proxy_set_header X-Real-IP $remote_addr; | ||
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
| proxy_set_header X-Forwarded-Proto $scheme; | ||
| } |
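Review bot: In the location block, `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Real-IP $remote_addr;` describe the hop from nginx-proxy to this container, not the original client request. With TLS terminated at nginx-proxy, `$scheme` here is the scheme of that inner hop (http unless that hop is also TLS) and `$remote_addr` is the nginx-proxy container's address, so the NAS UI may build http:// redirects and record the proxy's IP for every request. Suggest forwarding the values nginx-proxy already set, e.g. `$http_x_forwarded_proto` and `$http_x_real_ip`.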
This reverse proxy exposes the NAS management UI directly to the public internet (via nginx-proxy + LetsEncrypt) without any additional access controls at the proxy layer. For a management interface, consider restricting access (e.g., IP allowlist/denylist, auth_basic, or requiring VPN-only access) to reduce the blast radius if the NAS UI has a vuln or weak auth.
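One way to apply the restriction suggested in the comment above inside the nas-proxy container, as an added example that is not part of the pull request. The `server` wrapper, the CIDR ranges and the htpasswd path are assumptions; because the container sits behind nginx-proxy, the client address has to be restored from `X-Forwarded-For` before `allow`/`deny` can act on it.

```nginx
# Added example, not the PR's nas-proxy.conf.
# CIDRs and file paths below are constructed placeholders.
server {
    listen 80;
    server_name nas.jasonernst.com;

    # Requests arrive from the nginx-proxy container, so $remote_addr is that
    # container's address. Trust X-Forwarded-For only when it comes from the
    # Docker network nginx-proxy is attached to, and restore the client address.
    set_real_ip_from 172.18.0.0/16;   # assumption: subnet of the media network
    real_ip_header   X-Forwarded-For;

    location / {
        # Require BOTH an allowed source address and valid credentials.
        satisfy all;

        allow 192.168.1.0/24;         # assumption: home LAN
        allow 10.8.0.0/24;            # assumption: VPN client range
        deny  all;

        auth_basic           "NAS management";
        # assumption: htpasswd file bind-mounted into the container
        auth_basic_user_file /etc/nginx/nas-proxy.htpasswd;

        proxy_pass http://host.docker.internal:9999;
        proxy_set_header Host $http_host;
        # $remote_addr is the client address once real_ip has run.
        proxy_set_header X-Real-IP $remote_addr;
        # Pass through what nginx-proxy already recorded for the outer hop.
        proxy_set_header X-Forwarded-For $http_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
}
```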
Summary
- `nginx:alpine` container that proxies `nas.jasonernst.com` to the host's port 9999 (NAS web management UI)
- `host.docker.internal` (via `extra_hosts: host-gateway`) to reach the host from inside the container
- `nas.jasonernst.com` DNS already exists via dyndns

Test plan
- `ansible-playbook -i inventory.yml nas.yml --tags "nas-proxy"`
- `nas.jasonernst.com` loads the NAS web UI with SSL

🤖 Generated with Claude Code