Reverse Proxy Best Practices

Greetings all

I’m running multiple web applications for my company on our local servers, which also have to be accessible from outside. I’ve been progressively migrating most of them to Docker, but I still need to have some services running directly on separate physical servers.

Before that, we used an Apache reverse proxy on Ubuntu Server to route all the traffic to the correct server, but after migrating to Docker I switched to Traefik, which also easily handles Let’s Encrypt certificates, which I used to encrypt all of our connections, as previously everything ran on plain HTTP.

In the next few weeks I will be going through a major upgrade to a new pfSense firewall, and I was wondering whether it would be better to reverse proxy directly from pfSense rather than through Traefik on the first Docker server. That would shorten the path from the firewall to the services by one hop, as right now all the traffic goes through pfSense, then Traefik (on the Docker server), and then to the other servers.

So my question, as in the title, is: what would be the best practice in this situation?

If you already have it on a separate server, then there is not really a need to have it on pfSense. Using HAProxy on pfSense is nice as you don’t have to have an extra server, but you will probably have more options running a separate server and not having it tied into the firewall.

Thanks for sharing your view on it; I think I’m going to stick with it then. Doing it would make things easier as I’m already used to Traefik and won’t have to learn HAProxy from zero.