I’m currently self-hosting several services and looking to harden my setup. I already use Nginx Proxy Manager (NPM) with wildcard Let’s Encrypt certs, but I’m thinking of moving to something more robust with:

A proper WAF (Web Application Firewall)

Deep network monitoring (ideally per-container or per-service)

Possibly some bot protection and anomaly detection (ai scrapping is annoying)

I’ve looked into Traefik, BunkerWeb, and Pangolin. Each has pros and cons, BunkerWeb seems WAF-ready, but has some limitations (SSL setup is nightmare). Traefik is very flexible, but I’d need to add middleware myself (also runing non docker services). Pangolin looks great but werent able to get it work in my setup.

Main goals:

Secure exposure of HTTP(S) services (wildcard certs with Cloudlfare)

Easy rules for blocking bad IPs or patterns

Optional: rate-limiting, automatic fail2ban-style bans

Bonus: nice dashboard or at least logs that make sense

I also have a mix of Docker and bare metal services, so proxying non-container stuff cleanly is important.

My final goal is setup like this: OVH (Reverse Proxy - Firewall) - Tailscale - Hetzner Server)