System:Components
This document describes the key components of the jb-vpn.uk infrastructure.
Caddy (edge reverse proxy)
Purpose: Entry point for public HTTPS traffic on the VPS. Terminates TLS, routes by hostname, and proxies to local Docker services or to the NAS over OpenVPN.
Configuration: /etc/caddy/Caddyfile
Key features:
- Automatic Let's Encrypt certificates and renewal
- HTTP → HTTPS redirects
- Host-based routing (wiki.jb-vpn.uk, dsm.jb-vpn.uk, etc.)
- Proxy headers (Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto)
- WebSocket upgrade headers where needed
Management:
caddy validate --config /etc/caddy/Caddyfile
systemctl reload caddy
systemctl status caddy
journalctl -u caddy -n 50
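The following script is an added example, not the Caddyfile used on jb-vpn.uk: it renders Caddy v2 site blocks for the host-to-upstream inventory on this page and runs the same `caddy validate` check listed above. Hostnames and upstreams come from this page; the contact e-mail, temp-file handling and the decision to leave the NAS-side (VPN) hosts out are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the wiki's own config): render Caddy v2 site blocks for
# the VPS-hosted services and validate the result with `caddy validate`.
set -u

# site_block HOST UPSTREAM
# Prints one Caddyfile site block. Caddy v2's reverse_proxy already passes the
# Host header through, appends X-Forwarded-For, sets X-Forwarded-Proto and
# handles WebSocket upgrades, so only X-Real-IP needs an explicit header_up.
site_block() {
    printf '%s {\n' "$1"
    printf '\treverse_proxy %s {\n' "$2"
    printf '\t\theader_up X-Real-IP {remote_host}\n'
    printf '\t}\n'
    printf '}\n\n'
}

# static_block HOST ROOT
# Serves a directory directly instead of proxying.
static_block() {
    printf '%s {\n\troot * %s\n\tfile_server\n}\n\n' "$1" "$2"
}

# render_caddyfile
# Emits a complete Caddyfile. The global "email" option is what Caddy uses
# for the Let's Encrypt account; the address below is a placeholder.
render_caddyfile() {
    printf '{\n\temail admin@example.invalid\n}\n\n'
    site_block app.jb-vpn.uk        127.0.0.1:8008
    site_block app-beta.josh.me.uk  127.0.0.1:8009
    site_block app-db.josh.me.uk    127.0.0.1:8080
    site_block wiki.jb-vpn.uk       127.0.0.1:8010
    site_block werbs-wiki.jb-vpn.uk 127.0.0.1:8011
    static_block vps.jb-vpn.uk      /var/www/html
}

# count_proxied_sites
# Returns (prints) how many reverse_proxy sites the rendered file contains.
count_proxied_sites() {
    render_caddyfile | grep -c 'reverse_proxy '
}

# validate_caddyfile
# Writes the rendered file to a temp path and validates it. Because the temp
# name is not "Caddyfile", the adapter must be given explicitly.
validate_caddyfile() {
    local tmp rc
    tmp=$(mktemp)
    render_caddyfile > "$tmp"
    if command -v caddy >/dev/null 2>&1; then
        caddy validate --config "$tmp" --adapter caddyfile
        rc=$?
    else
        echo "caddy not installed; rendered config left at $tmp" >&2
        rc=2
    fi
    [ "$rc" -eq 0 ] && rm -f "$tmp"
    return "$rc"
}

# Run the validation only when asked, so the functions can be sourced.
if [ "${1:-}" = "--validate" ]; then
    validate_caddyfile
fi
```

Run it as `bash render-caddy.sh --validate` on the VPS; a non-zero exit means Caddy rejected the rendered file (or is not installed), and the file is kept so it can be inspected.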
VPS-hosted services (Docker)
| Service | Hostname | Local upstream |
| WebApp (prod) | app.jb-vpn.uk | 127.0.0.1:8008 |
| WebApp (beta) | app-beta.josh.me.uk | 127.0.0.1:8009 |
| phpMyAdmin | app-db.josh.me.uk | 127.0.0.1:8080 |
| Main wiki | wiki.jb-vpn.uk | 127.0.0.1:8010 |
| Werbs wiki | werbs-wiki.jb-vpn.uk | 127.0.0.1:8011 |
| Static site | vps.jb-vpn.uk | /var/www/html |
MediaWiki stack path: /var/www/wiki.jb/
OpenVPN tunnel
Purpose: Encrypted access from the VPS to the NAS for DSM, Plex, and SSH port forwarding.
Network:
- VPN server (VPS): 10.8.0.1 on tun0
- NAS client: 10.8.0.2
- Subnet: 10.8.0.0/24
Caddy reaches NAS services at 10.8.0.2 (e.g. DSM :5001, Plex :32400) only when the VPN tunnel is up.
WebApp internal Nginx
The WebApp Docker stack uses its own Nginx container for PHP/Laravel routing on 127.0.0.1:8008 / 8009. That is separate from the public edge proxy (Caddy).
Firewall and routing
iptables on the VPS:
- NAT / port forwards (e.g. SSH 22222 → 10.8.0.2:22)
- MASQUERADE for VPN clients
- FORWARD rules between tun0 and internal targets
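The script below is an added example, not a tool from this infrastructure: it audits the two things the OpenVPN tunnel and firewall sections above describe, namely that tun0 carries the VPN server address and that the iptables NAT, MASQUERADE and FORWARD rules are present. Addresses, interface and port numbers are taken from this page; the exact rule wording it expects, the eth0 name, and the check that the FORWARD chain defaults to DROP are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the wiki): audit the VPS firewall and VPN state.
# Functions read command output from stdin so they can be checked offline.
set -u

VPN_IF="tun0"
VPN_SERVER="10.8.0.1"
NAS="10.8.0.2"
VPN_NET="10.8.0.0/24"

# check_tunnel
# Reads `ip -o addr show` output on stdin; returns 0 when the VPN server
# address is bound on the tunnel interface (either p2p "inet A peer B" or
# subnet "inet A/24" form).
check_tunnel() {
    grep -Eq -- "^[0-9]+: ${VPN_IF} +inet ${VPN_SERVER}[ /]"
}

# check_rules
# Reads an `iptables-save` dump on stdin and prints one ok/FAIL line per
# expected rule. Returns the number of failed checks (0 = all present).
# Each entry is "name|grep -E pattern"; the DROP policy is an assumed
# hardening baseline, not something this page states.
check_rules() {
    local dump failed spec name pattern
    dump=$(cat)
    failed=0
    for spec in \
        "ssh-dnat|-A PREROUTING .*--dport 22222 .*-j DNAT --to-destination ${NAS}:22" \
        "masquerade|-A POSTROUTING -s ${VPN_NET} .*-j MASQUERADE" \
        "forward-policy|^:FORWARD DROP" \
        "forward-established|-A FORWARD .*(RELATED|ESTABLISHED).*-j ACCEPT" \
        "forward-vpn-out|-A FORWARD -i ${VPN_IF} .*-j ACCEPT" \
        "forward-ssh-to-nas|-A FORWARD .*-d ${NAS}/32 .*--dport 22 .*-j ACCEPT"
    do
        name=${spec%%|*}
        pattern=${spec#*|}
        if printf '%s\n' "$dump" | grep -Eq -- "$pattern"; then
            printf 'ok   %s\n' "$name"
        else
            printf 'FAIL %s\n' "$name"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Live mode: run against this host (iptables-save needs root).
if [ "${1:-}" = "--live" ]; then
    if ip -o addr show | check_tunnel; then
        echo "ok   ${VPN_IF} has ${VPN_SERVER}"
    else
        echo "FAIL ${VPN_IF} does not carry ${VPN_SERVER}; Caddy cannot reach ${NAS}"
    fi
    iptables-save | check_rules
fi
```

Running `sudo bash audit-vpn-fw.sh --live` after a reboot or an iptables change gives a quick answer to the question this page raises, whether the NAS-backed hostnames can work at all: a missing tun0 address or a failed FORWARD check means DSM and Plex are unreachable through Caddy even though Caddy itself is healthy.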
Related documentation
- Network Architecture — topology and ports
- Security — security layers
- Services:Current Services — per-hostname inventory