I currently have my reverse proxy on my NAS. That means I forward all of my 443 HTTPS traffic to my NAS. I am using OPNsense for my router, and there are several options for reverse proxies on that. Everything works the way it is now, but I do wonder if it would be “better” if I moved all of the reverse proxy stuff to my router. I don’t know that anything would be simpler to manage one way or the other, so I think it comes down to best practices and security. If I move the reverse proxy to my router, I would be able to remove that forwarded port, but is that really any more or less secure?
I try to keep my router and NAS clutter-free as far as software goes. Each additional service you run, especially that listens to requests from clients you can’t control, could open you to a vulnerability that might give system access.
I run a reverse proxy on a dedicated Pi and have firewall rules on the Pi to only allow outgoing connections to the hosts I’m proxying to.
Maybe I’m paranoid but I’m sure there are lots of good and bad eyes looking at Nginx’s code.
I too have an nginx reverse proxy, ddclient, and PiHole on a dedicated Pi behind the router and in front of literally everything else.
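The egress restriction mentioned in the reply about the dedicated Pi (outgoing connections allowed only to the proxied hosts) could look like this with nftables. This is an added example, not a configuration posted by anyone in the thread; the function name, table name and backend addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Render an nftables ruleset that limits a reverse-proxy host's NEW outbound
# connections to a fixed list of backends (hypothetical helper, added example).
# Usage: sh egress.sh 192.168.1.20:8080 192.168.1.30:443 | nft -c -f -
# (-c only checks the ruleset; drop it to load the rules.)

# Arguments are IPv4 "address:port" pairs. Returns 1 and prints no ruleset
# if any argument is malformed, so a typo never yields a partial policy.
render_egress_rules() {
    rules=""
    for backend in "$@"; do
        addr=${backend%:*}
        port=${backend##*:}
        # Shape check only: four dot-separated groups of 1-3 digits.
        if ! printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "bad address: $backend" >&2; return 1
        fi
        case $port in
            ''|*[!0-9]*) echo "bad port: $backend" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port: $backend" >&2; return 1
        fi
        rules="${rules}        ip daddr $addr tcp dport $port ct state new accept
"
    done
    # established,related lets replies to inbound client connections leave;
    # everything else not listed above is logged and dropped.
    cat <<EOF
table inet proxy_egress {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
${rules}        log prefix "proxy-egress-drop: " counter drop
    }
}
EOF
}

# Run as a script: render rules for the backends given on the command line.
if [ "$#" -gt 0 ]; then render_egress_rules "$@"; fi
```

With this policy, DNS lookups, NTP and package updates from the proxy host are dropped as well unless matching accept rules are added.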