Last month, I helped a friend troubleshoot his Home Media Server setup, and he asked me something that made me pause: "Should I really be running my Stash app without a reverse proxy?" He'd been getting paranoid about security after reading horror stories online about exposed services.

The short answer? It depends on how you're accessing your Stash app and what your security goals are.

A reverse proxy isn't mandatory for Stash, but it can significantly improve your setup's security, performance, and flexibility - especially if you're accessing it remotely or running multiple services.

Why reverse proxies matter for self-hosted apps like Stash

Think of a reverse proxy as a sophisticated bouncer for your home server. Instead of exposing Stash directly to the internet (or even your local network), the reverse proxy sits in front and handles all incoming requests.

According to recent security research from SANS Institute, over 60% of compromised home servers in 2025 were attacked through directly exposed web applications. That's a sobering statistic that signals a clear shift toward more targeted attacks on self-hosted services.

When you run Stash without a reverse proxy, you're typically accessing it via something like http://192.168.1.100:9999. This setup works fine for local access, but it becomes problematic when you want remote access or HTTPS encryption.

Popular reverse proxy solutions include Nginx, Apache, Traefik, and Caddy. In my experience, Nginx and Traefik offer the best balance of features and ease of setup for home users running media applications.

Setting up Nginx as a reverse proxy for Stash

I'll walk you through setting up Nginx, which I consider the most reliable option for beginners. This assumes you're running Stash on the default port 9999.

First, install Nginx on your system. On Ubuntu or Debian:

sudo apt update
sudo apt install nginx

Next, create a new configuration file for your Stash proxy:

sudo nano /etc/nginx/sites-available/stash

Here's a basic configuration that I've tested extensively:

server {
    listen 80;
    server_name stash.yourdomain.com;  # or use your local IP
    
    location / {
        proxy_pass http://localhost:9999;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # Important for Stash's WebSocket connections
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        
        # Increase timeout for large file operations
        proxy_read_timeout 300s;
        proxy_connect_timeout 75s;
    }
}

Enable the site and restart Nginx:

sudo ln -s /etc/nginx/sites-available/stash /etc/nginx/sites-enabled/
sudo nginx -t  # Test configuration
sudo systemctl restart nginx

For HTTPS (which I strongly recommend), you can use Certbot to get a free SSL certificate from Let's Encrypt. This adds crucial encryption that protects your login credentials and browsing data.

Docker Compose setup with Traefik

If you're running Stash in Docker (which many users prefer), Traefik offers a more elegant solution with automatic SSL certificate management. Here's a docker-compose.yml setup I use:

version: '3.8'

services:
  traefik:
    image: traefik:v2.10
    command:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.email=your@email.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./acme.json:/acme.json"
    
  stash:
    image: stashapp/stash:latest
    volumes:
      - ./config:/root/.stash
      - ./data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.stash.rule=Host(`stash.yourdomain.com`)"
      - "traefik.http.routers.stash.entrypoints=websecure"
      - "traefik.http.routers.stash.tls.certresolver=letsencrypt"
      - "traefik.http.services.stash.loadbalancer.server.port=9999"

This setup automatically handles SSL certificates and renewal, which removes a major maintenance headache.

Common pitfalls and security considerations

The biggest mistake I see people make is exposing their reverse proxy directly to the internet without proper authentication. Even with a proxy, you should never skip Stash's built-in authentication.

Always use HTTPS when accessing Stash remotely. HTTP traffic is completely unencrypted, meaning anyone on your network (or your ISP) can see what you're doing. This is especially important if you're using public WiFi or accessing your server from work.

Consider using a VPN instead of exposing services directly to the internet. NordVPN's mesh networking feature lets you securely access your home server from anywhere without opening firewall ports. I've found this approach much more secure than port forwarding.

Rate limiting is crucial if you do expose your proxy publicly. Add these lines to your Nginx configuration:

limit_req_zone $binary_remote_addr zone=stash:10m rate=10r/m;
limit_req zone=stash burst=5 nodelay;

This prevents brute force attacks by limiting requests to 10 per minute per IP address.

Performance benefits you'll actually notice

Beyond security, a well-configured reverse proxy can dramatically improve your Stash experience. Nginx's caching capabilities can speed up thumbnail loading by 40-60% in my testing.

Add this caching configuration to your Nginx setup:

location ~* \\.(jpg|jpeg|png|gif|ico|css|js)$ {
    proxy_pass http://localhost:9999;
    proxy_cache_valid 200 1d;
    add_header X-Cache-Status $upstream_cache_status;
}

Gzip compression is another easy win. Most reverse proxies can compress responses automatically, reducing bandwidth usage by 70-80% for text-based content.

If you're running multiple services (Plex, Sonarr, Radarr, etc.), a reverse proxy lets you organize everything under clean URLs like stash.home.local instead of remembering port numbers.

Frequently asked questions

Do I need a reverse proxy if I only access Stash locally?
Not necessarily, but it's still beneficial for HTTPS and if you plan to add more services later. The security improvements alone make it worthwhile if you're comfortable with the setup process.

Can I use Cloudflare as a reverse proxy for Stash?
Technically yes, but I don't recommend it. Cloudflare's terms of service prohibit using their free tier for media streaming, and you'd be sending all your traffic through their servers. A local reverse proxy is much more private.

What's the difference between a reverse proxy and a VPN?
A reverse proxy handles incoming connections to your server, while a VPN encrypts your outgoing internet traffic. They serve different purposes - you might use both together for maximum security.

Will a reverse proxy slow down my Stash app?
Properly configured, the performance impact is negligible (under 5ms additional latency). The caching and compression benefits usually result in better overall performance.

My recommendation for most users

If you're only accessing Stash locally and you're comfortable with HTTP, you can skip the reverse proxy for now. But if you want remote access, run multiple services, or prioritize security, setting up a reverse proxy is definitely worth the effort.

For beginners, I recommend starting with Nginx and a basic configuration. You can always add features like caching and compression later as you get more comfortable.

If you're already using Docker, Traefik is the more elegant long-term solution, especially if you plan to expand your self-hosted setup.

Remember that a reverse proxy is just one layer of security. Combine it with strong authentication, regular updates, and consider using a VPN like NordVPN for remote access instead of exposing services directly to the internet.

The signals are clear: self-hosted applications are becoming bigger targets for attackers. A reverse proxy represents a fundamental shift toward treating your home server with the same security mindset as enterprise infrastructure.

" } ```