I’ve got a reverse proxy set up, with my services going through it. Is there a way I can screen connections? Basically it would prevent a connection and just return the page not found, and give me some sort of way to know that someone tried to connect, and I could allow future connections from said IP or device (ideally this works on mobile devices on cellular; not sure how that would work if it was through IP).
Why not just have a VPN that only allows devices you trust access to your home network?
The most secure way (aside from not doing it at all) would be to run a reverse proxy on a VPS and tunnel back into your network router via a VPN to your self hosted services.
Traffic is allowed only to certain ports via your VPN connection, you can run geo blocking lists and IPS and whatnot as you see fit.
To return “not found”, simply don’t point a URL to the service you don’t want to show and it’ll do exactly that.
I’m using certificate based authentication for internal services that are meant for internal use. This does require that you have your internal CA though. I’m using FreeIPA as IAM tool which also signs user certificates (makes PKI life easy) that are checked by the reverse proxy. If you can present a valid certificate of FreeIPA you will be allowed. In addition I recently also added that it checks if you’re part of a certain LDAP group based on the CN in the certificate.
What you want is not in scope of nginx, I think. You need a proper firewall in front of it to filter traffic the way you described. I’m hosting from home, so I’ve put a pfSense box in front of my server. I already have geo-filtering set up and I’m in the process of figuring out Snort (IDS/IPS). There are plenty of other interesting packages, and pfSense itself… it’s a bit of a rabbit hole.
If you’re using a VPS instead, I’m not sure if there is a software solution that would provide that level of control. I would still use pfSense in a separate VM, routing all traffic through it in that case.
You can do something as simple as creating a basic login page, and not routing your page unless the user sets a flag when they log in. Or you can strengthen the above setup by adding OAuth2 with JWT.
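The "flag set at login" idea above, done as a signed JWT so the reverse proxy can check it statelessly. This is an added example, not code from the thread or from any OAuth2 provider: HS256 signing and verification with the Python standard library only. The shared secret, the issuer name and the `allowed` claim are assumptions for the example; a real deployment would load the secret from configuration and would usually let an OAuth2 provider mint the token.

```python
"""HS256 JSON Web Token mint/verify with an explicit access flag (stdlib only).

Added example: shows a login page setting an `allowed` flag inside a signed
token and the reverse-proxy side verifying signature, expiry, issuer and flag.
SECRET and ISSUER are assumptions, not values from the thread.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-secret-change-me"  # assumption: shared by login page and proxy
ISSUER = "login.example.home"         # assumption


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; re-adds the padding urlsafe_b64decode insists on."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(subject: str, allowed: bool, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issue a token for `subject`; `allowed` is the flag the proxy will gate on."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "iat": now, "exp": now + ttl, "allowed": allowed}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is valid and grants access, else None.

    Rejects malformed tokens, any alg other than HS256 (so a client cannot
    downgrade to alg=none), bad signatures, expired tokens, a wrong issuer,
    and tokens whose `allowed` flag is anything but True.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    exp = claims.get("exp")
    if claims.get("iss") != ISSUER or not isinstance(exp, int) or exp <= now:
        return None
    if claims.get("allowed") is not True:
        return None
    return claims


if __name__ == "__main__":
    tok = mint("alice", allowed=True, ttl=60)
    print(tok)
    print(verify(tok))
```

The proxy side only needs `verify`: a 200 when it returns claims, otherwise a redirect to the login page. The alg check and `compare_digest` are the two lines most often missing from home-grown JWT code, and both are what an attacker would probe first.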
Screening by IP is difficult when it comes to mobile devices because you get a different IP when you connect, at least with AT&T. I use a VPN for that, but your VPN server would have to be reachable on the web, and that probably means paying for a cloud server. Digital Ocean is cheap, ~$5/mo.
It isn’t without configuration, but as others have said, it sounds like a VPN is what you are looking for. I have been using WireGuard for a while, and while it is slightly cumbersome to configure initially, it works great and is super performant. Once you configure it, it’s just a button click to turn on.
Basic password http authentication would be much simpler.
Use Vouch Proxy; you can add OAuth and require users to authenticate via Google before the reverse proxy sends them to your services.
Don’t know if it was already suggested but Cloudflare free plan allows you to enable email 2FA as the landing page of any website you have that uses Cloudflare DNS.
Do you mean by ip?
For example, I run the SWAG Docker image from linuxserver.io.
And some services are only available from my internal IP.
SWAG is using nginx.
I think this is what you are looking for!
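The "internal IP only" screening from the post above, plus the logging and later allow-listing the original poster asked for, written out as an added example rather than anything from SWAG or the thread. It is a small backend for nginx's `auth_request`: nginx is assumed (not shown on the page) to forward the real client address in `X-Real-IP` and the requested host in `X-Forwarded-Host`, to treat a 200 as "let it through", and to map the 403 to the 404 the outsider sees with `error_page 403 =404`. The networks, the pending list and the header names are assumptions for the example.

```python
"""Allow-listed IP gate for nginx auth_request; everyone else gets denied and logged.

Added example, not code from the thread or from SWAG. Assumptions: nginx sets
X-Real-IP from $remote_addr itself (never trust a client-supplied header for
this), and maps this app's 403 to a 404 so the service's existence is hidden.
"""
import ipaddress
import logging
from datetime import datetime, timezone

log = logging.getLogger("gate")

# Constructed allow-list: one LAN range and one WireGuard tunnel range.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.8.0.0/24"),
]

# Constructed pending list: denied addresses the operator may later allow.
PENDING = {}


def is_allowed(client_ip: str) -> bool:
    """True if client_ip (v4 or v6) lies inside an allowed network; garbage never is."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def record_attempt(client_ip: str, host: str) -> str:
    """Log a denied attempt and remember the IP so the operator can allow it later."""
    PENDING[client_ip] = PENDING.get(client_ip, 0) + 1
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    line = f"{stamp} denied ip={client_ip} host={host} count={PENDING[client_ip]}"
    log.warning(line)
    return line


def allow_ip(client_ip: str) -> None:
    """Operator action: promote one pending address to the allow-list (/32 or /128)."""
    ALLOWED_NETWORKS.append(ipaddress.ip_network(client_ip.strip()))
    PENDING.pop(client_ip, None)


def decide(headers: dict) -> tuple:
    """Return (status, body) for one auth_request subrequest."""
    client_ip = headers.get("X-Real-IP", "")
    host = headers.get("X-Forwarded-Host", "?")
    if is_allowed(client_ip):
        return 200, "ok"
    record_attempt(client_ip, host)
    # 403 here; nginx's `error_page 403 =404` turns it into the 404 the client sees.
    return 403, "forbidden"


def app(environ, start_response):
    """Minimal WSGI adapter so the gate can run under any WSGI server."""
    headers = {
        "X-Real-IP": environ.get("HTTP_X_REAL_IP", ""),
        "X-Forwarded-Host": environ.get("HTTP_X_FORWARDED_HOST", "?"),
    }
    status, body = decide(headers)
    reason = {200: "200 OK", 403: "403 Forbidden"}[status]
    start_response(reason, [("Content-Type", "text/plain")])
    return [body.encode()]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    logging.basicConfig(level=logging.INFO)
    make_server("127.0.0.1", 9000, app).serve_forever()
```

The pending list is what gives the operator the "someone tried to connect, allow them next time" workflow; the log line carries the host so attempts against different services stay distinguishable. It also makes the thread's cellular caveat concrete: a phone gets a new address on each connection, so `allow_ip` on a single address buys little there, which is why the other replies steer mobile devices toward a VPN instead.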
The reason I didn’t do it with a VPN is because I have some things that I want people to have easy access to: I have some services that I want friends to be able to access, and I have some game servers that I want anyone to be able to access without having access to my other services.
I have a similar setup to what he is talking about. Services like Airsonic, Nextcloud and Bitwarden are on my nginx reverse proxy. I CNAME each service and use nginx as a reverse proxy and to manage my SSL certs.
I also have a VPN setup and do wonder which setup I should be using more. Using the VPN to tunnel in and access all internally or using the setup above.
There are a few mentions of a VPS here; from my understanding that means I have to pay a service to host it, correct? Or is a VPS something I can host myself?
I’m trying to stick to things I can host entirely on my own so I don’t have to deal with recurring costs; I’m 15 and don’t really have an income other than mowing some lawns.
So I’ve looked into SWAG and it is what I’m looking for, but I’m currently using nginxproxymanager and I really like having the web UI to mess around with settings. I’m new to a lot of this networking stuff, so a lot of what I’m doing right now is trial and error, and having the GUI makes it really quick to experiment. I do think I might switch to SWAG sometime in the future, but I think I’m gonna end up using Cloudflare’s free tier to proxy and set up a firewall, like some others have suggested.
For your internal apps, is there authentication involved? Is it not enough? You should be able to put auth in front of your reverse proxy, and then give yourself and those you want to be able to access things a user/pass. To make it more secure you could also have auth for your internal services.
You won’t have to choose just one. For example, I use my reverse proxy for Nextcloud and some other things I need to be world accessible. I have my VPN for Remote Desktop and things that don’t have to be world accessible.
I think when people suggest a VPN from a VPS, they just mean a second server and a firewall.
When I selfhosted, I used to have my storage (NAS) on a storage vlan, my internal services on a “server” vlan, and my external services on a DMZ vlan. Servers then accessed storage from the NAS via kerberized NFSv4 through the firewall, and for the DMZ network, NFSv4 was the only traffic allowed inside (except established / related).
This does create a router-on-a-stick setup, which might not be ideal for everybody, but if your traffic is low volume, or your network is fast enough, then it won’t be a problem. As for me, I have a 10G backbone and most clients are 1G. For regular low-volume traffic 1G will be plenty (except if your internet is faster than 1G, of course).
Also know that you don’t need 2 physical machines. I ran mine on Proxmox. If dealing with nfs mounts, LXC containers cannot mount them, and all storage needs to be mounted outside the container, which creates permission problems, so I just ran it as virtual machines.
Now, I can understand why you want to self host, but you really should look at all the free tiers of various services and see if they fit your needs. The internet is a hostile place.
Edit:
There are few things as attractive and expensive as self hosting. Moved everything to the cloud around New Years, and I’m saving money every month. The power consumption alone was more than my cloud subscriptions cost. Everything is of course encrypted.
Some napkin math:
Self hosted:
- Synology 4-bay NAS with 4 x 6TB drives: €1280
- Remote backup of 1TB for 5 years: €375
- Proxmox server: €847
- Local 8TB backup: €167
- Power consumption (NAS 45W, server 20W): 569 kWh/year @ €0.3 = €170/year, or €853.5 over 5 years.
In total you’re looking at €3522.5 for 5 years, or €704/year assuming your hardware lasts 5 years. €58.5/month.
Compare that to my cloud setup:
- Jottacloud subscription: €80/year, €400 for 5 years.
- Microsoft 365 Family subscription: €59/year, €295 for 5 years.
- Local server for backups: €300
- 8TB backup drive: €167
- Power consumption: 15W, 131 kWh/year, €220 over 5 years.
In total €1382 for 5 years of cloud service, or €276/year (€23/month).
So on top of saving money every day, I get enterprise grade equipment hosting my stuff, and no longer have to worry about failing hardware. I also don’t worry (too much) about patching vulnerabilities as I have 0 open ports in my firewall. I still patch daily though. I have a local backup of everything, and data in the cloud is encrypted either with rclone or Cryptomator.
Some of the money I save is instead used to buy services from Microsoft Azure (it’s what I know; others may prefer Google or AWS). The future is moving to the cloud, and the need for local sysadmins is dwindling.
Look into PiVPN. You can set up either WireGuard or OpenVPN and it pretty much does everything for you. There are some good tutorials for how to set it up on a Raspberry Pi on the pimylifeup website.
That’s definitely understandable! I will be honest, I have not used Nginx Proxy Manager, but if it is running nginx you should be able to do what SWAG is describing in the link I sent. But whatever works for you! It’s all about trial and error!