I’ll provide an ELI5, though if you actually want to use it you’ll have to go beyond ELI5.

You contact a web service via a combination of IP address and port. For the sake of simplicity, we can assume that domain name is equivalent to IP address. You can then compare domain name/port with street name/street number: you need both to actually find someone. By default, some street numbers are really standard, like 443 is for regular encrypted connection. But you can have any service on any street number, it’s just less nice and less standard. This is usually done on closed networks.

Now what happens if you have a lot of services and you want all of them reachable at address 443? Well basically you are now in the same situation as a business building with a lobby. Whenever you want to contact a service, you go to 443, ask the reception what floor they are in, and they will direct you there. The reception desk is your proxy: just making sure you talk to the right people.

Since you already got a lot of ELI5s, here is a basic to-do to get you up and running. From my experience, since I use the exact same setup as you describe.

1. Set up your containers in a way you can reach them from you local network (e.g. http://123.456.789.10:123)
2. Get a domain name (you can get one at the registrar of your choice, e.g. mydomain.com)
3. Set up NGINX proxy manager (NPM) (default address of webui would be http://123.456.789.10:81)
4. Set up a new proxy host in NPM:
   • Domain name: mycontainer.mydomain.com
   • Scheme: http
   • Forward Hostname/IP: 123.456.789.10 (if you get an error later on, you can use the docker container name if NPM and your container are connected to the same Docker network)
   • Port: 123
   • Via access lists you can provide a very basic username/pw login to protect your sites (you can do more and cooler stuff with Authelia)
   • In the SSL tab you can (and should) setup the SSL encryption: https://www.youtube.com/watch?v=TBGOJA27m_0
5. Go to the DNS management of your registrar
   • Add an A-record for mydomain.com and the public IP of your server (you can google public IP to find it out)
   • Add a CNAME record for the subdomain with name mycontainer and target mydomain.com
6. open port 443 of your server in your router If everything worked right, you can visit mycontainer.mydomain.com, your DNS server will resolve this to your public IP and forwards the request to nginx, which will serve the data of your local container

IPv4 version: Think of your public IP:Port as the office building, your internal IP:Port as the floor number, and reverse proxy as the reception on that floor.

(Your public IP:Port is routed to your internal IP:Port by the NAT on your router. The router knows which public port relates to which internal IP:Port due to the port forwarding rules you setup.)

IPv6 version: Think of your public IP:Port as the office, and the reverse proxy as the reception.

The following will be common to both IP protocols.

The port is usually 80 or 443, because reverse proxy is used for HTTP(S) connections, and by default those connections use the aforementioned ports.

When someone connects to your IP:Port, they ask the reverse proxy “hey, can you bring me to Mr. https://my-awesome-plex.xyz/ ?” and the reverse proxy will act as a middleman between that someone and the actual server that is serving that domain name.

The reverse proxy, as a middleman, forwards your requests to the server, and the server’s response is forwarded back to you by the reverse proxy too.

And just to make things complete… Why do we use reverse proxies?

1. To hide the identity of the actual server. This is easy to understand - you are only ever talking to the proxy, never the actual server. It’s just that your messages are continually forwarded to the actual server.

2. To save IP addresses. (One public address can serve multiple websites, if the actual servers are given only private IP addresses.)

3. To load balance. The reverse proxy can direct one to another server if the first server is overloaded. This requires a website to be served by more than one server though, and selfhosters like us never really need it.

4. To prevent attacks. If the reverse proxy realises that someone has been making too many connections to https://my-awesome-nas.com/, the reverse proxy can reject subsequent connections. This is how Cloudflare works.

5. Caching. If the middleman remembers that the server responded “what is the answer to everything” with “42”, then the next time someone asks the same question again, the middleman will simply reply with the same response. This takes off the workload on the server.