I’m going round in circles on this one.

What I want to do is:

  • serve up my self-hosted apps with https (to local clients only - nothing over the open web)
  • address them as ‘app.server.lan’ or ‘sever.lan/app’
  • preferably host whatever is needed in docker

I think this is achievable with a reverse proxy, some kind of DNS server and self-signed certs. I’m not a complete noob but my knowledge in this area is lacking. I’ve done a fair bit of research but I’m probably not using the right terminology or whatever.

Would anyone have a link to a good guide that covers this?

  • philpo@feddit.orgEnglish
    0·
    16 days ago

    It is absolutly possible, but oersonally I would highly recommend getting yourself a proper public domain for that,even if you won’t use it otherwise (it’s even somewhat saver if you use a designated one for it).

    To make it really easy get the domain with someome who also provides DNS with it (Hetzner is a solid choice, so are others, has to have an API). (E.g. “mydomain.casa”.)

    Now get an internal DNS server that can handle it’s own zones. I always recommend technitium, but there are other choices. Pihole is not a good choice here.

    Next thing is a reverse proxy,as you mentioned. If you want it easy, NginxProxyManager is a good choice, but limits what one can do later. But it kind of works out of the box. Traefik and caddy are both often named,but I found none of them as “fire and forget” as NPM is - and caddy can’t do a lot of things either. Traefik is what I currently use,but even using Manatrae or similar GUIs it’s sometimes a pain. But it’s absolutely powerful especially when you run a lot of docker container on the same host. Tbh, if I had not some special requirements I would still use NPM.

    Now, what to do? (Not a full manual, more like a ovrview that it’s not that complicated)

    1. Install all of the above on docker.
    2. Setup NPM with a wildcard certificate, register with zerossl.com (has advantages over LetsEncrypt), add them as a provider and get a wildcard(!) certificate. (*.yourdomain.casa).
    3. Setup a proxy host. You simply add the domainname (nextcloud.mydomain.casa),point it to the actual container ("192.168.1.10:3000) and choose the wildcard certificate as a SSL and switch on “force SSL”.
    4. Go to the DNS server, create a DNS zone “mydomain.casa” and then simply add “nextcloud.mydomain.casa” and point it to the Reverse proxy IP. Done.

    For good practice I would recommend to also keep a zone that links directly to the services so you can use that whenever necessary. (mydomain.internal)

    • Archy@lemmy.worldEnglish
      2·
      15 days ago

      Just curious, why is PiHole not a good choice here? I am using it for internal DNS management

    • hietsu@sopuli.xyzEnglish
      0·
      16 days ago

      Umm, wildcard certs from ZeroSSL seem to run at $52.99 per month, billed yearly. Free plan does not have those, neither does Basic.

      • TimeWalker@piefed.foxden.partyEnglish
        1·
        14 days ago

        As I understood, the one that you see on the page is something distinct. They have a different service on their ACME page. If you’re using a script like acme.sh or using the ACMEIssuer in Caddy, then you can get a free wildcard certificate over that. But I assume it’s losing the advantages that have been mentioned like the web dashboard, etc.

        • hietsu@sopuli.xyzEnglish
          1·
          14 days ago

          Good to know! *-cert is definitely something I’d need to setup in my self host setup, though a little complex as my (free) domain provider does not let me edit TXT records for DNS-01.

      • philpo@feddit.orgEnglish
        0·
        16 days ago

        Sorry, then proceed with LE. Got that part mixed up, you are totally rjght.