I’m going round in circles on this one.

What I want to do is:

  • serve up my self-hosted apps with https (to local clients only - nothing over the open web)
  • address them as ‘app.server.lan’ or ‘sever.lan/app’
  • preferably host whatever is needed in docker

I think this is achievable with a reverse proxy, some kind of DNS server and self-signed certs. I’m not a complete noob but my knowledge in this area is lacking. I’ve done a fair bit of research but I’m probably not using the right terminology or whatever.

Would anyone have a link to a good guide that covers this?

  • philpo@feddit.orgEnglish
    6·
    9 days ago

    It is absolutly possible, but oersonally I would highly recommend getting yourself a proper public domain for that,even if you won’t use it otherwise (it’s even somewhat saver if you use a designated one for it).

    To make it really easy get the domain with someome who also provides DNS with it (Hetzner is a solid choice, so are others, has to have an API). (E.g. “mydomain.casa”.)

    Now get an internal DNS server that can handle it’s own zones. I always recommend technitium, but there are other choices. Pihole is not a good choice here.

    Next thing is a reverse proxy,as you mentioned. If you want it easy, NginxProxyManager is a good choice, but limits what one can do later. But it kind of works out of the box. Traefik and caddy are both often named,but I found none of them as “fire and forget” as NPM is - and caddy can’t do a lot of things either. Traefik is what I currently use,but even using Manatrae or similar GUIs it’s sometimes a pain. But it’s absolutely powerful especially when you run a lot of docker container on the same host. Tbh, if I had not some special requirements I would still use NPM.

    Now, what to do? (Not a full manual, more like a ovrview that it’s not that complicated)

    1. Install all of the above on docker.
    2. Setup NPM with a wildcard certificate, register with zerossl.com (has advantages over LetsEncrypt), add them as a provider and get a wildcard(!) certificate. (*.yourdomain.casa).
    3. Setup a proxy host. You simply add the domainname (nextcloud.mydomain.casa),point it to the actual container ("192.168.1.10:3000) and choose the wildcard certificate as a SSL and switch on “force SSL”.
    4. Go to the DNS server, create a DNS zone “mydomain.casa” and then simply add “nextcloud.mydomain.casa” and point it to the Reverse proxy IP. Done.

    For good practice I would recommend to also keep a zone that links directly to the services so you can use that whenever necessary. (mydomain.internal)

    • hietsu@sopuli.xyzEnglish
      1·
      8 days ago

      Umm, wildcard certs from ZeroSSL seem to run at $52.99 per month, billed yearly. Free plan does not have those, neither does Basic.

    • jonno@discuss.tchncs.deEnglish
      2·
      8 days ago

      This is the way! Also without having to open a port, you can use dns over tls. Also use duckdns or any other free dynamic dns provider.

  • kossa@feddit.orgEnglish
    3·
    8 days ago

    Lots of people recommending a proper domain, I would as well (way easier)

    Just, if you want to go the complete “independent” route: either make sure all the ylients you plan to use can just accept self-signded certs and skip validation or you need to create your own CA and import those into your clients.

    Depending on which clients you plan on using that might be impossible (e.g. for some IoT devices, some Smart TVs and such).

    That is why having an proper domain and use LetsEncrypt, ZeroSSL et. al. is way easier.

  • Funky_Beak@lemmy.sdf.orgEnglish
    2·
    9 days ago

    Personal solution:

    • Openssl certs (lots of youtube videos on best practice there).
    • nginx reverse proxy manager
    • adguard home using the dns rewrite pointing to the wildcard domain.

    This is enough i find for intranet use. You can get fancy and put it over a wireguard or tailscale network too.

  • Elvith Ma'for@feddit.orgEnglish
    2·
    9 days ago

    I have this setup. I bought a domain (say homeserver.tld) from a registrar that allows zone edits with an API. Then I use certbot with a plugin that supports my registrar to get real Let’s Encrypt certificates. Usually Let’s encrypt connects to your server to ensure that it responds to the domain you’re requesting a certificate for, but this challenge can also be done by editing the DNS record of your domain to prove ownership. That is called DNS-01 challenge and is useful of your domain is not publicly reachable. Google for certbot DNS-01 your registrar to find some documentation.

    Some of the VMs/LXC now get certificates for a specific subdomain (“some-app.homeserver.tld”), other just get a wildcard certificate (“*.homeserver.tld”) - e.g. my docker host.

    • robador51@lemmy.mlEnglish
      2·
      9 days ago

      I do the same. I have a real domain and certbot does a dns challenge. It was a little fiddly and took a moment to figure out, i think that was because i couldn’t gat caddy to work, but traefik worked a charm. Self signing is more complex i think because you’ll need to accept the root in every client (browsers especially?), which is even more fiddly.

      • Elvith Ma'for@feddit.orgEnglish
        1·
        8 days ago

        Yeah, that’s exactly why I didn’t use my own CA. There’s a plethora of devices that you now need to import the CA to and then you need to hope, that every application uses the system cert store and doesn’t roll its own (IIRC e.g. Firefox uses its own cert store and doesn’t use the system cert store. Same for every java based application,…)

        It’s fiddly with Caddy, as you need a specific plugin to get it to work with anything else than the default challenge. That means using a custom build via caddy - and with docker, you’re SOL. BUT you can just use certbot and point caddy to the cert file in your file system.

  • coffeeboba@lemmy.worldEnglish
    2·
    9 days ago

    Pasting a comment I made in another similar thread:

    I use a reverse proxy (caddy), and point a domain at my machine.ts-domain.ts.net which hosts caddy

    this way I can go to service.my.domain instead of machine:port as long as I’m connected to tailscale. any devices not on my tailscale network just get bounced if they hit the domain

  • borax7385@lemmy.worldEnglish
    1·
    9 days ago

    1. Point the hostname of your service to the IP of the proxy in the DNS.

    2. For the certs you need an internal CA. I use Step CA which has ACME support so the proxy can get certificates easily.

    3. Add the root CA certificate to your computer certificate trust store.

    4. Profit!!

  • exu@feditown.comEnglish
    11·
    9 days ago

    It’s probably just easier to use public certs with DNS verification than building and distributing your own certs.