this post was submitted on 25 Oct 2025
60 points (96.9% liked)

Selfhosted

59973 readers
451 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
60
Internal domain and reverse proxy (lemmy.zip)
submitted 7 months ago by jobbies@lemmy.zip to c/selfhosted@lemmy.world
29 comments fedilink hide all child comments
 

I'm going round in circles on this one.

What I want to do is:

  • serve up my self-hosted apps with https (to local clients only - nothing over the open web)
  • address them as 'app.server.lan' or 'sever.lan/app'
  • preferably host whatever is needed in docker

I think this is achievable with a reverse proxy, some kind of DNS server and self-signed certs. I'm not a complete noob but my knowledge in this area is lacking. I've done a fair bit of research but I'm probably not using the right terminology or whatever.

Would anyone have a link to a good guide that covers this?

you are viewing a single comment's thread
view the rest of the comments
[–] elvith@feddit.org 14 points 7 months ago* (last edited 7 months ago) (1 children)

I have this setup. I bought a domain (say homeserver.tld) from a registrar that allows zone edits with an API. Then I use certbot with a plugin that supports my registrar to get real Let's Encrypt certificates. Usually Let's encrypt connects to your server to ensure that it responds to the domain you're requesting a certificate for, but this challenge can also be done by editing the DNS record of your domain to prove ownership. That is called DNS-01 challenge and is useful of your domain is not publicly reachable. Google for certbot DNS-01 your registrar to find some documentation.

Some of the VMs/LXC now get certificates for a specific subdomain ("some-app.homeserver.tld"), other just get a wildcard certificate ("*.homeserver.tld") - e.g. my docker host.

[–] robador51@lemmy.ml 5 points 7 months ago (1 children)

I do the same. I have a real domain and certbot does a dns challenge. It was a little fiddly and took a moment to figure out, i think that was because i couldn't gat caddy to work, but traefik worked a charm. Self signing is more complex i think because you'll need to accept the root in every client (browsers especially?), which is even more fiddly.

[–] elvith@feddit.org 1 points 7 months ago

Yeah, that's exactly why I didn't use my own CA. There's a plethora of devices that you now need to import the CA to and then you need to hope, that every application uses the system cert store and doesn't roll its own (IIRC e.g. Firefox uses its own cert store and doesn't use the system cert store. Same for every java based application,...)

It's fiddly with Caddy, as you need a specific plugin to get it to work with anything else than the default challenge. That means using a custom build via caddy - and with docker, you're SOL. BUT you can just use certbot and point caddy to the cert file in your file system.