this post was submitted on 25 Oct 2025
60 points (98.4% liked)

I'm going round in circles on this one.

What I want to do is:

  • serve up my self-hosted apps with https (to local clients only - nothing over the open web)
  • address them as 'app.server.lan' or 'server.lan/app'
  • preferably host whatever is needed in docker

I think this is achievable with a reverse proxy, some kind of DNS server and self-signed certs. I'm not a complete noob but my knowledge in this area is lacking. I've done a fair bit of research but I'm probably not using the right terminology or whatever.

Would anyone have a link to a good guide that covers this?

[–] philpo@feddit.org 18 points 2 days ago (2 children)

It is absolutely possible, but personally I would highly recommend getting yourself a proper public domain for that, even if you won't use it otherwise (it's even somewhat safer if you use a designated one for it).

To make it really easy, get the domain with someone who also provides DNS with it (Hetzner is a solid choice, so are others; it has to have an API). (E.g. "mydomain.casa".)

Now get an internal DNS server that can handle its own zones. I always recommend Technitium, but there are other choices. Pihole is not a good choice here.

Next thing is a reverse proxy, as you mentioned. If you want it easy, NginxProxyManager is a good choice, but it limits what one can do later. But it kind of works out of the box. Traefik and Caddy are both often named, but I found none of them as "fire and forget" as NPM is - and Caddy can't do a lot of things either. Traefik is what I currently use, but even using Manatrae or similar GUIs it's sometimes a pain. But it's absolutely powerful, especially when you run a lot of docker containers on the same host. Tbh, if I had not some special requirements I would still use NPM.

Now, what to do? (Not a full manual, more like an overview to show that it's not that complicated)

  1. Install all of the above on docker.
  2. Set up NPM with a wildcard certificate: register with zerossl.com (has advantages over LetsEncrypt), add them as a provider and get a wildcard(!) certificate (*.yourdomain.casa).
  3. Set up a proxy host. You simply add the domain name (nextcloud.mydomain.casa), point it to the actual container ("192.168.1.10:3000"), choose the wildcard certificate as an SSL certificate and switch on "force SSL".
  4. Go to the DNS server, create a DNS zone "mydomain.casa" and then simply add "nextcloud.mydomain.casa" and point it to the reverse proxy IP. Done.

For good practice I would recommend also keeping a zone that links directly to the services so you can use that whenever necessary. (mydomain.internal)
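Once the four steps above are done, two things are worth checking from a client on the LAN: that the internal zone really sends the app hostname to the reverse proxy (not to the container), and that the certificate the proxy presents covers that hostname, keeping in mind that a wildcard only replaces one label (*.mydomain.casa covers nextcloud.mydomain.casa but not mydomain.casa or a.b.mydomain.casa). The script below is an added example, not code from the thread or from NPM, Technitium or ZeroSSL; the hostnames, IPs and SAN lists in it are constructed sample values, and the `resolve` callable is injectable so the logic can be exercised without a live DNS server.

```python
"""Check an internal HTTPS service behind a reverse proxy (added example).

Verifies that e.g. nextcloud.mydomain.casa resolves to the reverse proxy IP
and that the certificate the proxy presents actually covers that name.
All hostnames, IPs and SAN lists used here are constructed sample values.
"""
import socket
import ssl
from typing import Callable, Iterable, List, Optional


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*' may only stand in for one full leftmost label.

    '*.mydomain.casa' matches 'nextcloud.mydomain.casa' but neither the bare
    apex 'mydomain.casa' nor the deeper 'a.b.mydomain.casa'. Matching is
    case-insensitive and ignores a trailing dot. Partial wildcards such as
    'f*.example' and wildcards directly under a TLD ('*.casa') are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # need at least '*.<domain>.<tld>'; refuse wildcarding a whole TLD
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    # the leftmost label is the wildcard; every other label must match exactly
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def san_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS name in the certificate's SAN list covers hostname."""
    return any(wildcard_matches(name, hostname) for name in san_names)


def dns_points_to_proxy(hostname: str, proxy_ip: str,
                        resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Check that the internal zone sends hostname to the reverse proxy, not
    straight to the container. `resolve` defaults to the system resolver."""
    try:
        return resolve(hostname) == proxy_ip
    except OSError:
        return False


def fetch_san_names(hostname: str, port: int = 443,
                    cafile: Optional[str] = None) -> List[str]:
    """Connect with full TLS verification and return the DNS SANs presented.

    Pass `cafile` for a private CA (self-signed setup); leave it None when the
    certificate chains to a public root such as Let's Encrypt or ZeroSSL.
    The default context already raises ssl.SSLCertVerificationError if the
    certificate does not cover `hostname`, so reaching the return means the
    proxy host is serving a matching certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Offline walk-through with constructed values (no network needed).
    proxy_ip = "192.168.1.5"                      # constructed reverse proxy IP
    fake_zone = {"nextcloud.mydomain.casa": proxy_ip,
                 "nextcloud.mydomain.internal": "192.168.1.10"}  # direct zone
    san = ["*.mydomain.casa"]                     # constructed wildcard SAN
    for name in fake_zone:
        ok_dns = dns_points_to_proxy(name, proxy_ip, resolve=fake_zone.__getitem__)
        ok_cert = san_covers(san, name)
        print(f"{name}: via proxy={ok_dns} cert covers={ok_cert}")
```

Run it against a real host by replacing the `fake_zone` lookup with the default resolver and calling `fetch_san_names("nextcloud.mydomain.casa")`; the mydomain.internal names from the direct zone are expected to fail the certificate check, which is exactly why that zone is for direct access rather than for browsers.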

[–] archy@lemmy.world 3 points 1 day ago

Just curious, why is PiHole not a good choice here? I am using it for internal DNS management

[–] hietsu@sopuli.xyz 2 points 2 days ago (2 children)

Umm, wildcard certs from ZeroSSL seem to run at $52.99 per month, billed yearly. Free plan does not have those, neither does Basic.

[–] TimeWalker@piefed.foxden.party 2 points 19 hours ago (1 children)

As I understood, the one that you see on the page is something distinct. They have a different service on their ACME page. If you're using a script like acme.sh or using the ACMEIssuer in Caddy, then you can get a free wildcard certificate over that. But I assume it's losing the advantages that have been mentioned like the web dashboard, etc.

[–] hietsu@sopuli.xyz 1 points 10 hours ago

Good to know! A *-cert is definitely something I'd need to set up in my self-host setup, though a little complex as my (free) domain provider does not let me edit TXT records for DNS-01.

[–] philpo@feddit.org 5 points 2 days ago* (last edited 2 days ago) (1 children)

Sorry, then proceed with LE. Got that part mixed up, you are totally right.

[–] motruck@lemmy.zip 1 points 1 day ago (1 children)

What advantages do you think the paid cert has over letsencrypt?

[–] philpo@feddit.org 1 points 21 hours ago

ZeroSSL has unpaid plans (for non-wildcards) that have a few advantages that LE doesn't:

  • No rate limits
  • A web dashboard
  • More ways to validate
  • They have a REST API

And, first and foremost, they are European and it's always good to have an alternative ready.

But as said before, I totally missed the wildcard issue, as I haven't touched these for a long time and recently had more to do with my public services (which get an ACME single-domain cert via ZeroSSL).