this post was submitted on 05 Oct 2025
61 points (95.5% liked)

Selfhosted

52038 readers
905 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hi folks,

TL;DR: my remaining issue seems to be firefox specific, I've otherwise made it work on other browsers and other devices, so I'll consider this issue resolved. Thank you very much for all your replies and help! (Edit, this was also solved now in EDIT-4).

I'm trying to set up HTTPS for my local services on my home network. I've gotten a domain name mydomain.tld and my homeserver is running at home on let's say 192.168.10.20. I've set up Nginx Proxy Manager and I can access it using its local IP address as I've forwarded ports 80 and 443 to it. Hence, when I navigate on my computer to http://192.168.10.20/ I am greeted with the NPM default Congratulations screen confirming that it's reachable. Great!

Next, I've set up an A record at my registrar pointing to 192.168.10.20. I think I've been able to confirm this works because when I check on an online DNS lookup tool like https://centralops.net/CO/Traceroute it says 192.168.10.20 is a special address that is not allowed for this tool. Great!

Now, what I'm having trouble with, is the following: make it such that when I navigate to http://mydomain.tld/ I get to the NPM welcome screen at http://192.168.10.20/. When I try this, I'm getting the firefox message:

Hmm. We’re having trouble finding that site.
We can’t connect to the server at mydomain.tld.

Strangely, whenever I try to navigate to http://mydomain.tld/ it redirects me to https://mydomain.tld/, so I've tried solving this using a certificate, using the DNS-01 challenge from NPM, and setting up a reverse proxy from https://mydomain.tld/ to http://192.168.10.20/ and with the wildcard certificate from the challenge, but it hasn't changed anything.

I'm unsure how to keep debugging from here? Any advice or help? I'm clearly missing something in my understanding of how this works. Thanks!

EDIT: It seems several are confused by my use of internal IP addresses in this way, yes it is entirely possible. There are multiple people reporting to use exactly this kind of setup, here are some examples.

EDIT-2: I've made progress. It seems I'm having two issues simultaneously. The first one was that I was trying to test my NPM instance by attempting to reach the Congratulations page, served on port 80. That in itself was not working as it ended in an infinite resolution loop, so trying to instead expose the admin page, default port 81, seems to work in some cases. And that's due to the next issue, which is that on some browsers / with some DNS, the endpoint can be reached but not on others. For some reason I'm unable to make it work on Firefox, but on Chromium (or even on Vanadium on my phone), it works just fine. I'm still trying to understand what's preventing it from working on Firefox; I've attempted multiple DNS settings, but it seems there's something else at play as well.

EDIT-3: While I have not made it work in all situations I wanted, I will consider this "solved", because I believe the remaining issue is a Firefox-specific one. My errors so far, which I've addressed, are that I could not attempt to expose the NPM Congratulations page which was shown on port 80, because it led to a resolution loop. Exposing the actual admin page on port 81 was a more realistic test to verify whether it worked. Then, setting up the forwarding of that page using something like https://npm.mydomain.tld/ and linking that to the internal IP address of my NPM instance, and port 81, while using the wildcard certificate for my public domain was then necessary. Finally, I was testing exclusively on Firefox. While I also made no progress when using dig, curl or host, as suggested in the comments (which are still useful tools in general!), I managed to access my NPM admin page using other browsers and other devices, all from my home network (the only use-case I was interested in). I'll keep digging to figure out what specific issue remains with my Firefox. I've verified multiple things, from changing the DNS in Firefox (this seems not to work, showing Status: Not active (TRR_BAD_URL) in the Firefox DNS page, e.g. with base.dns.mullvad.dns). Yet LibreWolf works just fine when changing DNS. Go figure...

EDIT-4: I have now solved it in Firefox too, thanks to @non_burglar@lemmy.world! So it turns out Firefox has set up a validation system for DNS settings, called TRR. You can read more about it here: https://wiki.mozilla.org/Trusted_Recursive_Resolver Firefox has a number of TRR configurations, preventing the complete customization of DNS, but also with specific defaults that prevent my use-case. Open the Firefox config page at about:config, search for network.trr.allow-rfc1918 and set it to true. This has now solved it for me. It allows the resolution of local IP addresses. You can read more about RFC1918 here: https://datatracker.ietf.org/doc/html/rfc1918 I'll probably still look to actually make other DNS usable, such as base.dns.mullvad.net which is impossible to use on Firefox by default...
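An added example, not from the original post nor from Nginx Proxy Manager or Firefox, for the kind of debugging described in EDIT-2 to EDIT-4: a standard-library Python probe that sends a raw DNS A query to one resolver at a time (your router, your ISP's resolver, a public resolver) and classifies the reply. Asking each resolver directly shows where an RFC 1918 answer is dropped: a public resolver returning 192.168.10.20 while the router returns NOERROR with no answers is the signature of a resolver that filters private addresses (DNS rebinding protection), which is a different failure from a record that was never published. The name mydomain.tld, the address 192.168.10.20 and the embedded SAMPLE_RESPONSE are constructed for illustration.

```python
"""Raw DNS A-record probe for split-DNS debugging (standard library only).

Added example, not from the original post. Querying one resolver at a
time (router, ISP, public) shows where an RFC 1918 answer gets dropped.
"""
import ipaddress
import socket
import struct
import sys

# RFC 1918 private ranges: the ones Firefox TRR and many home routers filter.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample response for mydomain.tld -> 192.168.10.20 (not real data):
# header (id 0x1234, flags QR|RD|RA, 1 question, 1 answer), the question, and an
# answer whose name is a compression pointer (0xc00c) back to the question name.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x08mydomain\x03tld\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\xa8\x0a\x14"
)


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16 addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def build_query(name, txid=0x1234):
    """Build a DNS query for an A record: 12-byte header (RD set) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg):
    """Return (rcode, [A addresses]) from a DNS response; other RR types are skipped."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def query(name, resolver, timeout=3.0):
    """Send the query over UDP port 53 to one specific resolver and parse the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch, ignoring reply")
    return parse_a_answers(data)


def diagnose(rcode, addrs):
    """Map (rcode, answers) to the split-DNS failure mode it indicates."""
    if rcode == 3:
        return "NXDOMAIN: this resolver has no record for the name"
    if rcode != 0:
        return "rcode %d: resolver refused or failed the query" % rcode
    if not addrs:
        return ("NOERROR with no A answers: a filter (router rebind protection) "
                "likely stripped a private address")
    private = [a for a in addrs if is_rfc1918(a)]
    if private:
        return ("private answer %s: fine on the LAN; rebind-protecting resolvers "
                "and Firefox TRR will drop it" % private)
    return "public answer %s" % addrs


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "mydomain.tld"
    for resolver in sys.argv[2:] or ["1.1.1.1"]:
        code, answers = query(name, resolver)
        print("%-15s %s" % (resolver, diagnose(code, answers)))
```

Run it as python3 dnsprobe.py mydomain.tld 192.168.10.1 1.1.1.1 (router address assumed) to compare the router with a public resolver. If the public resolver answers with the private address but the router returns nothing, the router is filtering, and the fix belongs on the LAN side (a local resolver such as Pi-hole or dnsmasq that serves the name, or a rebind whitelist for just that domain) rather than in turning the filter off globally, since that filter is what stops a malicious site from pointing its own name at your LAN.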

28 comments
[–] aaravchen@lemmy.zip 1 points 1 day ago* (last edited 1 day ago) (1 children)

Given your setup, I presume you're trying to access your server via a domain name, only from within your home network? That's what the linked blog posts are talking about.

EDIT: It seems several are confused by my use of internal IP addresses in this way, yes it is entirely possible. There are multiple people reporting to use exactly this kind of setup, here are some examples.

Or maybe your example IP address is just confusing. IP addresses in the ranges 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8 are all reserved for "private routing" and are not routable on the larger internet. Your home will have devices with those IP addresses because it's a private LAN that uses Network Address Translation (NAT) at the boundary with your ISP. Your ISP might also have its own NAT called Carrier-Grade NAT (CGNAT) that has another translation boundary where it reaches the internet. If your ISP doesn't have CGNAT, and allows incoming connections on your desired ports, you might be able to use the IP address your ISP assigned your router as the public IP, but if not you'll need to figure out some other routing method (e.g. a VPS hosting a private VPN exit point with routing rules to allow incoming connections, and an entry point somewhere in your network with routing rules to reply through that VPN).

EDIT: Added quote

[–] aaravchen@lemmy.zip 1 points 1 day ago* (last edited 1 day ago) (4 children)

If you're just trying to do this within your home network, you're doing what's called "split DNS", where the DNS in your home network is different from the global DNS.

I do this for services I host, though usually I can also access them remotely as well, just from a different IP address. The easiest route for the TLS certificates (TLS is what gives you the S in HTTPS) is to use DNS-01 challenges for your LetsEncrypt/ZeroSSL certificate generation, because it doesn't have to actually reach your domain's site to prove you own the domain; it instead has you put extra temporary DNS records in.

[–] mhzawadi@lemmy.horwood.cloud 2 points 1 day ago

Your issue is using a non-routable IP on a public DNS provider; some home routers will assume it's a misconfiguration and drop it.

If you're only going to use the domain over a VPN and local network, I would use something like Pi-hole to do the DNS.

If you want access from the internet at large, you will need your public IP in your DNS provider.

[–] princessnorah@lemmy.blahaj.zone 1 points 1 day ago* (last edited 1 day ago)

It's very likely that DNS servers aren't going to propagate that A name record because of it being an internal IP. What DNS settings are you using for Tailscale? You could also check that the address is resolving locally with the command host mydomain.tld which should return mydomain.tld has address 192.168.10.20 if things are set up correctly.

Edit: you can also do a reverse lookup with host 192.168.10.20 which should spit out 20.10.168.192.in-addr.arpa domain name pointer mydomain.tld.

[–] BaroqueInMind@piefed.social 1 points 1 day ago (1 children)

One thing you probably forgot to check is if your TLD registrar supports DyDNS and you have it set on both sides of the route.

[–] TheHobbyist@lemmy.zip 1 points 1 day ago (1 children)

Would you mind explaining further what you mean by "setting it up on both sides of the route"? Much appreciated!

[–] 30p87@feddit.org 1 points 1 day ago (6 children)

Do a curl http://mydomain.tld/ -i with your server off/while off-network.

Your registrar probably has a service to rewrite http accesses to https automatically. Curl -i shows the headers, which will probably confirm that you're being redirected without even connecting to anything in your network.

[–] jabberwockiX@piefed.social 0 points 1 day ago (13 children)

Sorry this will most definitely not work with your local IP address on an external DNS. That is not routable over the internet. I have a 192.168.10.20 IP address in my home network as well. You need to go to whatsmyip.com or ipchicken.com and get your external IP and put that in the DNS at your registrar. Most likely you will need a Dynamic DNS provider as your ISP probably gives you a dynamic public IP address that will change occasionally.

If you just want to resolve mydomain.tld INTERNALLY so you can use a mydomain.tld HTTPS certificate then you just need to add mydomain.tld to your INTERNAL DNS server pointing at your INTERNAL IP address for your server. Likely your router is set up as a DNS server but it just forwards all requests to the external DNS, which is why you just get sent to mydomain.tld instead of your internal server.

[–] humanamerican@lemmy.zip 0 points 1 day ago

Have you considered using a mesh VPN instead of opening a port to the public? Nebula and Tailscale are both great options that have a free tier which is more than enough for most home use cases. With Nebula you can even self-host your discovery node so nothing is cloud-based, but then you're back to opening firewall ports again.

Anyway, it's going to be more secure than even a properly configured reverse proxy setup and way less hassle.

[–] slazer2au@lemmy.world 0 points 1 day ago

Without posting your config we can't really do much.

I have a similar setup with Traefik getting a cert for a public domain for my private server but didn't have any issues.

[–] TangledRockets@lemmy.world -2 points 1 day ago

The IP address you've used as an example would not work. That is a 'local' address, ie home address. If you want DNS to resolve your public domain name to your home server, you need to set the A record to your 'public' IP address, ie the external address of your modem/router. Find this by going to whatismyip.com or something similar.

That will connect your domain name with your router. You then set up port forwarding on the router to pass requests to the server.

[–] Mitchie151@lemmy.world -2 points 1 day ago (3 children)

You can't point to 192.168.X.X that's your local network IP address. You need to point to your public IP address which you can find by just searching 'what is my IP'. Note that you can't be behind CGNAT for this, and either need a static IP or dynamic DNS configuration. Be aware of the risks involved exposing your home server to the internet in this manner.

[–] slazer2au@lemmy.world 1 points 1 day ago (1 children)

You can't point to 192.168.X.X that's your local network IP address. You need to point to your public IP address

That's not true at all. That is exactly how I have my setup. A wildcard record at Porkbun pointing to the private IP of my home server so when I am home I have zero issues accessing things.

[–] HelloRoot@lemy.lol 0 points 1 day ago (7 children)

A wildcard record at Porkbun pointing to the private IP of my home server

Which can not be 192.168.X.X

read: https://en.wikipedia.org/wiki/IP_address#Private_addresses
