Vista Normal

Hay nuevos artículos disponibles. Pincha para refrescar la página.
Ayer — 21 Noviembre 2024IT And Programming

Let's Encrypt SSL Certificates Guide

There was a recent post asking for guidance on this topic and I wanted to share my experience, so that it might help those who are lost on this topic.

If you are self-hosting an application, such as AdGuard Home, then you will undoubtedly find yourself encountering a browser warning about the application being unsafe and requiring you to bypass the warning before continuing. This is particularly noticeable when you want to access your application via HTTPS instead of HTTP. The point is that any application with access to traffic on your LAN's subnet will be able to access unencrypted traffic. To avoid this issue and secure your self-hosted application, you ultimately want a trusted certificate being presented to your browser when navigating to the application.

  • Purchase a domain name - I use Namecheap, but any registrar should be fine.
  • I highly recommend using a separate nameserver, such as Cloudflare.

Depending on how you have implemented your applications, you may want to use a reverse proxy, such as Traefik or Nginx Proxy Manager, as the initial point of entry to your applications. For example, if you are running your applications via Docker on a single host machine, then this may be the best solution, as you can then link your applications to Traefik directly.

As an example, this is a Docker Compose file for running Traefik with a nginx-hello test application:

name: traefik-nginx-hello secrets: CLOUDFLARE_EMAIL: file: ./secrets/CLOUDFLARE_EMAIL CLOUDFLARE_DNS_API_TOKEN: file: ./secrets/CLOUDFLARE_DNS_API_TOKEN networks: proxy: external: true services: nginx: image: nginxdemos/nginx-hello labels: - traefik.enable=true - traefik.http.routers.nginx.rule=Host(`nginx.example.com`) - traefik.http.routers.nginx.entrypoints=https - traefik.http.routers.nginx.tls=true - traefik.http.services.nginx.loadbalancer.server.port=8080 networks: - proxy traefik: image: traefik:v3.1.4 restart: unless-stopped networks: - proxy labels: - traefik.enable=true - traefik.http.routers.traefik.entrypoints=http - traefik.http.routers.traefik.rule=Host(`traefik-dashboard.example.com`) - traefik.http.routers.traefik.middlewares=traefik-https-redirect - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https - traefik.http.routers.traefik-secure.entrypoints=https - traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.example.com`) - traefik.http.routers.traefik-secure.service=api@internal - traefik.http.routers.traefik-secure.tls=true - traefik.http.routers.traefik-secure.tls.certresolver=cloudflare - traefik.http.routers.traefik-secure.tls.domains[0].main=example.com - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.example.com ports: - 80:80 - 443:443 environment: - CLOUDFLARE_EMAIL_FILE=/run/secrets/CLOUDFLARE_EMAIL - CLOUDFLARE_DNS_API_TOKEN_FILE=/run/secrets/CLOUDFLARE_DNS_API_TOKEN secrets: - CLOUDFLARE_EMAIL - CLOUDFLARE_DNS_API_TOKEN security_opt: - no-new-privileges:true volumes: - /etc/localtime:/etc/localtime:ro - /var/run/docker.sock:/var/run/docker.sock:ro - ./data/traefik.yml:/etc/traefik/traefik.yml:ro - ./data/configs:/etc/traefik/configs:ro - ./data/certs/acme.json:/acme.json 

Note that this expects several files:

# ./data/traefik.yml api: dashboard: true debug: true entryPoints: http: address: ":80" http: redirections: entryPoint: to: https scheme: https https: address: ":443" serversTransport: insecureSkipVerify: true providers: docker: endpoint: "unix:///var/run/docker.sock" exposedByDefault: false file: directory: /etc/traefik/configs/ watch: true certificatesResolvers: cloudflare: acme: storage: acme.json # Production caServer: https://acme-v02.api.letsencrypt.org/directory # Staging # caServer: https://acme-staging-v02.api.letsencrypt.org/directory dnsChallenge: provider: cloudflare #disablePropagationCheck: true #delayBeforeCheck: 60s resolvers: - "1.1.1.1:53" - "1.0.0.1:53" # ./secrets/CLOUDFLARE_DNS_API_TOKEN your long and super secret api token # ./secrets/CLOUDFLARE_EMAIL Your Cloudflare account email 

You will also note that I included the option for additional dynamic configuration files to be included via './data/configs/[dynamic config files]'. This is particularly handy if you wish to manually add routes for services, such as Proxmox, that you don't have the ability to setup via Docker service labels.

# ./data/configs/proxmox.yml http: routers: proxmox: entryPoints: - "https" rule: "Host(`proxmox.nickfedor.dev`)" middlewares: - secured tls: certresolver: cloudflare service: proxmox services: proxmox: loadBalancer: servers: # - url: "https://192.168.50.51:8006" # - url: "https://192.168.50.52:8006" # - url: "https://192.168.50.53:8006" - url: "https://192.168.50.5:8006" passHostHeader: true 

Or middlewares:

# ./data/configs/middleware-chain-secured.yml http: middlewares: https-redirectscheme: redirectScheme: scheme: https permanent: true default-headers: headers: frameDeny: true browserXssFilter: true contentTypeNosniff: true forceSTSHeader: true stsIncludeSubdomains: true stsPreload: true stsSeconds: 15552000 customFrameOptionsValue: SAMEORIGIN customRequestHeaders: X-Forwarded-Proto: https default-whitelist: ipAllowList: sourceRange: - "10.0.0.0/8" - "192.168.0.0/16" - "172.16.0.0/12" secured: chain: middlewares: - https-redirectscheme - default-whitelist - default-headers 

Alternatively, if you are running your services via individual Proxmox LXC containers or VM's, then you may find yourself needing to request SSL certificates and pointing the applications to their respective certificate file paths.

In the case of AdGuard Home running as a VM or LXC Container, as an example, I have found that using Certbot to request SSL certificates, and then pointing AdGuard Home to the SSL certfiles is the easiest method.

In other cases, such as running an Apt-Mirror, you may find yourself needing to run Nginx in front of the application as either a webserver and/or reverse proxy for the single application.

The easiest method of setting up and running Certbot that I've found is as follows:

  1. Install the necessary packages: apt install -y certbot python3-certbot-dns-cloudflare
  2. Setup a Cloudflare API credentials directory: sudo mkdir -p ~/.secrets/certbot
  3. Generate a Cloudflare API token with Zone > Zone > Read and Zone > DNS > Edit permissions.
  4. Add the token to a file: echo 'dns_cloudflare_api_token = [yoursupersecretapitoken]' > ~/.secrets/certbot/cloudflare.ini
  5. Update file permissions: sudo chmod 600 ~/.secrets/certbot/cloudflare.ini
  6. Execute Certbot to request a SSL cert: sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d service.example.com

In the case if you're using Nginx, then do the following instead:

  1. Ensure nginx is already installed: sudo apt install -y nginx
  2. Ensure you also install Certbot's Nginx plugin: sudo apt install -y python3-certbot-nginx
  3. To have Certbot update the Nginx configuration when it obtains the certificate: sudo certbot run -i nginx -a dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d service.example.com

If you are using Plex, as an example, then it is possible to use Certbot to generate a certificate and then run a script to generate the PFX cert file.

  1. Generate a password for the cert file: openssl rand -hex 16
  2. Add the script below to: /etc/letsencrypt/renewal-hooks/post/create_pfx_file.sh
  3. Ensure the script is executable: sudo chmod +x /etc/letsencrypt/renewal-hooks/post/create_pfs_file.sh
  4. If running for the first time, force Certbot to execute the script: sudo certbot renew --force-renewal

#!/bin/sh # /etc/letsencrypt/renewal-hooks/post/create_pfs_file.sh openssl pkcs12 -export \ -inkey /etc/letsencrypt/live/service.example.com/privkey.pem \ -in /etc/letsencrypt/live/service.example.com/cert.pem \ -out /var/lib/service/service_certificate.pfx \ -passout pass:PASSWORD chmod 755 /var/lib/service/service_certificate.pfx 

Note: The output file: /var/lib/service/service_certificate.pfx will need to be renamed to the respective service, i.e. /var/lib/radarr/radarr_certificate.pfx

Then, you can reference the file and password in the application.

For personal-use, this implementation is fine; however, a dedicated reverse proxy is recommended and preferable.

As mentioned before, Nginx Proxy Manager is another viable option, particularly for those interested in using something with a GUI to help manage their services. It's usage is very self explanatory, as you simply use the GUI to enter in the details of whatever service you wish to forward traffic towards and includes a simple menu system for setting up requesting SSL certificates.

The key thing to recall is that some applications, such as Proxmox, TrueNAS, Portainer, etc, may have their own built-in SSL certificate management. In the case of Proxmox, as an example, it's possible to use its built-in SSL management to request a certificate and then install and configure Nginx to forward the default management port from 8006 to 443:

# /etc/nginx/conf.d/proxmox.conf upstream proxmox { server "pve.example.com"; } server { listen 80 default_server; listen [::]:80 default_server; rewrite ^(.*) https://$host$1 permanent; } server { listen 443 ssl; listen [::]:443 ssl; server_name _; ssl_certificate /etc/pve/local/pveproxy-ssl.pem; ssl_certificate_key /etc/pve/local/pveproxy-ssl.key; proxy_redirect off; location / { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass https://localhost:8006; proxy_buffering off; client_max_body_size 0; proxy_connect_timeout 3600s; proxy_read_timeout 3600s; proxy_send_timeout 3600s; send_timeout 3600s; } } 

Once all is said and done, the last step will always be pointing your DNS to your services.

If you're using a single reverse proxy, then use a wildcard entry, i.e. *.example.com, to point to your reverse proxy's IP address, which will then forward traffic to the respective service.

Example: Nginx Proxy Manager > 192.168.1.2 and Pihole > 192.168.1.10

Point DNS entry for pihole.example.com to 192.168.1.2 and configure Nginx Proxy Manager to forward to 192.168.1.10 .

If you're not using a reverse proxy in front of the service, then simply point the service's domain name to the server's IP address, i.e. pihole.example.com > 192.168.1.10 .

tl;dr - If you're self-hosting and want to secure your services with SSL, so that you may use HTTPS and port 443, then you'll want a domain that you can use for requesting a trusted Let's Encrypt certificate. This opens up options for whether the service itself has SSL management options built-in, such as Proxmox or you want to setup a single point of entry that forwards traffic to the respective service.

There are several different reverse proxy solutions available that have SSL management features, such as Nginx Proxy Manager and Traefik. Depending on your implementation, i.e. using Docker, Kubernetes, etc, there's a variety of ways to implement TLS encryption for your services, especially when considering limited use-cases, such as personal homelabs.

If you need to publicly expose your homelab services, then I would highly recommend considering using something like Cloudflare Tunnels. Depending on use case, you might also want to just simply use Tailscale or Wireguard instead.

This is by no means a comprehensive or production-level/best-practices guide, but hopefully it provides some ideas on several ways to help implement to your homelab.

submitted by /u/Pravobzen
[link] [comments]

Retrom v0.4 Released - Fullscreen mode w/ initial gamepad support

Retrom v0.4 Released - Fullscreen mode w/ initial gamepad support

Hey all, I'm here to update everyone on Retrom's most recent major release! Since last time there are two major changes to note:

  1. Fullscreen mode! Now Retrom is easily used in couch gaming environments and feels great on handhelds!
    1. Initial gamepad support should properly render glyphs for just about any XBox controllers and/or DualShock controllers. There are bound to be some missing pieces here, so please reach out to report faulty/missing controller mappings on github or discord.
  2. Emulator configurations are now saved in the service and shared across client devices -- no more needing to configure the same profiles for the same emulators on each and every one of your devices.
    1. Per-client configuration items, like the path to the emulator executable, have been extracted into their own configuration section for clarity.

Learn more about Retrom on the GitHub repo, or join the budding discord community

Screenshots for fullscreen mode:

https://preview.redd.it/4qly6ub4i52e1.png?width=1731&format=png&auto=webp&s=77d16b5ca02d05c2880f55afe9bb933d84416338

https://preview.redd.it/xfiisub4i52e1.png?width=1731&format=png&auto=webp&s=0ce1799ac2a200ee9f9cf67c30fa956cc4b01a01

https://preview.redd.it/rwa2gub4i52e1.png?width=1731&format=png&auto=webp&s=0eb8ba3ef2a715f142cddee6261d92d98d63cf5c

https://preview.redd.it/v0xratb4i52e1.png?width=1731&format=png&auto=webp&s=5200cdbc048e9e901f288f31f47e0815001606de

https://preview.redd.it/o70autb4i52e1.png?width=1731&format=png&auto=webp&s=a403006a1cd11d839d652740f949e276ae957734

Previous release announcement

To get ahead of the questions that always pop up in these threads, here is a quick FAQ:

submitted by /u/Volcaus
[link] [comments]

The Ultimate Dashboard ?

The Ultimate Dashboard ?

I came across the video online where they showed live dashboard where it showed all push/pull on GitHub in their HQ building.

Has anyone tried such a thing ? This could show local / external traffic of our server and it looks super cool. Check the link below for video

https://x.com/calder_white/status/1811203592067662192

https://x.com/ChiefScientist/status/1747511724977344979

submitted by /u/KnowledgeHot2022
[link] [comments]

Selfhosting email with SMTP relay, advices?

I understand the complexity of having a functional email is hard and many people often advice against self hosting this part, but still I want to give it a try before giving up.

The main motive is to get rid of google as much as possible, regain control of my privacy and my data as much as possible.

I rarely send out email at all, I'd say less than 100 a month, I'm not using email for business communication anyway, it's mostly for receiving account info, receipts, etc. And I surely don't send any sketchy email as well, if anytime I need to send email it's mostly to inquiry about some stuff.

So with that usage I'm thinking I could get by of using SMTP relay to handle the email sending, and handle the incoming email on my own, so probably just a cheap vps running mailcow or mail-in-a-box then use a cheap relay like amazon ses.

Is this a workable idea or am I missing out something?

submitted by /u/LifeReboot___
[link] [comments]

Guide: How to hide the nagging banners - Gitlab Edition

Guide: How to hide the nagging banners - Gitlab Edition

This is broken down into 2 parts. How I go about identifying what needs to be hidden, and how to actually hide them. I'll use Gitlab as an example.

At the time, I chose the Enterprise version instead of Community (serves me right) thinking I might want some premium feature way ahead in the future and I don't want potential migration headaches, but because it kept annoying me again and again to start a trial of the Ultimate version, I decided not to.

If you go into your repository settings, you will see a banner like this:

https://preview.redd.it/osbuuw08f62e1.png?width=1473&format=png&auto=webp&s=a4b215f66bcee42404affb4a3a485115c175c394

Looking at the CSS id for this widget in Inspect Element, I see promote_repository_features. So that must mean every other promotion widget also has similar names. So then I go into /opt/gitlab in the docker container and search for promote_repository_features and I find that I can simply do grep -r "id: 'promote" . which will basically give me these:

  • promote_service_desk
  • promote_advanced_search
  • promote_burndown_charts
  • promote_mr_features
  • promote_repository_features

Now all we need is a CSS style to hide these. I put this in a css file called custom.css.

#promote_service_desk, #promote_advanced_search, #promote_burndown_charts, #promote_mr_features, #promote_repository_features { display: none !important; } 

In the docker compose config, I add a mount to make my custom css file available in the container like this:

 volumes: - './custom.css:/opt/gitlab/embedded/service/gitlab-rails/public/assets/custom.css:ro' 

Now we need a way to actually make Gitlab use this file. We can configure it like this as an environment variable GITLAB_OMNIBUS_CONFIG in the docker compose file:

 environment: GITLAB_OMNIBUS_CONFIG: | gitlab_rails['custom_html_header_tags'] = '<link rel="stylesheet" href="/assets/custom.css">' 

And there we have it. Without changing anything in the Gitlab source or doing some ugly patching, we have our CSS file. Now the nagging banners are all gone!

https://preview.redd.it/6f85g018m62e1.png?width=1657&format=png&auto=webp&s=9a596ceececf4a6b54c64a79c9a4bdf4491e4237

Gitlab also has a GITLAB_POST_RECONFIGURE_SCRIPT variable that will let you run a script, so perhaps a better way would be to automatically identify new banner ids that they add and hide those as well. I've not gotten around that yet, but will update this post when I come to that.

Update #1: Optional script to generate the custom css.

import subprocess import sys CONTAINER_NAME = "gitlab" command = f""" docker compose exec {CONTAINER_NAME} grep -r "id: 'promote" /opt/gitlab | awk "match(\$0, / id: '([^']+)/, a) {{print a[1]}}" """ css_ids = [] try: css_ids = list(set(subprocess.check_output(command, stderr=subprocess.STDOUT, shell=True, text=True).split())) except subprocess.CalledProcessError as e: print(f"Unable to get promo ids") sys.exit(1) for css_id in css_ids[:-1]: print(f"#{css_id},") print(f"#{css_ids[-1]} {{\n display: none !important;\n}}") 
submitted by /u/sunshine-and-sorrow
[link] [comments]

Best GPU for jellyfin

long story short I have a NAS that acts as a torrent server (z97mobo based) and another networked device that has a strong GPU that I use as a proxmox compute server/stuff

but I feel like idling a 3090 is overkill

is there any sub 100$ GPU that you can recommend that can do 4K-h.264/h265 streaming for 2-4 clients and is power efficient?

also is it a good idea to have that jellyfin server on a i3-4130 if the GPU does the heavy lifting and there is already a Zpool and an nginx attached to it?

submitted by /u/randoomkiller
[link] [comments]

Self-Hosting Guide to Alternatives: Pocket, Omnivore (Bookmark / Read Later)

Hey, r/selfhosted! In light of the recent Omnivore news, it felt like an appropriate time to post a brief overview of the fantastic landscape of self-hosted bookmark and read later applications.

As usual, I'd recommending exploring every option on the list and finding the one that is best suited to your needs. Feel free to reach out with feedback or if I missed anything!


Self-Hosting Guide to Alternatives - Pocket, Omnivore (selfh.st)

submitted by /u/shol-ly
[link] [comments]

What serviccess are ok to host only through wifi?

Before you start hating me wait. I have some UMAX laptop with Intel Pentium G4400 3.3GHz 4 Gb RAM and 64 Gb of ssd storage and I'd like to use it for something, it is currently running ubuntu server and I don't know how could I utilize something that I cannot plug into the network by cable (it literarlly doesn't have ethernet port)

Any recommendations what to do with this piece of hardware?

I'd like to use it in my homelab (Now one desktop and one laptop both with proxmox installed) somehow, it sits in my closet for more than a year and I have no other use for it now, maybe I'd use it just as client for media streaming (with non wifi TV) but this can be done using raspberry or I could just plug hdmi in my daily drive laptop, that I use for school note taking mainly and sometimes for development.

submitted by /u/gun3kter_cz
[link] [comments]

Looking for a Lightweight Self-Hosted Automatic YouTube Downloader – TubeSync Feels Bloated

I'm looking for a specific self-hosted service or application that allows me to manage a list of YouTube channels with individual configurations. The ideal tool should:

  • Poll YT API or listen to the RSS feeds of the specified YouTube channels.
  • Automatically download new videos as soon as they're released to a predefined folder.
  • Save metadata (thumbnails, descriptions, etc.) so I can view them in Jellyfin.
  • Have a minimalistic UI, or even no UI at all, I'm comfortable modifying config files manually.

I tried TubeSync but really didn't like it at all. Building a custom solution sounds like a fun weekend project, but before I dive in, I wanted to check if there are any existing self-hosted services apart from TubeSync that can accomplish this.

Does anyone know of a tool that fits these requirements?

submitted by /u/StackerCoding
[link] [comments]

A Git based Notes app for Android with Markdown support and more! - It's also FOSS (fr this time)

Hello everyone!

CALL FOR CONTRIBUTORS

I have been working on a Markdown based, git synced notes app for android. Skipping any bs, here are the features that u can explore rn (albeit without polish):

  • Git based syncing (clone over https, pull, add (staging and unstaging), commit and push implemented)

  • Allowing storage of repositories on external storage (fr this time)

  • Markdown rendering supported, opening files in other apps supported using intent framework

  • Multiple repos supported by default

  • MIT license, no hidden subscription/donations... its FOSS (fr this time).

Here's what I have planned for the near future (if there is demand):

  • Customizing the way markdown looks and feels, from font to its color, size, weight, style, etc.

  • A polished ui with pretty animations.

  • Support for sharing, converting and editing files (not just markdown)

  • SSH support

  • Using GitHub auth and something similar on GitLab for easy cloning and stuff.

Here are some more ideas that are just ideas (I have no clue how I will implement them or unsure if it will be of any use):

  • Potentially add support for a pen based input using a tab/drawing pad. (for now onenote files can be used maybe?)

  • Let each repo have a .{app name} folder with various configuration files, these files could have app settings in them. This means, for example you can have the apps theme change for different repos.

I hear you ask the name of the app?

GitNotes or MarGitDown... I am not sure yet, suggestions are welcome!

Here is the GitHub link if you find this project interesting!

https://github.com/psomani16k/GitNotes

Feel free to ask for any more information.

submitted by /u/Most-Net-8102
[link] [comments]

Any way to get a digest for academic papers ?

Hello all,

I've recently set up alerts on google scholar for new papers coming out. Google scholar only works for one search engine (google scholar), can only notify you by email, and the emails they send aren't that informative etc etc. I can't help but think there must be better self hosted solutions. No luck finding one so far though, do you know of any ?

submitted by /u/Gueleric
[link] [comments]

🖕

🖕

(But actually, how can i hide this from my ISP?) I am hosting a grav site for me and a few others, as well as Immich for me and a few others, and a small (2 person) Minecraft server. So far all I have done is use a cloudflared tunnel for the grav site and the immich server, using custom subdomains via cloudflare, and TCPShield for the Minecraft server. I also use ProtonVPN on my devices but I have the Minecraft server set to split tunneling in ProtonVPN as i could not get the cloudflared tunnel to work with the server with TCP.

submitted by /u/PornAltRhino
[link] [comments]

First release of Broadcastarr

Hello !

I'm happy to publish the first public release of Broadcastarr.
This project aims to provide access to web broadcasts (such as sport streamings for instance) through a Jellyfin server.
It provides a Discord bot to perform basic actions, indexing is also published on Discord and Matrix channels.

JSON descriptions of the indexers are not provided on the repository, but you can ask me for the ones I have already implemented, or ask me for some help if the documentation is not clear enough.

This project has been in development since summer 2023 and took a lot of time to get to this point.
Starting from a simple script to grab url links, it now works as a full service running in background.

Don't hesitate to ask questions, report bugs or suggest improvements.
Hello !
I'm happy to publish the first public release of Broadcastarr.
This project aims to provide access to media broadcasts (such as sport streaming for instance) through a Jellyfin server.
It provides a Discord bot to perform basic actions, indexing is also published on Discord and Matrix channels.

JSON descriptions of the indexers are not provided on the repository, but you can ask me for the ones I have already implemented, or ask me for some help if the documentation is not clear enough.

This project has been in development since summer 2023 and took a lot of time to get to this point.
Starting from a simple script to grab url links, it now works as a full service running in background.

Everything is available here: https://github.com/Billos/Broadcastarr

Don't hesitate to ask questions, report bugs or suggest improvements.

submitted by /u/billos35
[link] [comments]

Best OS for Docker server and maybe hosting some VMs

I just purchased a 1L PC to replace my current Docker server (Synology NAS). I mostly host all my services via Docker. But I do plan on trying out some VMs for more remote desktop type stuff not for hosting services.

The 1L PC is a HP Elite Mini G9. I will be adding 2 SSDs for redundant OS disks. And I will be utilizing my Synology NAS for storage. So the 1L PC doesn't need crazy amounts of storage and I will not be using it like a NAS.

Which OS should I use as the basis of the 1L PC? I like the idea of the easy nature of TrueNAS as a base OS, so I can set up shares and permissions easily. But do VMs run well under TrueNAS? Is there another OS I should consider as the basis of this mainly Docker server with some VMs?

submitted by /u/shadowjig
[link] [comments]

Help needed for Traefik + wg-easy setup. I'm loosing my mind

Help needed for Traefik + wg-easy setup. I'm loosing my mind

I some self hosted services running in docker containers. They are all on the same server (with static ip).

I was able to configure Traefik (also in a container with Docker Compose) as a reverse proxy with a self-signed certificate in my local network. This was surprisingly easy to do.

Now I want to expose these self hosted services to the internet so I can access them everywhere, but only via a VPN tunnel (WG Easy). What I have done so far:

  • Configured my router to forward ports 80, 443 and 51820
  • Changed the DNS A record of my domain to point to my external ip address (I use Cloudflare DNS)
  • Setup WG easy and Traefik in a docker container. I'm now able to navigate to https://vpn.my-domain.com (I'll disable this later again and only allow this from my LAN):

    services: wg-easy: labels: # traefik - "traefik.enable=true" - "traefik.http.services.WireGuardService.loadbalancer.server.port=51821" # http to https - "traefik.http.routers.WireGuardRoute.service=WireGuardService" # ⚠️ Required: # Change this to your host's public address - "traefik.http.routers.WireGuardRoute.rule=Host(vpn.my-domain.com)" - "traefik.http.routers.WireGuardRoute.entrypoints=web" - "traefik.http.routers.WireGuardRoute.middlewares=HttpToHttpsRedirectMiddleware" # https - "traefik.http.routers.WireGuardRouteSSL.service=WireGuardService" # ⚠️ Required: # Change this to your host's public address - "traefik.http.routers.WireGuardRouteSSL.rule=Host(vpn.my-domain.com)" - "traefik.http.routers.WireGuardRouteSSL.entrypoints=websecure" - "traefik.http.routers.WireGuardRouteSSL.tls.certresolver=MainCertResolver" environment: # ⚠️ Required: # Change this to your host's public address - WG_HOST=vpn.my-domain.com

     # Optional: # - PASSWORD= # - WG_PORT=51820 # - WG_DEFAULT_ADDRESS=10.8.0.x # - WG_DEFAULT_DNS=1.1.1.1 # - WG_MTU=1420 #- WG_ALLOWED_IPS= # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt networks: - traefik_network container_name: wg-easy image: ghcr.io/wg-easy/wg-easy volumes: - .:/etc/wireguard ports: - "51820:51820/udp" restart: unless-stopped cap_add: - NET_ADMIN - SYS_MODULE sysctls: - net.ipv4.ip_forward=1 - net.ipv4.conf.all.src_valid_mark=1 

    traefik: image: "traefik:v3.2" container_name: "traefik" command: - "--providers.docker" - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--providers.docker.network=traefik_network" - "--entrypoints.web.address=:80" - "--entrypoints.websecure.address=:443" - "--certificatesresolvers.MainCertResolver.acme.tlschallenge=true" - "--certificatesresolvers.MainCertResolver.acme.email=my@email.com" #- "--certificatesresolvers.MainCertResolver.acme.storage=/letsencrypt/acme.json" environment: - TZ=Earope/Brussels ports: - "80:80" - "443:443" - "8080:8080" networks: - traefik_network volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro" - "./config/dynamic.yml:/etc/traefik/dynamic.yml" - "./letsencrypt:/letsencrypt" - "./certs/:/etc/certs"networks: volumes: letsencrypt:

Then I created another small test service:

whoami: image: "traefik/whoami" container_name: "simple-service" labels: - "traefik.enable=true" - "traefik.http.routers.whoami.rule=Host(`whoami.my-domain.com`)" - "traefik.http.routers.whoami.entrypoints=websecure" - "traefik.http.routers.whoami.tls.certresolver=MainCertResolver" - "traefik.http.services.whoami.loadbalancer.server.port=80" 

But no matter what I do, if I navigate to whoami.my-domain.com, I get following response:

If I ping that domain, I can see the DNS A record pointing to my personal external IP address....
Can someone point me in the right direction? Been breaking my head for hours now :)

submitted by /u/frogfuhrer
[link] [comments]
❌
❌