Struggling to Get Started Hosting a Mix of Local and Publicly Exposed Containers
I'm new to self hosting and just starting to experiment with web development. I've been reading and cross-referencing several guides, but I'm having trouble figuring out how to put together all the pieces to achieve what I'm looking for. Maybe the perfect tutorial is out there, but I just haven't found the right search terms.
On my Raspberry Pi 4, I have a few Docker containers already up and running:
Pi Hole with network-mode set to host so it can handle DHCP too
Watchtower to keep the Pi Hole up-to-date
Portainer to check on the status of things
In addition those, I'm planning to host a personal website, a small Matrix server, and a few other things eventually. For portability reasons and my own professional development, I want to go all-in on Docker Compose and keep each piece in its own separate container.
The main thing I'm struggling with is figuring out how to configure nginx-proxy-manager and my Docker networks to expose only the containers I want to expose while keeping my other containers safe. More specifically, how do I handle the conflicting ports between Pi Hole and nginx-proxy-manager without exposing my Pi Hole's admin page to the public internet? Can I use the same reverse proxy to manage all my local and public services at the same time?
Another piece that I'm feeling unsure about is pointing my domain name to the right IP address and setting up SSL encryption. It feels like there are a lot of ways to mess it up. What do I need to do to keep things safe and secure? How important is something like Cloudflare tunnel?
Register a domain if you haven't already. I did two, one for internal and one for external. If you want something easy to setup, use nginx. I'm sure there are guides out there to add Let's Encrypt SSL certs to nginx. I personally use Let's Encrypt with Traefik as my reverse proxy. Traefik has a little bit of a learning curve, but once you have it setup and working, it's pretty easy to update and move around.
Once you have your reverse proxy working with a SSL cert, you can start looking at different options to expose your containers. Probably the easiest method is to point your domain to your home IP address and on your router setup port forwarding. I'm not a fan of that because it's probably the most risky exposing ports to the wide internet.
Another option is tunneling, which I think is the best. Cloudflare tunnels is pretty popular and I believe are still free. I have a cheap VPS that I have a Wireguard tunnel setup. With either tunnel option you don't have to make any changes to your home network or firewall.
To separate my internal and external. Both my domains have wild card certs. I have a VPS that connects to my home lab. External requests hit the VPS first. Internal requests bypass the VPS and go straight to my home lab.
I could use a single domain but then my internal requests would reach out to the VPS just to go back to my home lab. I wanted to avoid that extra hop.
I actually registered two different domains. I think using .lan or .internal would work like that. Essentially from the client machine, it needs to be able to resolve the domain name to the IP of your internal service. So say from your home PC you want to have grue.com resolve to your server. One way to do that is have a host entry on your PC to point grue.com to your server IP address. That way is easy to do and works great but will get annoying if you have multiple client machines.
Another way is if you have a local DNS server that can add locally defined DNS records. Pi-hole can do this, so that way any client machine that goes through Pi-hole will be routed to your server IP.
Forgive my stupidity, but couldn't you just use split-horizon DNS and have your internal DNS resolve to your homelab instead of the VPS? Personally, that's what I've done. So external lookups for sub.domain.tld go one way and internal lookups go to 10.10.10.x.
Yes, I could do a split DNS and achieve the same thing. I didn't really want to change my DNS settings in my router. I also just like the separation by domain name.
Hi, do you mind giving me some pointers for setting up traefik to use https for my locally hosted services?
I have most of my stuff on a single server (named poseidon), on which I want to separate all the stuff using subdomains (like plex.poseidon). From what I found when searching online it seems like I require a local DNS server for that on which I can enter local domains, in addition to using traefik to specify a rule for the host using a label in the docker-compose. Is that correct?
I also have no idea how to route the subdomains to the services I want.
You just need something that points *.poseidon to your server IP. You can use a host file, local DNS server, or DNSMasq.
Once you have traefik setup, it will have a config where you can setup routers that route the subdomain to a service. Then you have services configured that point to a IP and port.
I based my setup on Techno Tim's video here and made minor tweaks. Try following that tutorial and see if that gets you started. Feel free to ask any other questions if you run into snags.