I personally run tailscale on my host and a single traefik instance on docker. Anything that doesn't need to be accessed by other people listen to the hostname and get a 100.64.0.0/10 ip whitelist middleware to only allow connections through tailscale. That way a request sent through the public IP with a custom Host header can't be smuggled in and I don't have to deal with custom ports for a 2nd reverse proxy
Self-Hosted Main
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
For Example
- Service: Dropbox - Alternative: Nextcloud
- Service: Google Reader - Alternative: Tiny Tiny RSS
- Service: Blogger - Alternative: WordPress
We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.
Useful Lists
- Awesome-Selfhosted List of Software
- Awesome-Sysadmin List of Software
Yes this is how I do things. I run two instances of nginx proxy, one public facing and one private. External requests are routed to the public proxy and my local dns has CNAME records for all the domains my services run on forwarding to the internal proxy. That way I have a couple of subdomains exposed publicly (Plex, nextcloud and home assistant) through subdomains declared in my public name server and many, many more on the internal proxy whose domain records exist only on my local dns.
Thank you! This is the most appealing option to me right now. I’m having trouble understanding how all my internal traffic could be routed via my internal DNS though. NPM listens on both 80 and 443. Is the idea to have NPM listen on 443 and and my local DNS on 80, then I configure my router to use local DNS to route my traffic accordingly?
It's down to having two distinct instances of nginx proxy and control of your local DNS (I use pihole as my DNS provider for local machines, but other DNS servers are available).
So you have your public proxy, which for the sake of this example we'll call publicproxy.local, and you have your internal proxy which we'll call localproxy.local.
You also have a dns provider, e.g. pihole.local
Configure your router to provide pihole.local as the dns server for any client on your local network via DHCP. Then configure your firewall to forward port 443 to publicproxy.local
In your local DNS provider configure CNAME or A records for any service you want to be able to access locally that point to localproxy.local.
In your external name servers configure CNAME or A records for any service you want to be able to access locally that point to your public IP or DDNS address.
For example:
Cloudflare has a CNAME record for plex.example.com which resolves to your public IP. Requests from outside your network hit your router which port forwards the request to publicproxy.local, publicproxy.local is configured to forward plex.example.com to 192.168.0.6 (where your Plex server lives)
pihole has a CNAME record for plex.example.com which resolves to localproxy.local. localproxy.local is also configured to forward plex.example.com to 192.168.0.6.
That means whether you request from outside or inside the network you'll end up hitting 192.168.0.6, success!
Now, pihole also has a CNAME record for sonarr.example.com which resolves to localproxy.local and the proxy is configured to forward sonarr.example.com to 192.168.0.8 (where sonarr is in this example).
There's no cloudflare record for that subdomain and the public proxy doesn't recognise it. So if you can't hit your public IP with a request for sonarr.example.com at all, short of having a host file configured to force it. Even if you forced the domain resolution the public proxy doesn't recognise the URL and gives a 404.
However, if you were to go to sonarr.example.com locally you'd see sonarr.
It's exactly what I do and works great