Selfhosted

39231 readers

471 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

Looking For Opinions on Docker + Letsencrypt + Reverse Proxy Setup (kbin.social)

submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/selfhosted

34 comments fedilink hide all child comments

I've been running 2 linodes for a number of years now - one has my website (wordpress) on it and one has a Foundry VTT server running. Both are separate linodes, and I use Google Domains to point [site.tld] to the wordpress VPS and foundry.[site.tld] to the other linode.

For a few services I run at home within my own network (Sonarr, Lidarr, Plex, etc.) I've started to use Docker and Portainer, and I like how easy it is to set things up (and remove them if they don't work). I'd like to redo my VPS similarly - I'd like to have a single linode, as a Docker host, and have the main domain point to a Wordpress container, a subdomain point to a Foundry container, and be able to easily add other containers for something like freshrss, etc. My goal is to be able to quickly spin up a docker via a compose file (portainer would be preferred), have it automatically reach out to letsencrypt to get a cert for the relevant subdomain, and have that subdomain point to that docker container.

I've been doing some searching around, and there seem to be a number of options, things like nginx reverse proxy, traefik, etc. and there are a lot of conflicting results.

Does anyone here have an opinion on this or some advice as to what the best option to look into might be?

you are viewing a single comment's thread
view the rest of the comments

[–] chiisana 3 points 1 year ago* (last edited 1 year ago) (1 children)

Everyone has an opinion, and at the end of the day, whatever works best for you is what you should stick with.

I like Traefik because you can mount /var/run/docker.sock:/var/run/docker.sock:ro to Traefik, then it can read labels from containers, and automatically wire up new instances based on labels on them. I'm sure there's equivalent in other reverse proxy solutions, but as I said, it works for me and I like it.

I give that container my Cloudflare origin certificate, everything gets encrypted in transit to Cloudflare, and then Cloudflare handles all the SSL management for me, as well as provide extra layer of DDOS protection.

[–] [email protected] 1 points 1 year ago (2 children)

Thanks for the suggestion! Does cloudflare essentially fulfill the same role as letsencrypt (with DDOS protection added)? I've heard of cloudflare but I'm not particularly familiar with them.

[–] chiisana 1 points 1 year ago

Yep! Basicall, they sit between you and your visitors as a reverse proxy. When you domain is accessed through their infrastructure (you set this up via DNS), they’ll sign SSL for you domains so you don’t need to worry about it. Using the origin certificate secures communication from your server to theirs, so there’s no point in the chain being left in the open. They’ll even do DDOS protection and some basic web application firewall for free as well.

Additionally, since they’re globally distributed, your website could have static content cached closer to your visitor, thereby giving a faster experience.

They’ve also added lots of great stuff to help with locking down remote access to your internal infrastructure. For example if I want to SSH into my homelab, I don’t have to expose my SSH globally, and when I try to access it, I get a browser pop up asking me to login to my SSO, and then grants access.

I really enjoy and recommend trying their free offering.

[–] [email protected] 0 points 1 year ago

Yes, it can provide a SSL connection to the end-user even though you're just serving http with no cert. However it is yet another moving part that can break or be mis-configured and yet another bunch of capitalists data-mining all the things.