I’m sure I’m massively overthinking this, but any help would be greatly appreciated.
I have a domain name that I bought through NameCheap and I’ve pointed it to Cloudflare (i.e. updated the name servers). I have a Synology NAS on which I run Docker and a few containers. Up until now I’ve done this using IP addresses and ports to access everything (I have a Homepage container running and just link to everything from there).
But I want to set up SSL and start running Vaultwarden, hence purchasing a domain name to make it all easier.
I tried creating an A record in Cloudflare to point to the internal IP of my NAS (and obviously, this couldn’t be orange-clouded through CF because it’s internal to my LAN). I’m very reluctant to point the A record to the external IP of my NAS (which, for added headache is dynamic, so I’d need to get some kind of DDNS) because I don’t want to expose everything on my NAS to the Internet. In actual fact, I’m not precious about accessing any of this stuff over the internet - if I need remote access I have a Tailscale container running that I can connect to (more on that later in the post). The domain name was purely for ease of setting up SSL and Vaultwarden.
So I guess my questions are:
- What is the best way to go about this - do I create a DDNS on the NAS and point that external IP address to my domain in Cloudflare, then use Traefik to just expose the containers I want to have access to using subdomains?
- If so, then how do I know that all other ports aren’t accessible (I assume because I’m only going to expose ports 80 and 443 in Traefik?)
- What do other people see (i.e. outside my network) if they go to my domain? How do I ensure they can’t access my NAS and see some kind of page?
- Is there a benefit to using Cloudflare?
- How would Pi-hole and local DNS fit into this? I guess I could point my router at Pi-hole for DNS and create my A records on Pi-hole for all my subdomains - but what do I need to set up initially in Cloudflare?
- I also have a RPi that has a (very basic) website on it - how do I set up an A record to have Cloudflare point a sub-domain to the Pi’s IP address?
- Going back to the Tailscale thing - is it possible to point the domain to the IP address of the Tailscale container, so that the domain is only accessible when I switch on the Tailscale VPN? Is this a good idea/bad idea? Is there a better way to do it?
I’m sure these are all noob-type questions, but for the past 6-7 years I’ve purely used this internally using IP:port combinations, so never had to worry about domain names and external exposure, etc.
Many thanks in advance!
Thanks, and yeah sorry, what I meant was to listen on both ports 80 and 443 and have a redirect in Traefik from 80 to 443 - I don’t plan on having anything directly accessible over port 80.
As per another post, I’ve hit a stumbling block:
OK, so I’ve made a start with this. Spun up a Pi-hole container, added mydomain.com as an A record in Local DNS, and created a CNAME for traefik.mydomain.com to point to mydomain.com.
In Cloudflare, I removed the mydomain.com A record and the www CNAME record.
Doing an nslookup on mydomain.com I get
Non-authoritative answer: *** Can't find mydomain.com: No answer
Which I guess is to be expected.
However, when I then navigate to http://traefik.mydomain.com in my browser, I’m met with a Cloudflare error page: https://imgur.com/XhKOywo.
Below is the docker-compose of my traefik container:
traefik:
  container_name: traefik
  image: traefik:latest
  restart: unless-stopped
  networks:
    - medianet
  ports:
    - 80:80
  volumes:
    - /etc/localtime:/etc/localtime:ro
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /volume1/docker/traefik:/etc/traefik
    - /volume1/docker/traefik/access.log:/logs/access.log
    - /volume1/docker/traefik/traefik.log:/logs/traefik.log
    - /volume1/docker/traefik/acme/acme.json:/acme.json
  environment:
    - TZ=Europe/London
  labels:
    - traefik.enable=true
    - traefik.http.routers.traefik.rule=Host(`$TRAEFIK_DASHBOARD_HOST`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
    - traefik.http.routers.traefik.service=api@internal
My traefik.yml is also nice and basic at this point:
global:
  sendAnonymousUsage: false
entryPoints:
  web:
    address: ":80"
api:
  dashboard: true
  # insecure: true also serves the dashboard unauthenticated on port 8080 inside the
  # container; that is only acceptable while 8080 is not published to the host.
  insecure: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false
log:
  # Absolute paths so the files land in the /logs/... bind mounts from the compose file;
  # a relative traefik.log would be written to the container's working directory instead.
  filePath: /logs/traefik.log
  level: DEBUG
accessLog:
  filePath: /logs/access.log
  bufferingSize: 100
Any ideas what’s going wrong? I’m unclear on why the domain is still routing to Cloudflare.
Sorry about the delay.
Probably TTL to be honest, it can take a long time for DNS changes to propagate. You’d typically set the TTL really low, wait a while, then change the value, then set the TTL back.
No problem, I appreciate the help!
So I’ve made a fair bit of progress now - I’ve managed to get all my containers working behind the Traefik reverse proxy with SSL. I’ve also deployed a Cloudflare DDNS container in Docker and have linked the external IP address of my Synology NAS to Cloudflare. I haven’t port forwarded 80 and 443, though, so it’s not accessible over the internet. So I’ve added local DNS into Pi-hole so I can access all the containers using subdomains.
I’ve also deployed an Authelia container and have started running through my containers adding 2FA in front of them all.
I should probably point out at this juncture, that if I encounter any errors, the HTTP 404 page that I get is a Cloudflare one - I assume that’s expected behaviour?
So, the final three bits I’m struggling with now are:
Portainer - I have no idea how I do it, because I use it to manage my containers, so don’t have the config for Portainer in Portainer (obviously). So if I screw up the config, how am I getting back into Portainer to fix it?
And the far more troubling one is Pi-hole. I just cannot get that thing working behind the reverse proxy.
I’ve followed a few different guides (though none of them are recent), and the below is the latest docker-compose I have. It will bring up the login page, but when I log in it keeps returning me back to the login page - it won’t go to the main admin page.
version: "3.7"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    networks:
      - medianet
      - npm_network
    ports:
      # 8008:80 publishes the admin UI directly on the NAS, reachable without going
      # through Traefik (or any Authelia middleware on its router).
      - 8008:80
      - 53:53/tcp
      - 53:53/udp
    environment:
      - TZ=Europe/London
      - WEBPASSWORD=xxxxxxxxxx
      - FTLCONF_LOCAL_IPV4=192.168.1.116
      - WEBTHEME=default-auto
      - DNSMASQ_LISTENING=ALL
      - VIRTUAL_HOST=pihole.mydomain.com
    volumes:
      - /path/to/pihole:/etc/pihole
      - /path/to/pihole/dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    labels:
      - traefik.enable=true
      - traefik.http.routers.pihole.entrypoints=http
      - traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)
      - traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.pihole-addprefix.addprefix.prefix=/admin
      # A router's middlewares label is one comma-separated list. The original file set
      # traefik.http.routers.pihole.middlewares twice, so only the last value applied.
      - traefik.http.routers.pihole.middlewares=pihole-https-redirect,pihole-addprefix
      - traefik.http.routers.pihole-secure.entrypoints=https
      - traefik.http.routers.pihole-secure.rule=Host(`pihole.mydomain.com`)
      - traefik.http.routers.pihole-secure.tls=true
      - traefik.http.routers.pihole-secure.service=pihole
      - traefik.http.services.pihole.loadbalancer.server.port=80
networks:
  medianet:
    external: true
  npm_network:
    external: true
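As an added check that is not part of the thread, for the earlier question about whether ports other than 80 and 443 stay unreachable: this script walks a constructed subset of the compose services discussed above and reports every host-published port that can be reached without passing through Traefik, such as Pi-hole's 8008:80, which skips the proxy and any Authelia middleware on its router. It assumes the compose short port syntax host[:ip]:container[/proto] and the Traefik label names used in the thread; the service list is sample input, not the poster's exact files.

```python
import re
from collections import namedtuple

# Constructed subset of the thread's compose services (sample input, not the poster's exact files).
SERVICES = {
    "traefik": {"ports": ["80:80", "443:443"], "labels": ["traefik.enable=true"]},
    "pihole": {"ports": ["8008:80", "53:53/tcp", "53:53/udp"],
               "labels": ["traefik.enable=true",
                          "traefik.http.services.pihole.loadbalancer.server.port=80"]},
    "vaultwarden": {"ports": [], "labels": ["traefik.enable=true",
                    "traefik.http.services.vaultwarden.loadbalancer.server.port=80"]},
}
# host_ip "" means every interface (0.0.0.0), i.e. reachable from the whole LAN.
Published = namedtuple("Published", "host_ip host_port container_port proto")
# Compose short syntax: [host_ip:]host_port:container_port[/proto]
_PORT_RE = re.compile(r"^(?:(?P<ip>[\d.]+):)?(?P<host>\d+):(?P<cont>\d+)(?:/(?P<proto>tcp|udp))?$")

def parse_port_spec(spec):
    m = _PORT_RE.match(str(spec))
    if not m:
        raise ValueError(f"unsupported port spec (use host:container[/proto]): {spec!r}")
    return Published(m["ip"] or "", int(m["host"]), int(m["cont"]), m["proto"] or "tcp")

def backend_port(labels):
    """Container port Traefik forwards to, from the loadbalancer.server.port label."""
    for lab in labels:
        m = re.match(r"traefik\.http\.services\.[^.]+\.loadbalancer\.server\.port=(\d+)$", lab)
        if m:
            return int(m.group(1))
    return None

def audit(services, proxy="traefik", proxy_ports=(80, 443)):
    """Return (service, 'port/proto', reason) for each published port reachable without the proxy."""
    findings = []
    for name, svc in services.items():
        labels = svc.get("labels", [])
        backend = backend_port(labels) if "traefik.enable=true" in labels else None
        for spec in svc.get("ports", []):
            p = parse_port_spec(spec)
            if name == proxy and p.host_port in proxy_ports:
                continue  # the proxy's own entry points are the intended exposure
            if p.host_ip.startswith("127."):
                continue  # loopback-only publish: not reachable from the LAN
            if p.proto == "tcp" and p.container_port == backend:
                reason = "bypasses Traefik (and any Authelia middleware on its router)"
            else:
                reason = "published on all interfaces"
            findings.append((name, f"{p.host_port}/{p.proto}", reason))
    return findings
```

Running `audit(SERVICES)` lists Pi-hole's 8008/tcp as a proxy bypass and its 53/tcp and 53/udp as LAN-wide publishes (DNS needs those), while Vaultwarden, which publishes nothing, is reachable only via Traefik.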