I’m sure I’m massively overthinking this, but any help would be greatly appreciated.

I have a domain name that I bought through NameCheap and I’ve pointed it to Cloudflare (i.e. updated the name servers). I have a Synology NAS on which I run Docker and a few containers. Up until now I’ve done this using IP addresses and ports to access everything (I have a Homepage container running and just link to everything from there).

But I want to setup SSL and start running Vaultwarden, hence purchasing a domain name to make it all easier.

I tried creating an A record in Cloudflare to point to the internal IP of my NAS (and obviously, this couldn’t be orange-clouded through CF because it’s internal to my LAN). I’m very reluctant to point the A record to the external IP of my NAS (which, for added headache is dynamic, so I’d need to get some kind of DDNS) because I don’t want to expose everything on my NAS to the Internet. In actual fact, I’m not precious about accessing any of this stuff over the internet - if I need remote access I have a Tailscale container running that I can connect to (more on that later in the post). The domain name was purely for ease of setting up SSL and Vaultwarden.

So I guess my questions are:

  • What is the best way to go about this - do I create a DDNS on the NAS and point that external IP address to my domain in Cloudflare, then use Traefik to just expose the containers I want to have access to using subdomains?
  • If so, then how do I know that all other ports aren’t accessible (I assume because I’m only going to expose ports 80 and 443 in Traefik?)
  • What do other people see (i.e. outside my network) if they go to my domain? How do I ensure they can’t access my NAS and see some kind of page?
  • Is there a benefit to using Cloudflare?
  • How would Pi-hole and local DNS fit into this? I guess I could point my router at Pi-hole for DNS and create my A records on Pi-hole for all my subdomains - but what do I need to setup initially in Cloudflare?
  • I also have a RPi that has a (very basic) website on it - how do I setup an A record to have Cloudflare point a sub-domain to the Pi’s IP address?
  • Going back to the Tailscale thing - is it possible to point the domain to the IP address of the Tailscale container, so that the domain is only accessible when I switch on the Tailscale VPN? Is this a good idea/bad idea? Is there a better way to do it?

I’m sure these are all noob-type questions, but for the past 6-7 years I’ve purely used this internally using IP:port combinations, so never had to worry about domain names and external exposure, etc.

Many thanks in advance!

  • DRx@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    1 year ago

    I do this for some dockers in my unraid, except I use the zero trust tunnels. MUCH easier, can use SSL, and can set up a login page for users. Also, you don’t have to open any ports on your router!

    Im not sure about synology, but I would assume you can find a “cloudflared” docker in the app store.

    check out this youtube video for a good explanation: https://www.youtube.com/watch?v=ZvIdFs3M5ic

      • DRx@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Christian brings up some great points worthy of consideration; however, if your going to use traditional routing through their network (A/cname) your still doing the same thing. CF will still see your traffic.

        The second thing I should say is, I only use zero trust for websites I share with family. So, I have a Searxng and wef/voyager dockers running through zero trust.

        For admin, homeassistant/iot/ip cams, I use an always on IPSec vpn on my iPhone, iPad, and steam deck (take it to work and plug into 3rd monitor) … this is cool because I get 24/7 ad blocking no matter where I am because it routes all my traffic through my pihole at home. This is a great solution for a single person, but I do not want to manage vpn access for multiple ppl. So, I agree with christian in NOT putting admin stuff/sensitive info behind CF at all (zero trust OR tradition web routing) unless you fully trust them. Otherwise do a 24/7 vpn like I do.