I’m sure I’m massively overthinking this, but any help would be greatly appreciated.

I have a domain name that I bought through NameCheap and I’ve pointed it to Cloudflare (i.e. updated the name servers). I have a Synology NAS on which I run Docker and a few containers. Up until now I’ve done this using IP addresses and ports to access everything (I have a Homepage container running and just link to everything from there).

But I want to setup SSL and start running Vaultwarden, hence purchasing a domain name to make it all easier.

I tried creating an A record in Cloudflare to point to the internal IP of my NAS (and obviously, this couldn’t be orange-clouded through CF because it’s internal to my LAN). I’m very reluctant to point the A record to the external IP of my NAS (which, for added headache is dynamic, so I’d need to get some kind of DDNS) because I don’t want to expose everything on my NAS to the Internet. In actual fact, I’m not precious about accessing any of this stuff over the internet - if I need remote access I have a Tailscale container running that I can connect to (more on that later in the post). The domain name was purely for ease of setting up SSL and Vaultwarden.

So I guess my questions are:

  • What is the best way to go about this - do I create a DDNS on the NAS and point that external IP address to my domain in Cloudflare, then use Traefik to just expose the containers I want to have access to using subdomains?
  • If so, then how do I know that all other ports aren’t accessible (I assume because I’m only going to expose ports 80 and 443 in Traefik?)
  • What do other people see (i.e. outside my network) if they go to my domain? How do I ensure they can’t access my NAS and see some kind of page?
  • Is there a benefit to using Cloudflare?
  • How would Pi-hole and local DNS fit into this? I guess I could point my router at Pi-hole for DNS and create my A records on Pi-hole for all my subdomains - but what do I need to setup initially in Cloudflare?
  • I also have a RPi that has a (very basic) website on it - how do I setup an A record to have Cloudflare point a sub-domain to the Pi’s IP address?
  • Going back to the Tailscale thing - is it possible to point the domain to the IP address of the Tailscale container, so that the domain is only accessible when I switch on the Tailscale VPN? Is this a good idea/bad idea? Is there a better way to do it?

I’m sure these are all noob-type questions, but for the past 6-7 years I’ve purely used this internally using IP:port combinations, so never had to worry about domain names and external exposure, etc.

Many thanks in advance!

  • schmurnan@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Thanks. Yep, subdomains was what I’d planned on: traefik.mydomain.com to access the Traefik dashboard; home.mydomain.com to access the Homepage container. I was planning on spinning up an Authelia container as well to provide 2FA for the services I want protecting. I guess it’d also be nice to have some kind of landing page for traffic coming directly to www.mydomain.com or mydomain.com as well.

    Ideally I don’t want to port forward, so would I need to rely on Traefik to redirect the traffic from port 80 to port 443, and then proxy from port 443 to the required container? How do I therefore stop traffic from hitting the DSM admin on ports 5000/5001 for example?

    I need to figure out a starting point to get traffic from my domain into my NAS (safely) then start spinning up containers and have Traefik route them appropriately, then I can look at Pi-hole/local DNS and Tailscale. And then I guess SSL.

    • Kangie@lemmy.srcfiles.zip
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Ideally I don’t want to port forward, so would I need to rely on Traefik to redirect the traffic from port 80 to port 443, and then proxy from port 443 to the required container? How do I therefore stop traffic from hitting the DSM admin on ports 5000/5001 for example?

      That’s not quite how it works - the port forwarding is on your internet gateway to allow traffic on those ports to a specific host internal to your network. That’s your only option if you want these services to be available on the wider web.

      My recommendation around using 80 to redirect to 443 is because in 2023 there’s no reason for that traffic to be unencrypted - just listen on 80 and say “Hey, go to https://example.com” instead.

      If you don’t care about that you can do internal only DNS + VPN into the network and still get the benefits of free SSL certificates via the LetsEncrypt DNS01 challenge.

      • schmurnan@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        Thanks, and yeah sorry, what I meant was to listen on both ports 80 and 443 and have a redirect in Traefik from 80 to 443 - I don’t plan on having anything directly accessible over port 80.

        As per another post, I’ve hit a stumbling block:

        OK so made a start with this. Spun up a Pi-hole container, added mydomain.com as an A record in Local DNS, and created a CNAME for traefik.mydomain.com to point to mydomain.com.

        In Cloudflare, I removed the mydomain.com A record and the www CNAME record.

        Doing an nslookup on mydomain.com I get

        Non-authoritative answer:
        *** Can't find mydomain.com: No answer
        

        Which I guess is to be expected.

        However, when I then navigate to http://traefik.mydomain.com in my browser, I’m met with a Cloudflare error page: https://imgur.com/XhKOywo.

        Below is the docker-compose of my traefik container:

        traefik:
            container_name: traefik
            image: traefik:latest
            restart: unless-stopped
            networks:
              - medianet
            ports:
              - 80:80
            volumes:
              - /etc/localtime:/etc/localtime:ro
              - /var/run/docker.sock:/var/run/docker.sock:ro
              - /volume1/docker/traefik:/etc/traefik
              - /volume1/docker/traefik/access.log:/logs/access.log
              - /volume1/docker/traefik/traefik.log:/logs/traefik.log
              - /volume1/docker/traefik/acme/acme.json:/acme.json
            environment:
              - TZ=Europe/London
            labels:
              - traefik.enable=true
              - traefik.http.routers.traefik.rule=Host(`$TRAEFIK_DASHBOARD_HOST`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
              - traefik.http.routers.traefik.service=api@internal
        

        My traefik.yml is also nice and basic at this point:

        global:
          sendAnonymousUsage: false
        
        entryPoints:
          web:
            address: ":80"
        
        api:
          dashboard: true
          insecure: true
        
        providers:
          docker:
            endpoint: "unix:///var/run/docker.sock"
            watch: true
            exposedByDefault: false
        
        log:
          filePath: traefik.log
          level: DEBUG
        
        accessLog:
          filePath: access.log
          bufferingSize: 100
        

        Any ideas what’s going wrong? I’m unclear on why the domain is still routing to Cloudflare.

        • Kangie@lemmy.srcfiles.zip
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Sorry about the delay.

          Probably TTL to be honest, it can take a long time for DNS changes to propagate. You’d typically set the TTL really low, wait a while, then change the value, then set the TTL back.