I’m sure I’m massively overthinking this, but any help would be greatly appreciated.
I have a domain name that I bought through NameCheap and I’ve pointed it to Cloudflare (i.e. updated the name servers). I have a Synology NAS on which I run Docker and a few containers. Up until now I’ve done this using IP addresses and ports to access everything (I have a Homepage container running and just link to everything from there).
But I want to setup SSL and start running Vaultwarden, hence purchasing a domain name to make it all easier.
I tried creating an A record in Cloudflare to point to the internal IP of my NAS (and obviously, this couldn’t be orange-clouded through CF because it’s internal to my LAN). I’m very reluctant to point the A record to the external IP of my NAS (which, for added headache is dynamic, so I’d need to get some kind of DDNS) because I don’t want to expose everything on my NAS to the Internet. In actual fact, I’m not precious about accessing any of this stuff over the internet - if I need remote access I have a Tailscale container running that I can connect to (more on that later in the post). The domain name was purely for ease of setting up SSL and Vaultwarden.
So I guess my questions are:
- What is the best way to go about this - do I create a DDNS on the NAS and point that external IP address to my domain in Cloudflare, then use Traefik to just expose the containers I want to have access to using subdomains?
- If so, then how do I know that all other ports aren’t accessible (I assume because I’m only going to expose ports 80 and 443 in Traefik?)
- What do other people see (i.e. outside my network) if they go to my domain? How do I ensure they can’t access my NAS and see some kind of page?
- Is there a benefit to using Cloudflare?
- How would Pi-hole and local DNS fit into this? I guess I could point my router at Pi-hole for DNS and create my A records on Pi-hole for all my subdomains - but what do I need to setup initially in Cloudflare?
- I also have a RPi that has a (very basic) website on it - how do I setup an A record to have Cloudflare point a sub-domain to the Pi’s IP address?
- Going back to the Tailscale thing - is it possible to point the domain to the IP address of the Tailscale container, so that the domain is only accessible when I switch on the Tailscale VPN? Is this a good idea/bad idea? Is there a better way to do it?
I’m sure these are all noob-type questions, but for the past 6-7 years I’ve purely used this internally using IP:port combinations, so never had to worry about domain names and external exposure, etc.
Many thanks in advance!
Thanks, and yeah sorry, what I meant was to listen on both ports 80 and 443 and have a redirect in Traefik from 80 to 443 - I don’t plan on having anything directly accessible over port 80.
As per another post, I’ve hit a stumbling block:
OK so made a start with this. Spun up a Pi-hole container, added mydomain.com as an A record in Local DNS, and created a CNAME for traefik.mydomain.com to point to mydomain.com.
In Cloudflare, I removed the mydomain.com A record and the www CNAME record.
Doing an nslookup on mydomain.com I get
Non-authoritative answer: *** Can't find mydomain.com: No answer
Which I guess is to be expected.
However, when I then navigate to http://traefik.mydomain.com in my browser, I’m met with a Cloudflare error page: https://imgur.com/XhKOywo.
Below is the docker-compose of my traefik container:
traefik: container_name: traefik image: traefik:latest restart: unless-stopped networks: - medianet ports: - 80:80 volumes: - /etc/localtime:/etc/localtime:ro - /var/run/docker.sock:/var/run/docker.sock:ro - /volume1/docker/traefik:/etc/traefik - /volume1/docker/traefik/access.log:/logs/access.log - /volume1/docker/traefik/traefik.log:/logs/traefik.log - /volume1/docker/traefik/acme/acme.json:/acme.json environment: - TZ=Europe/London labels: - traefik.enable=true - traefik.http.routers.traefik.rule=Host(`$TRAEFIK_DASHBOARD_HOST`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`)) - traefik.http.routers.traefik.service=api@internal
My traefik.yml is also nice and basic at this point:
global: sendAnonymousUsage: false entryPoints: web: address: ":80" api: dashboard: true insecure: true providers: docker: endpoint: "unix:///var/run/docker.sock" watch: true exposedByDefault: false log: filePath: traefik.log level: DEBUG accessLog: filePath: access.log bufferingSize: 100
Any ideas what’s going wrong? I’m unclear on why the domain is still routing to Cloudflare.
Sorry about the delay.
Probably TTL to be honest, it can take a long time for DNS changes to propagate. You’d typically set the TTL really low, wait a while, then change the value, then set the TTL back.