Route domain name to Docker containers on Synology NAS? (lemmy.world)

submitted 1 year ago by schmurnan@lemmy.world to c/selfhosted@lemmy.world

40 comments fedilink hide all child comments

I'm sure I'm massively overthinking this, but any help would be greatly appreciated.

I have a domain name that I bought through NameCheap and I've pointed it to Cloudflare (i.e. updated the name servers). I have a Synology NAS on which I run Docker and a few containers. Up until now I've done this using IP addresses and ports to access everything (I have a Homepage container running and just link to everything from there).

But I want to setup SSL and start running Vaultwarden, hence purchasing a domain name to make it all easier.

I tried creating an A record in Cloudflare to point to the internal IP of my NAS (and obviously, this couldn't be orange-clouded through CF because it's internal to my LAN). I'm very reluctant to point the A record to the external IP of my NAS (which, for added headache is dynamic, so I'd need to get some kind of DDNS) because I don't want to expose everything on my NAS to the Internet. In actual fact, I'm not precious about accessing any of this stuff over the internet - if I need remote access I have a Tailscale container running that I can connect to (more on that later in the post). The domain name was purely for ease of setting up SSL and Vaultwarden.

So I guess my questions are:

What is the best way to go about this - do I create a DDNS on the NAS and point that external IP address to my domain in Cloudflare, then use Traefik to just expose the containers I want to have access to using subdomains?
If so, then how do I know that all other ports aren't accessible (I assume because I'm only going to expose ports 80 and 443 in Traefik?)
What do other people see (i.e. outside my network) if they go to my domain? How do I ensure they can't access my NAS and see some kind of page?
Is there a benefit to using Cloudflare?
How would Pi-hole and local DNS fit into this? I guess I could point my router at Pi-hole for DNS and create my A records on Pi-hole for all my subdomains - but what do I need to setup initially in Cloudflare?
I also have a RPi that has a (very basic) website on it - how do I setup an A record to have Cloudflare point a sub-domain to the Pi's IP address?
Going back to the Tailscale thing - is it possible to point the domain to the IP address of the Tailscale container, so that the domain is only accessible when I switch on the Tailscale VPN? Is this a good idea/bad idea? Is there a better way to do it?

I'm sure these are all noob-type questions, but for the past 6-7 years I've purely used this internally using IP:port combinations, so never had to worry about domain names and external exposure, etc.

Many thanks in advance!

you are viewing a single comment's thread
view the rest of the comments

[-] schmurnan@lemmy.world 1 points 1 year ago

Thanks, and yeah sorry, what I meant was to listen on both ports 80 and 443 and have a redirect in Traefik from 80 to 443 - I don't plan on having anything directly accessible over port 80.

As per another post, I've hit a stumbling block:

OK so made a start with this. Spun up a Pi-hole container, added mydomain.com as an A record in Local DNS, and created a CNAME for traefik.mydomain.com to point to mydomain.com.

In Cloudflare, I removed the mydomain.com A record and the www CNAME record.

Doing an nslookup on mydomain.com I get

Non-authoritative answer:
*** Can't find mydomain.com: No answer

Which I guess is to be expected.

However, when I then navigate to http://traefik.mydomain.com in my browser, I’m met with a Cloudflare error page: https://imgur.com/XhKOywo.

Below is the docker-compose of my traefik container:

traefik:
    container_name: traefik
    image: traefik:latest
    restart: unless-stopped
    networks:
      - medianet
    ports:
      - 80:80
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /volume1/docker/traefik:/etc/traefik
      - /volume1/docker/traefik/access.log:/logs/access.log
      - /volume1/docker/traefik/traefik.log:/logs/traefik.log
      - /volume1/docker/traefik/acme/acme.json:/acme.json
    environment:
      - TZ=Europe/London
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`$TRAEFIK_DASHBOARD_HOST`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      - traefik.http.routers.traefik.service=api@internal

My traefik.yml is also nice and basic at this point:

global:
  sendAnonymousUsage: false

entryPoints:
  web:
    address: ":80"

api:
  dashboard: true
  insecure: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    watch: true
    exposedByDefault: false

log:
  filePath: traefik.log
  level: DEBUG

accessLog:
  filePath: access.log
  bufferingSize: 100

Any ideas what’s going wrong? I’m unclear on why the domain is still routing to Cloudflare.

[-] Kangie@lemmy.srcfiles.zip 1 points 1 year ago

Sorry about the delay.

Probably TTL to be honest, it can take a long time for DNS changes to propagate. You'd typically set the TTL really low, wait a while, then change the value, then set the TTL back.

[-] schmurnan@lemmy.world 1 points 1 year ago

No problem, I appreciate the help!

So I've made a fair bit of progress now - I've managed to get all my containers working behind the Traefik reverse proxy with SSL. I've also deployed a Cloudflare DDNS container in Docker and have linked the external IP address of my Synology NAS to Cloudflare. I haven't port forwarded 80 and 443, though, so it's not accessible over the internet. So I've added local DNS into Pi-hole so I can access all the containers using subdomains.

I've also deployed an Authelia container and have started running through my containers adding 2FA in front of them all.

I should probably point out at this juncture, that if I encounter any errors, the HTTP 404 page that I get is a Cloudflare one - I assume that's expected behaviour?

So, the final three bits I'm struggling with now are:

Pi-hole behind the reverse proxy
Portainer behind the reverse proxy
Accessing Vaultwarden over the internet (because as soon as I leave my house, if the vault hasn't synced then I don't have access to all my passwords) - unless anybody has a better suggestion?

Portainer - I have no idea how I do it, because I use it to manage my containers, so don't have the config for Portainer in Portainer (obviously). So if I screw up the config, how am I getting back in to Portainer to fix it?

And the far more troubling one is Pi-hole. I just cannot get that thing working behind the reverse proxy.

I've followed a few different guides (though none of them are recent), and the below is the latest docker-compose I have. It will bring up the login page, but when I login it keeps returning me back to the login page - it won't go to the main admin page.

version: "3.7"

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    networks:
      - medianet
      - npm_network
    ports:
      - 8008:80
      - 53:53/tcp
      - 53:53/udp
    environment:
      - TZ=Europe/London
      - WEBPASSWORD=xxxxxxxxxx
      - FTLCONF_LOCAL_IPV4=192.168.1.116
      - WEBTHEME=default-auto
      - DNSMASQ_LISTENING=ALL
      - VIRTUAL_HOST=pihole.mydomain.com
    volumes:
      - /path/to/pihole:/etc/pihole
      - /path/to/pihole/dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    labels:
      - traefik.enable=true
      - traefik.http.routers.pihole.entrypoints=http
      - traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)
      - traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.pihole.middlewares=pihole-https-redirect
      - traefik.http.middlewares.pihole-addprefix.addprefix.prefix=/admin
      - traefik.http.routers.pihole.middlewares=pihole-addprefix
      - traefik.http.routers.pihole-secure.entrypoints=https
      - traefik.http.routers.pihole-secure.rule=Host(`pihole.mydomain.com`)
      - traefik.http.routers.pihole-secure.tls=true
      - traefik.http.routers.pihole-secure.service=pihole
      - traefik.http.services.pihole.loadbalancer.server.port=80

networks:
  medianet:
    external: true
  npm_network:
    external: true

this post was submitted on 26 Jul 2023

16 points (100.0% liked)

Selfhosted

39980 readers

619 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz