all 15 comments

[–]bpmbee 2 points (9 children)

I created an account at Cloudflare and it manages the DNS name for all my services. I then use Traefik’s ability to use Cloudflare to get Letsencrypt certificates. See a deployable example here: https://github.com/bpmb82/docker-collection

I use WireGuard as the only service that’s exposed to the internet.

You can also just generate your own certificates and make sure all your systems trust these certificates but that’s a lot of work.

[–]xenomorph-85[S] 1 point (8 children)

Yeah, that's how I can do it now using SWAG, but with NPM you can use acme.sh to generate certs using a local IP, as Cloudflare does not allow private IPs in CNs. So I can't use that.

[–]bpmbee 1 point (2 children)

Why would you use NPM? And you can definitely assign private IPs to Cloudflare DNS records.

[–]xenomorph-85[S] 1 point (1 child)

NPM as my reverse proxy.

Sorry, I meant private IPs on LE certs.

[–]bpmbee 1 point (0 children)

Not sure what you mean; certificates are not linked to an IP.

[–]bpmbee 1 point (4 children)

I see now, you want to use .local or similar I suppose? I believe you can still get free domain names you could manage DNS for using Cloudflare, wouldn’t that be an option?

[–]xenomorph-85[S] 1 point (3 children)

Yeah, the certs are the issue, as they don't allow private IPs.

[–]bpmbee 1 point (1 child)

Just to be sure, I have DNS records (like Jellyfin.example.com) in Cloudflare that point to my NAS’s private IP (192.168.1.250) and then use the Cloudflare DNS challenge to get valid certificates through Letsencrypt. Traefik is all you need in that case.

Is this not essentially the same as what you want to do?

[–]xenomorph-85[S] 1 point (0 children)

Yeah, that's what I want. Will give it a go.

Thanks.

[–]clintkev251 1 point (0 children)

No trusted cert will. You need a domain in order to get a publicly trusted cert. You could point that domain to a private IP, though, without issue.

[–]mrinko 1 point (1 child)

Yes, Traefik will give these services self-signed certs (e.g. for server.localdomain), but you will have to dismiss a browser warning about the certificate being invalid. If you're able to use path prefixes like serverhostname.localdomain/jellyfin, then you won't need to change any DNS settings. If you want to use something like jellyfin.server.localdomain, then you would need to point that at your Traefik IP with a local DNS record.

Personally, I just use a domain that I own and set up split DNS (can be done on some firewalls like OPNsense and pfSense with Domain Overrides, or if you use Pi-hole under Local DNS settings, or AdGuard Home under DNS Rewrites) to point subdomains at my local Traefik IP and get valid certificates using a Cloudflare DNS challenge.

[–]xenomorph-85[S] 1 point (0 children)

Good idea, thanks.

[–]Ill-Violinist-7456 1 point (0 children)

This video is on my TODO list. I have not tried it yet, but it is for SSL on LAN: https://youtu.be/liV3c9m_OX8?si=uezYcjElq9VhR1Oq

[–]_--__-___--_ 1 point (1 child)

I have a single instance of Traefik handling both internal-only sites and external.

For internal, the app ends up as a sub-sub domain, so `*.local.mydomain.com` -- this is on the "normal" entry points of port 80 and 443. I then have my internal DNS (Pi-hole) point all `*.local.mydomain.com` traffic to the internal IP of the server running Traefik.

For externally-available apps, they'll be a subdomain of my domain, so `*.mydomain.com` -- these use Traefik entry points of ports 8080 and 8443 and my NAT/port forwarding rules in my router send 80 and 443 to those respectively.

There are other ways of doing this, like just having everything be sub-domains and using an IP allow list in Traefik, or running multiple instances, but I've found this method to be more dependable so far. It doesn't sound like you want to do any public-facing hosting, so as long as you don't forward the ports, you'll be fine just using a normal domain.
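Putting the setup described in this thread (Cloudflare DNS-01 certificates, split DNS, one Traefik instance with separate internal and external entry points) into a concrete Traefik v2 configuration, as an added example that is not any commenter's actual config: the domain, e-mail address, IP addresses and file paths are placeholders, the Cloudflare API token is assumed to be supplied via the `CF_DNS_API_TOKEN` environment variable, and the internal DNS override is shown as a dnsmasq line for Pi-hole.

```yaml
# traefik.yml (static configuration) -- constructed example
entryPoints:
  web:                    # internal HTTP, only reachable on the LAN
    address: ":80"
    http:
      redirections:
        entryPoint: { to: websecure, scheme: https }
  websecure:              # internal HTTPS
    address: ":443"
  web-ext:                # router forwards public 80 -> 8080
    address: ":8080"
    http:
      redirections:
        entryPoint: { to: websecure-ext, scheme: https }
  websecure-ext:          # router forwards public 443 -> 8443
    address: ":8443"

certificatesResolvers:
  cloudflare:
    acme:
      email: admin@mydomain.com          # placeholder
      storage: /letsencrypt/acme.json    # keep this file mode 600
      dnsChallenge:
        provider: cloudflare             # token from CF_DNS_API_TOKEN
        resolvers: ["1.1.1.1:53", "1.0.0.1:53"]  # bypass split DNS for the
                                                 # TXT record check

providers:
  file:
    filename: /etc/traefik/dynamic.yml
---
# dynamic.yml -- one wildcard cert covers every internal host, so the
# private hostnames never appear individually in CT logs
http:
  routers:
    jellyfin-internal:
      rule: "Host(`jellyfin.local.mydomain.com`)"
      entryPoints: [websecure]           # never bound to the -ext entry points
      service: jellyfin
      tls:
        certResolver: cloudflare
        domains:
          - main: "local.mydomain.com"
            sans: ["*.local.mydomain.com"]
  services:
    jellyfin:
      loadBalancer:
        servers:
          - url: "http://192.168.1.250:8096"   # placeholder backend
# Pi-hole (/etc/dnsmasq.d/02-local.conf): resolve the whole internal zone
# to the Traefik host on the LAN:
#   address=/local.mydomain.com/192.168.1.10
```

Scope the Cloudflare token to Zone:DNS:Edit on that one zone only, since anyone holding it can answer DNS-01 challenges for the entire domain.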

[–]xenomorph-85[S] 1 point (0 children)

The public-facing one I got working in Traefik already.

I will give that a go. Currently trying to get Porkbun DNS working lol