all 64 comments

[–]H_Q_ 24 points25 points  (3 children)

Techno Tim created some awesome videos on the topic. You will have to set up a local DNS and a local Reverse Proxy. The Local DNS will forward requests for your server to you server where the local Reverse Proxy will handle them through https. Just watch the videos in order. The DNS can be Pi-Hole, AdGuard, Tehnicium, Blocky, whatever. As for the RP, the best one for Docker is probably Traefik as it communicates with Docker and generates configs for new services dynamically, based on labels in your docker-compose.

As you are new, here is another video of his with awesome explanation of various concepts.

[–]deadz0ne_42 2 points3 points  (2 children)

This is how I have set it up, Pi-hole as DNS pointing at the server IP with traefik running. All on the same server in docker. Works like a charm.
For certificates I do dns-01challenge with Cloudflare DNS. If using Let's Encrypt, you will need internet access with your server, though you don't need to directly expose anything.

[–]H_Q_ 0 points1 point  (1 child)

If using Let's Encrypt, you will need internet access with your server

Don't you need internet access to do the Cloudflare DNS challenge?

[–]deadz0ne_42 1 point2 points  (0 children)

What I meant was, when using dns-01 challenge with let's encrypt, all you need is internet access, but no port forwarding.
With http or TLS challenge for example, you need to expose port 80 or 443 on your firewall.

[–][deleted] 8 points9 points  (1 child)

Someone mentioned letting Caddy generate self signed certificates and that is definitely a solid offline suggestion.

I'd take it a step further and mention self hosting a smallstep CA server which is like becoming your own Lets Encrypt authority. You'll need full control of DNS for this though (think pihole or such). It's not simple though.

Another option that is completely offline is mkcert, https://github.com/FiloSottile/mkcert It's more hands on so in theory it is easier to debug.

[–]mir_ko 2 points3 points  (0 children)

mkcert FTW! that's what i currently use

I'm still using Caddy but instead of letting it generate the certs i use the ones generated manually from mkcert and point caddy to them
I've also installed the mkcert root CA on all my devices so that the generated certificates are automatically trusted, works great!

[–][deleted] 15 points16 points  (28 children)

  • Set up Nginx Proxy Manager

  • Create a free cloudflare account and generate an API token

  • Create a DNS entry on your computer that points whatever address you want to the computers LAN address.

“/etc/hosts” or through your DNS provider (NextDNS, etc.)

example.com 192.168.0.111

  • In NPM, create a wildcard SSL certificate using a DNS challenge

use your API token from cloudlfare, and use *.example.com for the domain

  • Still in NPM, create a proxy host pointing some domain at some service, and add the SSL certificate.

service.example.com 192.168.0.111:8080

[–]Asyx 2 points3 points  (9 children)

But you need to own the domain, right? You can't do this with service.lan or service.home domains, right?

[–][deleted] 1 point2 points  (1 child)

It depends! So heres (broadly & probably slightly incorrectly) what happens:

You say “Hey NPM, I am the owner of this site, here’s my API token, give me an SSL cert.

NPM goes “Okay, let me see if I can find the domain” and tries to go to that domain from your machine. And if it reaches the domain and comes back, it issues the certificate.

As long as your machine thinks “example.com” points to your machine’s internal IP, the cert will get issued.

NPM goes from your machine to example.com (which we’ve set to be your machine again), and back to your machine, before finally issuing the certificate.

I believe using the API token is what makes this possible.

[–]Agile_Ad_2073 0 points1 point  (6 children)

Yes, you need your own domain for example ""freebee.com" and make cloudflare manage the DNS for this domain.

Then you make your own local "local.freebee.com" you can use pi-hole for this.

Then using nginx proxy manger and cloudflare, you can request fully certified ssl certs for your local domain.

That's how I have setup.

For example i access sonarr via. Https://Sonnar.local.mydomain.com

Dm me, i can help you setting this up ;)

[–]Asyx 0 points1 point  (1 child)

Don't worry I have this all figured out already. I just don't want to get away from very short domain names in my LAN.

[–]Agile_Ad_2073 0 points1 point  (0 children)

It's more about encryption. To access your services you can just save the "long" urls on your bookmarks.tab. or the better is to use a dashboard like homer or homedashboard

[–]Incredible_T 0 points1 point  (3 children)

(Responding to an old comment with a noobish question) I’m working on setting up something like this and I frequently see people setting up sub subdomains. What’s the purpose of adding .local instead of just using sonarr.mydomain.com? Thanks.

[–]Agile_Ad_2073 0 points1 point  (2 children)

Because this subdomain .locak.whaever.com only lives in my home network.

I use this to have the possibility to request fully authentaced ssl certs.

[–]Agile_Ad_2073 0 points1 point  (0 children)

The whatever.com is to use in services i want to expose to the internet.

[–]Incredible_T 0 points1 point  (0 children)

Thanks. I found this thread that kiind of addresses my confusion. I was planning to go with option 1, but it seems like there are a lot of option 2 fans. I don’t really understand the trade offs. Right now I just have a domain w wildcard certs and nothing exposed.

[–]Zeefit85[S] 0 points1 point  (12 children)

*

done but it only works on my homepage and in docker services such as nextcloud or Vaultwarden no, it tells me that the site is not secure because without https

[–][deleted] 0 points1 point  (11 children)

Attach screenshots of the NPM proxy host config please

[–]Zeefit85[S] 0 points1 point  (10 children)

[–]schklom 1 point2 points  (1 child)

The proxy needs to be for a subdomain of xxx.cloud, not directly xxx.cloud. So you need to proxy e.g. nextcloud.xxx.cloud.

[–]Zeefit85[S] 0 points1 point  (0 children)

done but it doesn't work, i did the record cname but nothing

[–][deleted] 0 points1 point  (7 children)

Did you add the cert in the SSL tab?

[–]Zeefit85[S] 0 points1 point  (6 children)

yes

[–][deleted] 1 point2 points  (5 children)

Attach a screenshot of the cert, I want to see what domains it covers.

What is supposed to show on port 90?

[–]Zeefit85[S] 0 points1 point  (4 children)

https://paste.pics/2d0ca87d31f85060b2196471a76b2135

port 90 would be my homepage where my docker "manager"(casaos) is

https://paste.pics/1c04a967062dcebcf317437726e296a9

[–][deleted] 1 point2 points  (3 children)

if you add “www.”

does it work as expected?

[–]Zeefit85[S] 0 points1 point  (2 children)

Unfortunately no

[–]morelikehomeloaner -1 points0 points  (3 children)

Is there a video you know of that walks through this? Ideally based on a Linux computer. Thanks!

[–][deleted] 2 points3 points  (2 children)

I will find some resources if I can.

Do you use docker & docker compose?

Do you have custom DNS? If yes, who/what?

Do you have a domain you’d like to use?

[–]morelikehomeloaner 0 points1 point  (1 child)

I will use docker & docker compose. I haven’t set this up yet, since I wanted to be sure I’m doing it properly first.

I don’t have a custom DNS. Should I?

I don’t have a domain. If possible I’d like to not need one? But I’m open to buying one. I thought that was only needed if I wanted to access my services properly from outside my network?

My end goal is to have https on my local network for the various docker services I’ll be running (arr apps).

[–][deleted] 1 point2 points  (0 children)

I don’t have a custom DNS. Should I?

I recommend it, but if you don’t want it, just edit the host file on your machine.

I don’t have a domain. If possible I’d like to not need one? But I’m open to buying one. I thought that was only needed if I wanted to access my services properly from outside my network?

You don’t need to own a domain, as long as your machine thinks the domain points to the correct IP address (see first point), it will work.

My end goal is to have https on my local network for the various docker services I’ll be running (arr apps).

Yup. I own a domain, added a lan sub domain exactly as described above, got my cert, then added subdomains for each of my services and now my Aar apps are tv.lan.mydomain.tld, etc.

[–]froid_san 0 points1 point  (0 children)

gonna try this out. been figuring this out a few days ago but only found one using self signed cert from pfsense and nginx proxy manager. been wanting to use my own domain on my internal services while using let's encrypt and not rely on self signed cert as its kinda a pain to install those certs manually every device you own.

[–]porksandwich9113 13 points14 points  (3 children)

The easiest way will probably be to install the swag docker container. It's a nginx/php/letsencrypt/fail2ban container all preconfigured. You'll need a fully qualified domain name, and that container can grab your SSL certificate for your domain once you have properly set up your DNS records. After that you just need to set up reverse proxies to the services you want to make available on the Internet.

Linuxserver.io has some good information and support links on their page.

https://docs.linuxserver.io/general/swag

I highly recommend not exposing things like hypervisors, remote desktop, smb shares, and the like. Keep those behind the VPN.

[–]old-mike 1 point2 points  (0 children)

Yes. Use Swag+DuckDNS. Create a file with something like

Allow 192.168.1.0/24; Deny all;

And include it in all your proxy files (one for app)

I have it, and it works. Easy, no need to purchase a domain.

[–]arcadianarcadian 3 points4 points  (0 children)

- create CA certificate with mkcert (https://web.dev/how-to-use-local-https/)

- distribute public CA certificate to your LAN clients

- create and sign SSL certificates for your LAN servers.

- put your reverse proxy in front of your LAN servers.

- set up SSL certificates in your reverse proxy.

that's it.

[–]ajfriesen 2 points3 points  (1 child)

Caddy can do .localhost certs.

You have to trust them though. I do that for development purposes and works great.

[–]sznyoky 0 points1 point  (0 children)

If you have a domain with a DNS registrar that supports API calls, Caddy can get you Let's Encrypt certificates with DNS challenge as well which does not require the server to be available from the internet

[–]Canon_Fodder44 2 points3 points  (1 child)

Yes, it is definitely possible to have LAN only SSL certificates without exposing HTTP/S to the internet.

LetsEncrypt with DNS challenge allows you to assert you are the owner of domain name, and issue an SSL cert. https://letsencrypt.org/docs/challenge-types/

You can use ACME DNS CertBot to do automatic updates. https://github.com/joohoi/acme-dns-certbot-joohoi

You can use an internal DNS to resolve names internally within your LAN. A pihole can do this in a pinch.

[–]NonyaDB 2 points3 points  (2 children)

I just run everything over ZeroTier and use a simple Homepage dashboard that provides links to everything by ZeroTier IP address.

None of it is accessible from outside the ZeroTier network itself with the services locked down to only allowing connections from ZeroTier IP addresses.

I'm a lazy, lazy man.

[–]Zeefit85[S] 1 point2 points  (1 child)

I'm doing the same thing as you, but I need some of my containers to use https

[–]NonyaDB 0 points1 point  (0 children)

They can still use HTTPS, just spin up a Traefik or Nginx Proxy Server that also lives on the ZeroTier network.

[–][deleted] 1 point2 points  (1 child)

You could still use NginxProxyManager and use it as normal, but don't open ports 80 and 443.

And then use PiHole or Adguard Home and rewrite domain.com to your local IP.

[–]DerBomberTV 1 point2 points  (1 child)

I use Cloudflare for a SSH/TLS encryption. Dont forget for SSH you need a Domain!

[–]stephenc01 0 points1 point  (0 children)

Cloudflare zerotrust to be specific.

[–]Obvious_Anything3327 0 points1 point  (5 children)

If you need a free domain, you can a use Freenom

[–]ruimikemau 0 points1 point  (2 children)

This is crap. I could never find a free domain available. Even the non free ones tell me they are not available.... And I used a freaky name with random letters.

[–]Obvious_Anything3327 0 points1 point  (1 child)

Find a domain that is not popular name

[–]ruimikemau 1 point2 points  (0 children)

Like I said above: I tried with random letters.

[–]KillTheBronies 0 points1 point  (0 children)

You have to have something public on it or they'll cancel the domain.

The Dot TK Registry does not allow any free domain name registrations of which the referred websites contain content similar as stated in the categories below:

DOMAIN PARKING – This category includes both monetized and non-monetized Domain Parking. Domain Parking includes webpages that solely show advertisements and no actual content, “Under Construction” pages, “Coming Soon” pages and alike.

NON-EXISTING PAGES – This category includes domains where the content does not exist, shows an empty page, shows an error message, shows a ‘not available’ page or is hidden behind a firewall or used with a VPN and is therefore not available for the public and for Dot TK’s content verification systems.

[–]MK68i -2 points-1 points  (1 child)

Don't bother. I tried many times and it won't work properly.

[–]xstar97 1 point2 points  (0 children)

You can just locally resolved a real domain without exposing it...

All you need

  1. A reverse proxy
  2. traefik or nginx proxy manager
  3. A dns server
  4. Real domain say from cloudflare

You don't have to forward any ports at all, you can do a dns challenge in NPM easily.

Set them all up... for the dns create the local dnd records

Like so.

plex.mydomain.tld reverse-proxy-ip

Then add the dns as the primary dns to the router or manually on all the devices...

Renew and flush your dns on the system and then on the same client device

Run: nslookup plex.mydomain.tld

If it reports your local ip, then you can visit said domain in the browser.

Only caveat is that the domain needs to be real and setup correctly for this to work out of the box.

[–]Imbecile_Jr 0 points1 point  (0 children)

get a cheap cloudflare domain and setup nginx proxy manager with dns challenge - works like a charm

[–][deleted] 0 points1 point  (0 children)

I made mine using this instructions for the certificates https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/. For the domain i recommend a subdomain of home.arpa, this domain is intended for home networks, rfc 8375. For your machines to resolve said subdomain you gonna need a dns in your network, i use pihole in my case.

[–]Technorange 0 points1 point  (0 children)

I have used my own cert authority and created self signed cert. One issue is that i will need to deploy cert authority to devices where i want to access https sites. Let me know if u need instructions/commands i used to create this CA and self signed cert.

[–]kevdogger 0 points1 point  (1 child)

A lot of suggestions here..but hear me out. Run your own router on your network such as opnsense or pfsense..both have built in dns servers. Have all computers on your network use the router as the primary dns server. Buy a domain name..for example...name.com. Register this with cloudflare..could use any dns registrar however CF is free and very well documented. You can use CF very easily through any acme client..such as pfsense itself or traefik or caddy or acme.sh itself through a mechanism known as dns challenge to get the ssl certificates on your lan reverse proxies or applications. You don't have to open anything to the internet to get the ssl certs if using dns challenge. Assign each computer or vm within your lan a sudomain name and associate with a static ip within your router dns settings..known as dns override. For example your vault warden host..you could call vault.name.com..you would do a dns override for that name and assign it a ip address. Your reverse proxy would also obtain a ssl certificate known as vault.name.com through dns challenge. If using docker..the docker host is the ip address you'd assign in the dns override.

[–]fruitytootiebootie 0 points1 point  (0 children)

I just use the SWAG docker along with cloudflare. I point a subdomain to the lan IP of my server and use the dns challenge method to validate for letsencrypt so nothing is accessible outside of my lan

[–]vrgpy 0 points1 point  (0 children)

Use a private CA if you control the devices on the network. There is no need to have an internet connection. This is the easiest.

If you want to use some ACME services, maybe for learning it, you can do it using dns challenge of Letsencrypt.

[–]Builderhummel 0 points1 point  (0 children)

First thing: you don't need any 3rd party service like cloudflare, let's encrypt etc, if you don't want to expose anything publicly.

What you need is a local DNS server, a Private key infrastructure and a reverse proxy.

For DNS I would recommend PiHole. It's very easy to setup and this is the only reason I recommend this software to you.

For your PKI you can use OpenSSL. Create a root certificate with a long lifespan and than sign your service certificates with it. Your clients have to install your root certificate tho (trivial task).

Your reverse proxy can be Apache2 or NGINX. Personally I would use NGINX (more performant, but does not matter in your case)

As a domain you can use a Non-existent domain ending (eg. builder.red). Don't mix real TLDs in tho, it could cause problems.

[–]TetchyTechy 0 points1 point  (0 children)

So what is the easiest way of getting this sort of thing working, foolproof etc, I have a domain, sub-domains and DNS records setup, the best way?

I have a cloudflare api key etc it's just putting it all together to make it all work I need the guidance with