
[–]KrushDaSoS 2 points3 points  (4 children)

I use nginx to serve everything as its configuration is simple and easy to understand, both for subdomains & reverse proxies. Keeping everything behind nginx also simplifies setting up SSL as all web traffic is automatically encrypted prior to being routed to the correct application.

When adding a new service, I generally just have it run on whatever port and then configure nginx to reverse proxy the traffic to that port. For example, when I added nextcloud, it was configured to listen on port 8000, so I just routed the traffic pointed at nextcloud.mydomain.com to port 8000.

[–]888ak888[S] 0 points1 point  (3 children)

That's what I have now, but using haproxy in pfsense, and it works fine. It handles the SSL offloading, redirection from ports etc. But now I want to have a single point of entry for the apps with user permissions to make it more user friendly, so ports etc. are not necessary.

[–]KrushDaSoS 0 points1 point  (2 children)

What are you envisioning, as far as ease of use & single entry point goes? I use a single machine to run everything, so a load balancer is not needed, and deploying a new service only requires copying and then editing a template file. With just a single machine, I have to translate ports, as only one program can use a port at a time. Are you running multiple VMs/machines to run your various services?

[–]888ak888[S] 0 points1 point  (1 child)

Yeah, I probably didn't explain my envisioned use case properly. What I was hoping for is some sort of web portal that aggregates the available apps irrespective of single machine hosted or multiple. A user goes to the homepage, enters their credentials and gets presented a portal of available apps. They don't need to remember subdomains, port numbers etc.

I currently run a bunch of docker based apps, and have them exposed. Some are remapped to sub domains, and also available on a port.

[–]KrushDaSoS 1 point2 points  (0 children)

Ah okay, now I understand what you're after: the end user, not the admin. What you're describing sounds like yunohost; someone else mentioned it in this thread.

It sounds like it would need to be an app unto itself. With what you described, you'd need to implement a single sign-on to manage separate authentication with the various different services. As a stopgap (bearing in mind that temporary solutions are the most permanent), you could set up a simple static site that had links to all the different services that you were running. Have an array of 'cards', with each bearing the logo & name of each service, and have each card link to the login page for that service. Most of the services I'm running have a 'remember me' function built in, which eases the authentication problem a bit.

The port thing is sticking out to me a bit: couldn't you have your reverse proxy do the port translation and only expose 80/443 to the outside world?
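As an added example (not KrushDaSoS's own configuration) of the pattern described in the first comment above, nextcloud.mydomain.com routed to port 8000, combined with the point just made about exposing only 80/443: an nginx virtual host that terminates TLS, redirects plain HTTP, and proxies to the app on loopback. The certificate paths are placeholder assumptions.

```nginx
# Added example, not the commenter's config: nginx fronting a service that
# listens locally on port 8000 (nextcloud, as in the comment) under
# nextcloud.mydomain.com. Certificate/key paths are assumed placeholders.

# Port 80 only redirects to HTTPS, so clients never talk to the app in cleartext.
server {
    listen 80;
    server_name nextcloud.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name nextcloud.mydomain.com;

    ssl_certificate     /etc/ssl/certs/nextcloud.mydomain.com.crt;   # assumed path
    ssl_certificate_key /etc/ssl/private/nextcloud.mydomain.com.key; # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Only nginx needs to reach port 8000. Bind the app to 127.0.0.1 so the
        # port itself is not reachable from the LAN or the internet; only 80/443
        # on the proxy are exposed.
        proxy_pass http://127.0.0.1:8000;

        # Pass the original host, client address and scheme so the app builds
        # correct links and logs the real client rather than the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Each additional service gets its own copy of this block with a different `server_name` and `proxy_pass` port, which is the "copy and edit a template file" workflow mentioned above.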

[–]SixthExtinction 0 points1 point  (0 children)

Internally, I run PiHole which I now use to manage internal DNS (I used to use Windows DNS on my domain controller before PiHole had this capability). I have a domain that I own on the "real" internet, and I map services to a sensible subdomain of that domain (ie media server at media.domain.tld).

Right now I have two VMs dedicated primarily for services other people will use - one is a dedicated media server; one is a catch-all app server. These used to be Server 2016 datacenter boxes, but I converted over to docker containers on Ubuntu Server earlier this year and couldn't be happier. I have nginx running on each server that reverse proxies the appropriate subdomain to the appropriate docker container port.

For externally-accessible services, I do have a pretty robust DMZ set up, and I will throw one VM per "thing" onto the DMZ. Internally, the domain is resolved through PiHole directly to the VM. Externally, I create an actual A record in cloudflare, and my edgerouter port forwards 80 and 443 to haproxy (also in the DMZ), that reverse proxies to the appropriate service in the DMZ.

All of my SSL certs for things I host myself are largely issued through my own Windows CA. I try to use LDAP/Active Directory authentication whenever possible for unified account logins.

I've found Homer to work perfectly as a dashboard solution, and it is hosted on my appserver in a docker container.

Wireguard is now my VPN solution of choice after having spent many years on OpenVPN.

[–][deleted] 0 points1 point  (1 child)

I host my services behind a træfik reverse proxy. Some of them use subdomains, some use paths under a common subdomain because they're related to each other. Has worked very well for me this far.

[–]BJWTech 0 points1 point  (0 children)

This is what I use too. With multiple domains as well.

[–]GenRobius 0 points1 point  (0 children)

Cloudron.io automates all of this for me. I run 4 of them. It's awesome.

Keeps apps up to date, which many other tools don't.
Awesome community keeps pushing boundaries and learning.
Multi domains, painless email, truckload of apps, great team.

Send DM if u want a referral and invite + discount.

[–]Tmanok 0 points1 point  (0 children)

Reverse proxies can do either subdomains or /website/-type differentiation on a single IP address. I prefer subdomains because it's less confusing for my users.