Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Free Dynamic DNS + Nginx Proxy Manager + Lets Encrypt Wildcard Certs : r/selfhosted #66

Open
ericvlog opened this issue May 12, 2024 · 0 comments

Comments

@ericvlog
Copy link
Owner

Posted this in another sub and thought maybe its useful to someone here too.

The Dynamic in the title shouldnt have been there :s

What we will do: Get a free subdomain for your network and add simple records to it, add a record to your own local DNS, configure NPM (Nginx Proxy Manager) to get trusted valid SSL certificates for your subdomain, and importantly sub-subdomains, set NPM to proxy to a service like Portainer.

The end result will be that you can use https://portainer.example.dedyn.io in your home network, and you will have proper SSL working, and also no need to remember port numbers for each link anymore.

The one part i will not cover here is installing NPM. It would be beyond this already looking huge post and it truely is not hard to do. Look up guides/videos about "installing nginx proxy manager". There are thousands in whatever format and language your prefer. And do yourself a favor, if you are not already, use docker compose for it instead of docker run, it makes things much easier for you and any good tutorial will use this too. It really is not hard to do. And if it is, then honestly, maybe you shouldnt be doing this at all, quite simple. Its okay to not be ready to do something. But fingers crossed, you managed to just install NPM. Good.

You will also need some form of simple local DNS. A lof people reading this might already be running something like Pihole or Adguard Home, thats perfect. If not, maybe your router/gateway has basic local DNS features and you can add a custom entry there. If you dont have any of that, you can still continue but functionality will be limited, for now. Or if you are not in a rush with the SSL cert stuff here, you can take a break and first get Pihole for example going in your Docker setup, it doesnt need any SSL certs or things for itself.

Get yourself a domain. Yes that is required. But it doesnt need to be a paid domain. And you dont have to run your services publicly over it later. You can do that all local only. But for a trusted SSL cert you need a domain. And it can be a subdomain too. Just make sure the provider is compatible with Lets Encrypt's DNS challenge and that they support wildcard subdomains. A lot of them dont. For simplicity i will stick to the excellent deSEC here.

So get a free subdomain from https://www.desec.io and it will be like example.dedyn.io Important: You dont need to make a new subdomain here for each of your services at home. You only create one "main" domain and later on we will locally add everything else. So dont make portainer.dedyn.io now, make something like myhomenetwork.dedyn.io and that will later become portainer.myhomenetwork.dedyn.io

Now you have a subdomain and deSEC is managing your DNS records for that domain. Perfect.

In the deSEC interface, you add one A record that points to your home IP (you dont need to open anything there, no ports, nothing, just add the record). This could even be a fake IP, but im fairly certain a valid A record needs to exist (i might test and edit this later).

Then add a CNAME record that has just * as the subname and has example.dedyn.io. as the target hostname (note the dot at the end here).

That is all for the records now.

Now go to Token Management on their site, click the + to Generate a new token, enter a useful name for the token like "nginx proxy" and click save to show the token. Now copy that token value into a textfile somewhere, you will need it later and it will not be shown again for security reasons. When you have done that, you are done with deSEC here.

Now as i mentioned earlier, maybe you already use a local DNS like Pihole. Perfect! In your Pihole add a new "Local DNS entry" and use for portainer.example.dedyn.io in that format and now the important bit, this entry should NOT point at your Portainer IP, but it needs to point at the IP wherever your Nginx Proxy Manager is running. Maybe that is the same IP as Portainer, maybe not. Just make sure its the one where NPM can be reached from your entire network. Save this and done. If youre using AdGuard or something else, the procedure is the same, just different menus and labels. I really cant provide info for every local DNS tool that exists.

Worst case, you dont have anything for local DNS. Then on your workstation (probably the computer youre sitting at right now), the computer where you will later try to access Portainer (as the example)... edit your local hosts file. Sounds scary, it isnt. If you are using a typical Linux, sudo nano /etc/hosts will do it. Add a new line in the format you can already see there, like 192.168.120.17 portainer.example.dedyn.io Replace the IP with the IP where your Nginx Proxy Manager is running on, NOT where Portainer might be running. Save the file and exit (with nano, press CTRL+X). Now you have a fake local DNS entry for portainer.example.dedyn.io but it only works on this one computer, not for your entire network like a phone etc. That is why a real local DNS is later required to make this all work perfectly. But for now you can continue like this. If you later do setup a local DNS, you can come back and remove this line from your hosts file.

Try ping portainer.example.dedyn.io and you should see it resolving to and probably replying from the IP of NPM. Good.

So you have watched and followed a guide to simply install NPM (Nginx Proxy Manager) on your system, for simplicity that can be the same system where all your services are running in Docker for example but it doesnt need to be. This computer does not need to have any ports forwarded or open or anything to the public internet. NPM should be running on ports 80 and 443, but that means only those ports on that machine, not forwarding these ports to the internet. And you need access to NPM's webinterface which is at port 81 by default. So if youre using docker-compose for this, you must have mapped 80:80 and 443:443 and the 81 can be mapped to whatever you want.

So enter NPM's webinterface, go to SSL certificates and select Add new, Lets Encrypt.

Now into the domains field you enter this: Type example.dedyn.io then click on add. Now still in the domains field, type *.example.dedyn.io and at the end, click add again. Now you should have two seperate entries there for two "domains".

Lower in that menu, enable Use a DNS Challenge and in the Provider list select deSEC.

In the field 'Credentials File Contentyou **ONLY replace the placeholder**YOUR_DESEC_API_TOKEN` with the token you have saved earlier from the deSEC web interface. So the field must then look like this:

dns_desec_token = edWQ1LXhjBG8wdYj4Ws5HFmE4mjs dns_desec_endpoint = https://desec.io/api/v1/

Then Agree to the terms and save this. You can wait a minute or two and then the entry in the list should have a green symbol and it will say a date when the cert will expire (90 days from now). Thats it, that is all done with your "fake" domain and your valid SSL certificate. Perfect!

Now go to the Hosts/Proxy Hosts menu and click Add Proxy Host.

As domain you enter portainer.example.dedyn.io Yes thats correct, you just add the name of your service at the front, as another subdomain to the one you actually own. Thats what the * does as a wildcard when we added the DNS records and when we setup the SSL certificate.

Now as scheme its important to know that this DOES NOT refer to how you want to access Portainer. It refers to what Portainer as the target is currently offering. With a standard Portainer (or most other services like this) it will be plain HTTP. So leave this option at that.

The field Forward Hostname/IP that is where nginx should redirect to, the target. So that must be the IP of your Portainer in this example. Enter that. And into the Forward Port field you enter the port where you typically reach Portainer at.

Leave everything else at default for now. The additional options are sometimes required for some services, but you can always come back later to toggle them on/off and test more.

In the tab for SSL select the entry we have created earlier for your example.dedyn.io *.example.dedyn.io. Again, for now leave everything else at default. Click save.

Your proxy host will now be shown in the list of hosts. Give it a few seconds, then try to access https://portainer.example.dedyn.io

What is happening then is this:

  • Your local DNS will resolve this domain to the IP for your NPM

  • Because you used https to access it and you didnt add any custom port, your browser tries the default port 443 on that IP

  • NPM sits on that IP and this port, and responds

  • NPM recognizes that you are not trying to reach itself, but that you used portainer.example.dedyn.io

  • NPM redirects you to the proxy host you have set up earlier, meaning the Forward Hostname/IP and Port and thats where Portainer actually is.

  • You should now have the Portainer interface loading and your browser should show a happy symbol or whatever for a valid trusted SSL certificate, click on it and check the details, it will say something about Lets Encrypt.

Done.

NPM will also pay attention to when the SSL cert will expire, and automatically renew it for you, you dont have to do anything manually there. You also dont have to touch the public DNS records at deSEC anymore.

From now on, for a new local service that you want to use, all you need to do is: Add a local DNS entry for it in the form of service.example.dedyn.io and point it to your NPM IP. Then inside NPM, you add a new proxy host, and add the IP of the service as the Forward IP and select the existing SSL cert. Thats it. Nothing more.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant