Looking for feedback on simplifying self hosting - eviltoast

Hi all,

I started self hosting nextcloud only. Now I have a domain name and I would like to selfhost more services and websites on subdomains without having to open up more ports on my router.

  1. Is it reasonable to use a reverse proxy server to avoid opening up more ports?
  2. Can I use a reverse proxy manager that simplifies SSL certs, etc?
  3. Can I put the HTTP/HTTPS services behind a reverse proxy, behind a free cloudflare DNS proxy to mask my IP address?
  4. And put other non-http services on the real IP address.
  5. Will all of this be more prone to failure and slow compared to forwarding 443 and 80 directly to my nextcloud server?

The other services I would like to eventually host and have accessible externally are

  • Jitsi
  • Mastodon instance (hoping to make some bots that mirror other social media to bring them into Mastodon)
  • blog website
  • Veilid maybe
  • OpenVPN over TCP on 443 (to get through restrictive firewalls on e.g. school wifi networks that don’t whitelist domains)
  • Synology to Synology backup.

I’m hoping to use Yunohost on a RPI to simplify hosting a lot of these things.

Here’s my plan where I’m looking for feedback. Am I missing any steps? Are my assumptions correct?

  1. Install reverse proxy on yunohost; configure cloudflare DNS and freedns.afraid.org to point towards the reverse DNS server.
  2. Configure the reverse DNS to redirect various subdomains to
  • the raspberry pi running nextcloud
  • the other raspberry pi running openvpn
  • the Synology running the backup service
  • services running on the yunohost raspberry pi

I have not been able to find good documentation about how to configure the yunohost reverse proxy, or how to deal with HTTP headers, or have correct certificates on all the subdomains as well as the reverse proxy. Looking for advice on how to move forward and or simply this setup.

  • sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 months ago

    Lots of options. Here’s what I do:

    1. HAProxy - uses SNI to match an HTTPS request to a service, without decrypting the connection
    2. Caddy - manages TLS certificates, decrypts connections, and sends the request to the relevant service
    3. Docker - each service runs in a docker container on the host
    4. my router has static DNS entries for each of my subdomains, so I can do https://service.mydomain.com, and my traffic never leaves my LAN when I’m at home

    I have HAProxy running on my VPS (Hetzner), and it routes traffic over my WireGuard VPN to whatever physical device on my internal network handles that service (i.e. 2). This allows me to add devices to my network as needed, and TLS certs all live on that device.

    This is probably overkill for your setup since it sounds like you can talk to your home router from the internet (I can’t because I’m behind CGNAT), so you could drop #1 and just use Caddy, assuming you’re okay with having all traffic handled by a single device. Or you can see if your router supports SNI-based routing to handle what I’m using HAProxy for.

    If you don’t need to share your services w/ anyone, you can have everything live inside of a VPN and just access it via that VPN. You can look into Tailscale if you want something dead simple, and I think Cloudflare offers something similar. I started with that, but decided I wanted to share a number of services with family members, and I didn’t want to force each of them to configure my VPN.

    • sem@lemmy.blahaj.zoneOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      Thanks for the information. I will have to look into SNI and see if my router can support it – if I move someday to an ISP behind a more restrictive firewall, this system looks pretty good. (Or if I get unhappy with one reverse proxy handling everything).