Comment by TomK32
24 days ago
nginx-proxy becomes almost a must have if you have multiple services and prefer remembering domain names instead of port numbers https://github.com/nginx-proxy/nginx-proxy
Most people will use nginx-proxy [0] or Traefik [1] for front ending home labs with LetsEncrypt certs... Beyond that people will protect them with things like Tailscale [2], Cloudflare Tunnels [3] or even just mTLS [4] for protected access.
Home labbing today has a lot of amazing software and it's hard to keep up!
And as for dashboarding [5] on top of all this there are a lot of options.
Also, for those new to the game who want an easier way to approach it, take a look at Tipi [6].
[0] https://nginxproxymanager.com/
[1] https://traefik.io/traefik/
[2] https://tailscale.com
[3] https://developers.cloudflare.com/cloudflare-one/connections...
[4] https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi...
[5] https://selfh.st/apps/?tag=Dashboard
[6] https://runtipi.io/
I use Tailscale for a bunch of self hosted services on a raspberry pi in my house. Port numbers and TLS certs are my current main problems with this setup but it's not annoyed me quite enough yet to do anything about it.
BTW why bother with TLS over already-encrypted and authenticated Wireguard tunnels? Is this just so that browsers won't complain, or do you have a more complex threat model?
> I use Tailscale...Port numbers and TLS certs are my current main problems with this setup
I've been running a Tailscale container, using the `tailscale serve` feature[0], as a sidecar for each containerized service I want to access. External access, TLS (to make my browser happy), and domain names all come for almost free. This allows me to set up `https://my-cool-service.lemur-pangolin.ts.net` with relative ease.
There's a ton of boilerplate, which drives me a bit nuts. But at least copy/paste is easy to do. Looking just now I have 31 Tailscale containers running that are almost duplicates of each other. You could probably do config generation but for a homelab I'm not motivated to really do that.
The command line interface for this tool is a little bit limited and forces you to share the network stack between your service and the sidecar. I would recommend injecting a config file into each container to give you full flexibility. I put up an example config on pastebin[1].
---
[0] https://tailscale.com/kb/1242/tailscale-serve
[1] https://pastebin.com/raw/PSgLqS0T
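An added example of the per-service sidecar pattern described above, written for this page and not the commenter's pastebin config. It assumes a service named `my-cool-service` listening on 8080, the same name as the tailnet hostname, a pre-authorized key in `TS_AUTHKEY`, and Docker Compose 2.23.1 or newer for the inline `content:` config.

```yaml
# Added example: one Tailscale sidecar per containerized service, driven by a
# serve config file (TS_SERVE_CONFIG) instead of the CLI, so the app and the
# sidecar keep separate network stacks and the sidecar reaches the app by name
# over the Compose network. Assumed names: service "my-cool-service" on 8080,
# tailnet hostname "my-cool-service"; TS_AUTHKEY is read from the host env.
services:
  my-cool-service:
    image: ghcr.io/example/my-cool-service:latest   # placeholder image
    expose:
      - "8080"      # reachable only on the Compose network, never published to the LAN

  tailscale:
    image: tailscale/tailscale:latest
    hostname: my-cool-service          # becomes my-cool-service.<tailnet>.ts.net
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}        # prefer an ephemeral, tagged auth key
      TS_STATE_DIR: /var/lib/tailscale # persist node identity across restarts
      TS_SERVE_CONFIG: /config/serve.json
      TS_USERSPACE: "true"             # serve works in userspace mode: no NET_ADMIN, no /dev/net/tun
    volumes:
      - tailscale-state:/var/lib/tailscale
    configs:
      - source: serve-config
        target: /config/serve.json
    restart: unless-stopped

configs:
  serve-config:
    # "$$" keeps the literal "${TS_CERT_DOMAIN}" out of Compose interpolation;
    # the container substitutes the node's MagicDNS name at startup and obtains
    # the Let's Encrypt cert for it. AllowFunnel=false keeps it tailnet-only.
    content: |
      {
        "TCP": { "443": { "HTTPS": true } },
        "Web": {
          "$${TS_CERT_DOMAIN}:443": {
            "Handlers": {
              "/": { "Proxy": "http://my-cool-service:8080" }
            }
          }
        },
        "AllowFunnel": { "$${TS_CERT_DOMAIN}:443": false }
      }

volumes:
  tailscale-state:
```

Because the app is only `expose`d and the sidecar runs in userspace mode, the service is reachable solely via `https://my-cool-service.<tailnet>.ts.net` from devices on the tailnet, and the sidecar needs no extra Linux capabilities.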
Lots of options to proxy and provide automation for certs. I'm personally a huge fan of Traefik, but I know a lot of folks use NPM since it's so simple and Nginx has great performance overall.
Can I suggest giving Caddy a go? I used to do everything with nginx but as soon as I found caddy I haven't looked back.
Why not just have a main page on a single domain that has links to all the services? That way you only need to remember one domain name.
Of course, a service map comes in handy, just another simple way of getting it done. What I meant with the proxy was using e.g. jellyfin.example.com and portainer.example.com instead of the ports. Not to mention that two apps might have the same default port.
For those with a multi-machine setup, like running the easy stuff on a 1L machine and having a backup service at multiple locations or the LLMs on a big setup that might even use WakeOnLan, the proxy will keep you from having to remember the IPs as well.
You could do that as long as you protected that page from prying eyes.
Yeah? That would apply to NGINX Proxy too...
Many use browser history so type a few characters and hit enter rather than navigating to an index page, locating a link, and clicking it.
Easier to wire up services to each other with domain names: serviceA.domain.tld is obvious, domain.tld:1234 is not.
There is also path based, e.g. domain.tld/serviceA, domain.tld/serviceB
Another reason to have a domain for each is to get TLS for each service in a standard way.
That doesn't sound like a bad idea, but it's just as easy to create a bunch of LXC containers with their own MAC address and IP for me (and thus own hostname per service).
People do Traefik etc. for the SSL mostly. A lot of self-hosted things log you out quite fast over http.