Hello people, I recently rented a VPS server from OVH and I want to start hosting my own PieFed instance and a couple of other services. I am running Debian 13 with Docker, and I have Nginx Proxy Manager almost set up. I want to set up subdomains so when I do social.my.domain it will go to my PieFed instance, but how do I tell the machine to send PieFed traffic to this subdomain and Joplin traffic (for example) to another domain? Can I use nginx/Docker natively for that, or do I have to install another program? Thanks for the advice.

  • just_another_person@lemmy.world
    14 days ago

    It’s called a Reverse Proxy. The most popular options are going to be Nginx, Caddy, Traefik, Apache (kinda dated, but easy to manage), or HAProxy if you’re just doing containers.

    • cecilkorik@lemmy.ca
      14 days ago

      FWIW I don’t find Apache dated at all. It’s mature software, yes, but it’s also incredibly powerful and flexible, and regularly updated and improved. It’s probably not the fastest by any benchmark, but it was never intended to be (and for self-hosting, it doesn’t need to be). It’s an “everything and the kitchen sink” web server, and I don’t think that’s always the wrong choice. Personally, I find Apache’s little-known and perhaps misleadingly named Managed Domains (mod_md/MDomain) by far the easiest and clearest way to automatically manage and maintain SSL certificates, it’s really nice and worth looking into if you use Apache and are using any other solution for certificate renewal.

      • just_another_person@lemmy.world
        13 days ago

        I’ll be honest with you here, Nginx kind of ate httpd’s lunch 15 years ago, and with good reason.

        It’s not that httpd is “bad”, or not useful, or anything like that. It’s that it’s not as efficient and fast.

        Apache DID try to address this a while back, but it was too late. All the better features of nginx just kinda did httpd in IMO.

        Apache is fine, it’s easy to learn, there’s a ton of docs around for it, but a massively diminished userbase, meaning less up-to-date information for new users to find in forums and the like.

        • Black616Angel@discuss.tchncs.de
          14 days ago

          Apache has the better open source tooling IMO.

          I use both, but at work I prefer Apache simply for its relative ease of setting up our SSO solution. There is probably a tool for that in nginx as well, but it’s either proprietary or hard to find (and I did try to find it, but setting up and learning Apache and then SSO was actually easier for me).

    • mic_check_one_two@lemmy.dbzer0.com
      13 days ago

      Yup. The reverse proxy takes http/https requests from the WAN, and forwards them to the appropriate services on your LAN. It will also do things like automatically maintain TLS certificates, so https requests can be validated. Lastly, it can usually do some basic authentication or group access stuff. This is useful to ensure that only valid users or devices are able to reach services that otherwise don’t support authentication.

      So for example, let’s say you have a service called ExampServ running on 192.168.1.50:12345. This port is not forwarded, and the service is not externally available on the WAN without the reverse proxy.

      Now you also have your reverse proxy service, listening on 192.168.1.50:80 and 192.168.1.50:443… Port 80 (standard for http requests) and 443 (standard for https requests) are forwarded to it from the WAN. Your reverse proxy is designed to take requests from your various subdomains, ensure they are valid, upgrade them from http to https (if they originated as http), and then forward them to your various services.

      So maybe you create a subdomain of exampserv.example.com, with an A-NAME rule to forward to your WAN IPv4 address. So any requests for that subdomain will hit ports 80 (for http) or 443 (for https) on your WAN. These http and https requests will be forwarded to your reverse proxy, because those ports are forwarded. Your reverse proxy takes these requests. It validates them (by upgrading to https if it was originally an http request, verifying that the https request isn’t malformed, that it came from a valid subdomain, prompting the user to enter a username and password if that is configured, etc.)… After validating the request, it forwards the traffic to 192.168.1.50:12345 where your ExampServ service is running.

      Now your ExampServ service is available internally via the IP address, and externally via the subdomain. And as far as the ExampServ service is concerned, all of the traffic is LAN, because it’s simply communicating with the reverse proxy that is on the same network. The service’s port is not forwarded directly (which is a security risk in and of itself), it is properly gated behind an authentication wall, and the reverse proxy is ensuring that all requests are valid https requests, with a proper TLS handshake. And (most importantly for your use case), you can have multiple services running on the same device, and each one simply uses a different subdomain in your DNS and reverse proxy rules.
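
The routing described in the comment above, written out as a plain nginx configuration. This is an added example, not part of the original comment: the hostname and backend address follow the ExampServ illustration, while the certificate and htpasswd paths and the second backend's address are placeholders or assumptions.

```nginx
# Added example (constructed), not from the thread. Hostname and backend address
# follow the ExampServ illustration; certificate/htpasswd paths are placeholders.

# Port 80, unknown Host header: close the connection without a response.
server {
    listen 80 default_server;
    return 444;
}

# Port 80, known subdomains: upgrade http to https.
server {
    listen 80;
    server_name exampserv.example.com social.my.domain;
    return 301 https://$host$request_uri;
}

# Port 443, TLS SNI that matches no configured subdomain: refuse the handshake.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;    # nginx 1.19.4 or later
}

# exampserv.example.com -> ExampServ on 192.168.1.50:12345
server {
    listen 443 ssl;
    server_name exampserv.example.com;
    ssl_certificate     /etc/ssl/PLACEHOLDER/exampserv.fullchain.pem;
    ssl_certificate_key /etc/ssl/PLACEHOLDER/exampserv.key.pem;

    # Optional gate for a service that has no login of its own.
    auth_basic           "ExampServ";
    auth_basic_user_file /etc/nginx/PLACEHOLDER.htpasswd;

    location / {
        proxy_pass http://192.168.1.50:12345;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# social.my.domain -> second service; the backend address is an assumption.
server {
    listen 443 ssl;
    server_name social.my.domain;
    ssl_certificate     /etc/ssl/PLACEHOLDER/social.fullchain.pem;
    ssl_certificate_key /etc/ssl/PLACEHOLDER/social.key.pem;
    location / { proxy_pass http://127.0.0.1:8030; proxy_set_header Host $host; }
}
```

The two catch-all blocks are what keep requests for unlisted hostnames, or for the bare IP address, from falling through to whichever service happens to be defined first.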

  • nutbutter@discuss.tchncs.de
    14 days ago

    In your DNS settings, from your domain provider, add all the A and AAAA records for the sub domains you want to use. So, when someone hits the port 443 using one of those domains, your Nginx Proxy Manager will decide which service to show to the client based on the domain.

    how do I tell the machine to send piefed traffic to this subdomain

    Configure your Nginx Proxy Manager. It should be using port 80 for HTTP, port 443 for HTTPS and another port for its WebUI (8081 is default, iirc).

    So, if I type piefed.yourdomain.com in my address bar, the DNS tells my browser your IP, my browser hits your VPS on port 443, then Nginx Proxy Manager automatically sees that the user is requesting piefed, and will show me piefed.

    For the SSL certificates, you can either generate a new certificate for every subdomain, or use a wild card certificate which can work on all subdomains.

  • frongt@lemmy.zip
    14 days ago

    how do I tell the machine to send piefed traffic to this subdomain and joplin traffic (for example) to another domain

    You don’t send traffic to domains. You point all the domains to one host, and on that host, set up a reverse proxy like nginx, caddy, or traefik, and then configure HTTP routing rules. That proxy can run in docker. I use traefik and it does all the routing automatically once I add labels to my docker-compose file.

  • voodooattack@lemmy.world
    13 days ago

    If your goal is ease of use and scaling complexity along with your experience, and you’re planning to use Docker like you mentioned, then I recommend Traefik: https://doc.traefik.io/traefik/

    If not, then I recommend Caddy or nginx.

    Edit: ducking autocorrect changed “of” to “if”

    The irony is delicious

  • Foofighter@discuss.tchncs.de
    14 days ago

    I’m not using Docker myself, but NPM and other services in Proxmox containers and VMs. The concept is the same though.

    NPM allows you to define a host, which needs to be the subdomain name and allows NPM to know how to handle and serve requests to said domain. In your case this would be the full social.my.domain. Additionally you need to set the local IP/port of the service you’re hosting. You can also use a local host name, which makes it easier to move services to other IPs, which probably doesn’t happen often.

    Finally, HTTPS, SSL, TLS should be configured. This can be tricky if you don’t have specific instructions but should not be neglected!