I’m sure I’m massively overthinking this, but any help would be greatly appreciated.

I have a domain name that I bought through NameCheap and I’ve pointed it to Cloudflare (i.e. updated the name servers). I have a Synology NAS on which I run Docker and a few containers. Up until now I’ve done this using IP addresses and ports to access everything (I have a Homepage container running and just link to everything from there).

But I want to setup SSL and start running Vaultwarden, hence purchasing a domain name to make it all easier.

I tried creating an A record in Cloudflare to point to the internal IP of my NAS (and obviously, this couldn’t be orange-clouded through CF because it’s internal to my LAN). I’m very reluctant to point the A record to the external IP of my NAS (which, for added headache is dynamic, so I’d need to get some kind of DDNS) because I don’t want to expose everything on my NAS to the Internet. In actual fact, I’m not precious about accessing any of this stuff over the internet - if I need remote access I have a Tailscale container running that I can connect to (more on that later in the post). The domain name was purely for ease of setting up SSL and Vaultwarden.

So I guess my questions are:

  • What is the best way to go about this - do I create a DDNS on the NAS and point that external IP address to my domain in Cloudflare, then use Traefik to just expose the containers I want to have access to using subdomains?
  • If so, then how do I know that all other ports aren’t accessible (I assume because I’m only going to expose ports 80 and 443 in Traefik?)
  • What do other people see (i.e. outside my network) if they go to my domain? How do I ensure they can’t access my NAS and see some kind of page?
  • Is there a benefit to using Cloudflare?
  • How would Pi-hole and local DNS fit into this? I guess I could point my router at Pi-hole for DNS and create my A records on Pi-hole for all my subdomains - but what do I need to setup initially in Cloudflare?
  • I also have a RPi that has a (very basic) website on it - how do I setup an A record to have Cloudflare point a sub-domain to the Pi’s IP address?
  • Going back to the Tailscale thing - is it possible to point the domain to the IP address of the Tailscale container, so that the domain is only accessible when I switch on the Tailscale VPN? Is this a good idea/bad idea? Is there a better way to do it?

I’m sure these are all noob-type questions, but for the past 6-7 years I’ve purely used this internally using IP:port combinations, so never had to worry about domain names and external exposure, etc.

Many thanks in advance!

    • schmurnanOP
      link
      English
      11 year ago

      OK so made a start with this. Spun up a Pi-hole container, added mydomain.com as an A record in Local DNS, and created a CNAME for traefik.mydomain.com to point to mydomain.com.

      In Cloudflare, I removed the mydomain.com A record and the www CNAME record.

      Doing an nslookup on mydomain.com I get

      Non-authoritative answer:
      *** Can't find mydomain.com: No answer
      

      Which I guess is to be expected.

      However, when I then navigate to http://traefik.mydomain.com in my browser, I’m met with a Cloudflare error page: https://imgur.com/XhKOywo.

      Below is the docker-compose of my traefik container:

      traefik:
          container_name: traefik
          image: traefik:latest
          restart: unless-stopped
          networks:
            - medianet
          ports:
            - 80:80
            - 443:443
          expose:
            - 8080
          volumes:
            - /etc/localtime:/etc/localtime:ro
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - /volume1/docker/traefik:/etc/traefik
            - /volume1/docker/traefik/access.log:/logs/access.log
            - /volume1/docker/traefik/traefik.log:/logs/traefik.log
            - /volume1/docker/traefik/acme/acme.json:/acme.json
          environment:
            - TZ=Europe/London
          labels:
            - traefik.enable=true
            - traefik.http.routers.traefik.rule=Host(`$TRAEFIK_DASHBOARD_HOST`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
            - traefik.http.routers.traefik.service=api@internal
            - traefik.http.routers.traefik.entrypoints=traefik
      

      My traefik.yml is also nice and basic at this point:

      global:
        sendAnonymousUsage: false
      
      entryPoints:
        web:
          address: ":80"
        traefik:
          address: "8080"
      
      api:
        dashboard: true
        insecure: true
      
      providers:
        docker:
          endpoint: "unix:///var/run/docker.sock"
          watch: true
          exposedByDefault: false
      
      log:
        filePath: traefik.log
        level: DEBUG
      
      accessLog:
        filePath: access.log
        bufferingSize: 100
      

      Any ideas what’s going wrong? I’m unclear on why the domain is still routing to Cloudflare.

      • @[email protected]
        link
        fedilink
        English
        11 year ago

        It sounds like your client isn’t using PiHole for DNS, do you see the DNS lookup come through the pihole logs?

        • schmurnanOP
          link
          English
          11 year ago

          Actually, no I don’t see anything coming through.

          So the IP address of my router is 192.168.1.1, IP of my NAS is 192.168.1.116.

          Checked the DNS on my Mac and it’s 192.168.1.1. Checked the DNS on my NAS and it’s 192.168.1.1. I changed the DNS in my router to 192.168.1.116.

          Have I missed a step somewhere?

          • @darelik
            link
            English
            1
            edit-2
            1 year ago

            I think the pihole container needs to be on the host network or macvlan?

            • schmurnanOP
              link
              English
              1
              edit-2
              1 year ago

              I’ve just added in a macvlan network to my Pi-hole compose as well, not sure if it’s making any difference or not.

          • @[email protected]
            link
            fedilink
            English
            11 year ago

            It sounds like you haven’t updated your routers DHCP server to hand out the Pihole IP to clients. You can manually set the DNS server to the Pihole IP on your Mac for testing too.

            The flow should be: Clients > Pihole > Router > Public DNS

            Or you can skip the router: Clients > Pihole > Public DNS

            • schmurnanOP
              link
              English
              1
              edit-2
              1 year ago

              I wasn’t planning on using Pi-hole for DHCP - I have a LOT of reserved addresses on my network and I don’t fancy having to move them all over. My hope had been to use Pi-hole for DNS but keep the DHCP reservation with the router.

              I’ve manually updated the DNS on my Mac to 192.168.1.116 and I can now access the Traefik dashboard via http://traefik.mydomain.com:8080 (so, getting there). So some kind of issue with the DNS on my router I think - caching maybe?

              • @[email protected]
                link
                fedilink
                English
                11 year ago

                Yeah that’s fine, you just need to change the DHCP settings on your router so it gives the Pihole IP for DNS. It’s possible some routers don’t allow that though.

                • schmurnanOP
                  link
                  English
                  11 year ago

                  Figured it out. It’s a weird setting on Netgear routers whereby you have to also update the MAC address. All been working well for the last few hours and getting queries running through Pi-hole.

                  I’ve also got my Homepage container setup at http://home.mydomain.com and configured Traefik a little further so it’s now accessible from http://traefik.mydomain.com (no port).

                  For the past few hours I’ve been struggling with getting Pi-hole behind Traefik and accessible using http://pihole.mydomain.com. Only works if I stick /admin on the end, which defeats the object of using a subdomain. Found a forum post suggesting to use Traefik’s addPrefix after declaring the Host as pihole.mydomain.com, which works great for accessing the login screen, but when you enter the password it just loops back to the login screen.

                  Also tried a few other things that ultimately broke the Pi-hole container and took out my entire connection, as everything is dependent on Pi-hole for DNS! So need to figure out some kind of resiliency/backup for that (my router is using the NAS IP as it’s primary and only DNS server).

                  So, some progress. I’ve set Pi-hope back to IP:port and I’m gonna focus on getting other containers behind Traefik and leave Pi-hole till last. Then and only then will I look at SSL certificates (unless it’s advised to do it earlier?)

                  Any pointers on any of the above would be appreciated! And thanks again for getting me this far.

                  • schmurnanOP
                    link
                    English
                    11 year ago

                    Update from this morning.

                    So far I’ve got the Traefik dashboard and my Homepage container using subdomains. Pi-hole is still an issue that I need to figure out.

                    I’ve decided to start on the SSL certificates and am following a couple of guides. Once I have those in place, I’ll start moving more containers behind subdomains.

                    I might have to expose my NAS IP to the internet and link it via Cloudflare, because I use an ExpressVPN on my Mac at all times, and when it’s turned on I can’t access ***any ***of my subdomains - this is obviously because ExpressVPN use their own DNS entries and don’t use the ones I’ve set. That will probably prevent me from using Vaultwarden (which is the whole purpose for all of this in the first place) because if I’m on the VPN I won’t be able to access the Vaultwarden container.

                    Unless anyone knows of a workaround for that?

                    Next steps:

                    • Get SSL working
                    • Figure out how to access subdomains whilst on the VPN (or get a DDNS account, create an A record in Cloudflare and point it at the DDNS IP, and open up ports 80 and 443)
                    • Spin up a Vaultwarden container via a subdomain
                    • Put all my other services behind subdomains
                    • Figure out how to get Pi-hole working via Traefik and subdomain
                    • Figure out how to get Tailscale access to my containers when not on my LAN