I’ve been running 2 linodes for a number of years now - one has my website (wordpress) on it and one has a Foundry VTT server running. Both are separate linodes, and I use Google Domains to point [site.tld] to the wordpress VPS and foundry.[site.tld] to the other linode.
For a few services I run at home within my own network (Sonarr, Lidarr, Plex, etc.) I’ve started to use Docker and Portainer, and I like how easy it is to set things up (and remove them if they don’t work). I’d like to redo my VPS similarly - I’d like to have a single linode, as a Docker host, and have the main domain point to a Wordpress container, a subdomain point to a Foundry container, and be able to easily add other containers for something like freshrss, etc. My goal is to be able to quickly spin up a docker via a compose file (portainer would be preferred), have it automatically reach out to letsencrypt to get a cert for the relevant subdomain, and have that subdomain point to that docker container.
I’ve been doing some searching around, and there seem to be a number of options, things like nginx reverse proxy, traefik, etc. and there are a lot of conflicting results.
Does anyone here have an opinion on this or some advice as to what the best option to look into might be?
Everyone has an opinion, and at the end of the day, whatever works best for you is what you should stick with.
I like Traefik because you can mount
/var/run/docker.sock:/var/run/docker.sock:ro
to Traefik, then it can read labels from containers, and automatically wire up new instances based on labels on them. I’m sure there’s equivalent in other reverse proxy solutions, but as I said, it works for me and I like it.I give that container my Cloudflare origin certificate, everything gets encrypted in transit to Cloudflare, and then Cloudflare handles all the SSL management for me, as well as provide extra layer of DDOS protection.
Thanks for the suggestion! Does cloudflare essentially fulfill the same role as letsencrypt (with DDOS protection added)? I’ve heard of cloudflare but I’m not particularly familiar with them.
Yep! Basicall, they sit between you and your visitors as a reverse proxy. When you domain is accessed through their infrastructure (you set this up via DNS), they’ll sign SSL for you domains so you don’t need to worry about it. Using the origin certificate secures communication from your server to theirs, so there’s no point in the chain being left in the open. They’ll even do DDOS protection and some basic web application firewall for free as well.
Additionally, since they’re globally distributed, your website could have static content cached closer to your visitor, thereby giving a faster experience.
They’ve also added lots of great stuff to help with locking down remote access to your internal infrastructure. For example if I want to SSH into my homelab, I don’t have to expose my SSH globally, and when I try to access it, I get a browser pop up asking me to login to my SSO, and then grants access.
I really enjoy and recommend trying their free offering.
Yes, it can provide a SSL connection to the end-user even though you’re just serving http with no cert. However it is yet another moving part that can break or be mis-configured and yet another bunch of capitalists data-mining all the things.