Hi all,

I started self hosting nextcloud only. Now I have a domain name and I would like to selfhost more services and websites on subdomains without having to open up more ports on my router.

  1. Is it reasonable to use a reverse proxy server to avoid opening up more ports?
  2. Can I use a reverse proxy manager that simplifies SSL certs, etc?
  3. Can I put the HTTP/HTTPS services behind a reverse proxy, behind a free cloudflare DNS proxy to mask my IP address?
  4. And put other non-HTTP services on the real IP address?
  5. Will all of this be more prone to failure and slow compared to forwarding 443 and 80 directly to my nextcloud server?

The other services I would like to eventually host and have accessible externally are

  • Jitsi
  • Mastodon instance (hoping to make some bots that mirror other social media to bring them into Mastodon)
  • blog website
  • Veilid maybe
  • OpenVPN over TCP on 443 (to get through restrictive firewalls on e.g. school wifi networks that don’t whitelist domains)
  • Synology to Synology backup.

I’m hoping to use Yunohost on a RPI to simplify hosting a lot of these things.

Here’s my plan where I’m looking for feedback. Am I missing any steps? Are my assumptions correct?

  1. Install reverse proxy on yunohost; configure cloudflare DNS and freedns.afraid.org to point towards the reverse DNS server.
  2. Configure the reverse DNS to redirect various subdomains to
  • the raspberry pi running nextcloud
  • the other raspberry pi running openvpn
  • the Synology running the backup service
  • services running on the yunohost raspberry pi

I have not been able to find good documentation about how to configure the yunohost reverse proxy, or how to deal with HTTP headers, or have correct certificates on all the subdomains as well as the reverse proxy. Looking for advice on how to move forward and/or simplify this setup.

  • azron
    12 minutes ago

    Caddy is the answer. Makes running a reverse proxy with certs totally straightforward.

  • @[email protected]
    23 hours ago

    You can also run a free cloudflare tunnel. It’s what I use so I don’t have to open a port for my nextcloud but still want it to be able to sync to my phone while not on vpn

  • @[email protected]
    54 hours ago

    Yes this is possible. I have a few hosted items with subdomains and I have it set up as follows:

    All subdomains point to the same IP. Router port forwards all 80/8080 traffic to server. I use Caddy in Docker to forward the requests based on the subdomain to the appropriate docker container hosting the actual service.

    This makes spinning up something new simple. You get a docker container of New Thing going, edit the Caddyfile to point to it too, set up a new subdomain in cloudflare. No new open ports needed.

    Hope this helps!
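    The subdomain-per-container layout this comment describes, written out as an added example Caddyfile that is not part of the original post. Hostnames, container names, ports and the contact address are assumed placeholders.

```caddyfile
# Added example, not from any commenter: one site block per subdomain,
# each forwarding to a container reachable by name on Caddy's Docker network.
{
	# ACME account contact. Caddy obtains and renews a certificate for every
	# hostname below by itself, which is why only 80/443 need forwarding.
	email admin@example.com
}

# Reusable hardening snippet imported into every site block.
(secure_headers) {
	header {
		Strict-Transport-Security "max-age=31536000"
		X-Content-Type-Options "nosniff"
		# Drop the Server header so the proxy does not advertise itself.
		-Server
	}
}

nextcloud.example.com {
	import secure_headers
	# Caddy adds X-Forwarded-For / X-Forwarded-Proto automatically; Nextcloud
	# must still list the proxy in 'trusted_proxies' and set
	# 'overwriteprotocol' => 'https' in its config.php to honour them.
	reverse_proxy nextcloud:80
}

blog.example.com {
	import secure_headers
	reverse_proxy blog:8080
}

jitsi.example.com {
	import secure_headers
	# Only the web UI is proxied here. WebRTC media (UDP 10000 by default for
	# the videobridge) and STUN/TURN still need their own forwarded ports.
	reverse_proxy jitsi-web:80
}

# Caveat: a non-HTTP service such as OpenVPN over TCP/443 cannot share this
# listener; it needs a different public port or its own address.
```

    Unmatched hostnames get no site block and therefore no backend, so adding a DNS record alone never exposes an internal container until a block for it exists.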

  • @just_another_person
    24 hours ago

    You seem pretty focused on reverse proxies for some reason, but that isn’t security. An alternative is a VPN into your network. Simple solution that solves all of your asks if you don’t need many people accessing your services.

  • hendrik
    2
    4 hours ago

    Check out yunohost.org (and similar projects) if you’re after a turnkey solution.

    But yes, a reverse proxy that does all the work and handles SSL is a nice solution. I also use that. It’s relatively easy to set up, doesn’t really slow down anything and makes a lot of stuff easier to manage.

    I use NGinx, but Caddy or Traefik will do the same. And I don’t use Cloudflare, so I can’t comment on that.

    And btw, Jitsi-Meet is going to require some more dedicated ports for the WebRTC, STUN, etc.

  • @anamethatisnt
    35 hours ago

    I’d look at wireguard / tailscale / headscale and hide your services behind a vpn

  • @[email protected]
    25 hours ago

    There’s a good document from the SWAG reverse proxy that explains it all. I reverse proxy everything on my unraid server through swag and have for years.

  • dave@hal9000
    15 hours ago

    Yeah, what @[email protected] suggested is definitely the easiest thing and super practical - I got family members on my tailnet for this purpose. I am however now also looking into some kind of tunneled, reverse proxied and authenticated way to expose a few of my services to other friends where I don’t want to have to put them on tailscale or potentially expose them to more than needed via that route.

    I haven’t started yet, but I am updating my network set up soon to install a dedicated OPNsense router as the edge for my network. From there, the plan is to have a cloudflare tunnel that accesses some of these services via a caddy reverse proxy, with Authelia for authentication. That’s the part I have studied enough to feel confident I can do. I am a little weaker on the networking aspects of this, which is where I need to study some more - like isolating those services that are exposed in my network, while still giving them access to some other needed resources within it, etc.

    • @[email protected]
      14 hours ago

      Tailscale has the Funnel feature, which can funnel traffic into your Tailscale net for you.

      • dave@hal9000
        14 hours ago

        Ooooh that looks interesting. I haven’t messed around much with tailscale since I set it up a few years back and hadn’t noticed this. Funny, I was just the other day wondering if they might have something like that, but didn’t look it up. Thanks!