I’m sure I’m massively overthinking this, but any help would be greatly appreciated.

I have a domain name that I bought through NameCheap and I’ve pointed it to Cloudflare (i.e. updated the name servers). I have a Synology NAS on which I run Docker and a few containers. Up until now I’ve done this using IP addresses and ports to access everything (I have a Homepage container running and just link to everything from there).

But I want to setup SSL and start running Vaultwarden, hence purchasing a domain name to make it all easier.

I tried creating an A record in Cloudflare to point to the internal IP of my NAS (and obviously, this couldn’t be orange-clouded through CF because it’s internal to my LAN). I’m very reluctant to point the A record to the external IP of my NAS (which, for added headache is dynamic, so I’d need to get some kind of DDNS) because I don’t want to expose everything on my NAS to the Internet. In actual fact, I’m not precious about accessing any of this stuff over the internet - if I need remote access I have a Tailscale container running that I can connect to (more on that later in the post). The domain name was purely for ease of setting up SSL and Vaultwarden.

So I guess my questions are:

  • What is the best way to go about this - do I create a DDNS on the NAS and point that external IP address to my domain in Cloudflare, then use Traefik to just expose the containers I want to have access to using subdomains?
  • If so, then how do I know that all other ports aren’t accessible (I assume because I’m only going to expose ports 80 and 443 in Traefik?)
  • What do other people see (i.e. outside my network) if they go to my domain? How do I ensure they can’t access my NAS and see some kind of page?
  • Is there a benefit to using Cloudflare?
  • How would Pi-hole and local DNS fit into this? I guess I could point my router at Pi-hole for DNS and create my A records on Pi-hole for all my subdomains - but what do I need to setup initially in Cloudflare?
  • I also have a RPi that has a (very basic) website on it - how do I setup an A record to have Cloudflare point a sub-domain to the Pi’s IP address?
  • Going back to the Tailscale thing - is it possible to point the domain to the IP address of the Tailscale container, so that the domain is only accessible when I switch on the Tailscale VPN? Is this a good idea/bad idea? Is there a better way to do it?

I’m sure these are all noob-type questions, but for the past 6-7 years I’ve purely used this internally using IP:port combinations, so never had to worry about domain names and external exposure, etc.

Many thanks in advance!

  • schmurnan@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Thanks. There’s definitely stuff in here I want to do, I just need to figure out the order of play and break it down a bit.

    As per reply to another comment.

    Do I have to port forward 80 and 443 no matter what? Ideally I don’t want to forward anything.

    Do I need DDNS in here somewhere, i.e. create a DDNS and link it to my NAS, create an A record in Cloudflare to point my domain to the external IP of the DDNS? Is that how I get into my NAS from the domain without worrying about the IP changing? How do I then prevent anybody accessing the NAS admin on port 5000/5001, as well as anything else except the containers I expose via Traefik?

    • MangoPenguin@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Do I have to port forward 80 and 443 no matter what? Ideally I don’t want to forward anything.

      You only need to port forward if you want external access without using a VPN or something like that. Like if you wanted friends to be able to access your server for example.

      Do I need DDNS in here somewhere, i.e. create a DDNS and link it to my NAS, create an A record in Cloudflare to point my domain to the external IP of the DDNS?

      Yes, but only if you want to port forward and have external access. If you want local access only then you don’t need port forwarding, DDNS, or any A records in cloudflare.

      How do I then prevent anybody accessing the NAS admin on port 5000/5001, as well as anything else except the containers I expose via Traefik?

      Assuming you did port forward 80/443, then the NAS admin wouldn’t be exposed since it’s on different ports.

      • schmurnan@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Thanks. I realise they’re all pretty basic questions. But brace yourself: more are on their way!

        So… no, I don’t want to give external access - I’m not running any services that anyone would want/need access to - other than perhaps my Jellyfin server, but not sure I even want anyone accessing that. So let’s assume for right now, no access to the outside world. Therefore, no port forwarding required.

        So to get access to my internal network from the domain, do I simply setup local DNS records in something like Pi-hole, to point mydomain.com to the internal IP or my NAS? Kind of like a network-wide equivalent of modding the /etc/hosts file on my machine?

        Perhaps a(nother) silly question but, what’s to stop me doing that now with a completely random domain name? Is there some kind of authentication I’d need to go through to prove that mydomain.com is, in fact, mine? Or does it simply not matter since it’s internal only?

        If I’ve understood correctly, then, I don’t need Cloudflare at all in my setup if there’s no external access? Nothing to proxy, nothing to protect?

        Assuming I get all of the above working and traffic routing to my containers, how would I then go about setting up SSL? Can that be done through Traefik rather than Cloudflare? Even if the domain isn’t external?

        • MangoPenguin@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 year ago

          do I simply setup local DNS records in something like Pi-hole, to point mydomain.com to the internal IP or my NAS? Kind of like a network-wide equivalent of modding the /etc/hosts file on my machine?

          Yep exactly!

          Perhaps a(nother) silly question but, what’s to stop me doing that now with a completely random domain name?

          Nothing, it’s local to your network only so it only affects you. You could set google.com to return whatever IP you want for example, but it would prevent you from actually accessing google.

          If I’ve understood correctly, then, I don’t need Cloudflare at all in my setup if there’s no external access? Nothing to proxy, nothing to protect?

          The only thing you need Cloudflare (or another DNS-01 supported service) for, is getting letsencrypt SSL certificates. Since it uses automatically generated public DNS records on your domain name to verify that you own it.

          Can that be done through Traefik rather than Cloudflare? Even if the domain isn’t external?

          Yep it’s done through Traefik either way, their docs should have a section on SSL with cloudflare IIRC.

          • schmurnan@lemmy.worldOP
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Absolute superstar, thanks for your help so far. I’ll make a start on some of this tomorrow and see how far I get — either with Traefik or NPM.

            Do I need to do anything with the domain itself on Cloudflare at the moment? Or do I just leave it with its current A record pointing at an IP address (it was done as part of the setup in Cloudflare so I have no idea what that IP address is).

            Obviously that domain in reality will just sit there doing nothing.

              • schmurnan@lemmy.worldOP
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                OK so made a start with this. Spun up a Pi-hole container, added mydomain.com as an A record in Local DNS, and created a CNAME for traefik.mydomain.com to point to mydomain.com.

                In Cloudflare, I removed the mydomain.com A record and the www CNAME record.

                Doing an nslookup on mydomain.com I get

                Non-authoritative answer:
                *** Can't find mydomain.com: No answer
                

                Which I guess is to be expected.

                However, when I then navigate to http://traefik.mydomain.com in my browser, I’m met with a Cloudflare error page: https://imgur.com/XhKOywo.

                Below is the docker-compose of my traefik container:

                traefik:
                    container_name: traefik
                    image: traefik:latest
                    restart: unless-stopped
                    networks:
                      - medianet
                    ports:
                      - 80:80
                      - 443:443
                    expose:
                      - 8080
                    volumes:
                      - /etc/localtime:/etc/localtime:ro
                      - /var/run/docker.sock:/var/run/docker.sock:ro
                      - /volume1/docker/traefik:/etc/traefik
                      - /volume1/docker/traefik/access.log:/logs/access.log
                      - /volume1/docker/traefik/traefik.log:/logs/traefik.log
                      - /volume1/docker/traefik/acme/acme.json:/acme.json
                    environment:
                      - TZ=Europe/London
                    labels:
                      - traefik.enable=true
                      - traefik.http.routers.traefik.rule=Host(`$TRAEFIK_DASHBOARD_HOST`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
                      - traefik.http.routers.traefik.service=api@internal
                      - traefik.http.routers.traefik.entrypoints=traefik
                

                My traefik.yml is also nice and basic at this point:

                global:
                  sendAnonymousUsage: false
                
                entryPoints:
                  web:
                    address: ":80"
                  traefik:
                    address: "8080"
                
                api:
                  dashboard: true
                  insecure: true
                
                providers:
                  docker:
                    endpoint: "unix:///var/run/docker.sock"
                    watch: true
                    exposedByDefault: false
                
                log:
                  filePath: traefik.log
                  level: DEBUG
                
                accessLog:
                  filePath: access.log
                  bufferingSize: 100
                

                Any ideas what’s going wrong? I’m unclear on why the domain is still routing to Cloudflare.

                  • schmurnan@lemmy.worldOP
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    1 year ago

                    Actually, no I don’t see anything coming through.

                    So the IP address of my router is 192.168.1.1, IP of my NAS is 192.168.1.116.

                    Checked the DNS on my Mac and it’s 192.168.1.1. Checked the DNS on my NAS and it’s 192.168.1.1. I changed the DNS in my router to 192.168.1.116.

                    Have I missed a step somewhere?