Text version of the video with all the commands: notthebe.ee/blog/easy-ssl-in-homelab-dns01/ To try everything Brilliant has to offer-free-for a full 30 days, visit brilliant.org/Wolfgang/ The first 200 of you will get 20% off Brilliant’s annual premium subscription
hi can you please make a video about pterodactyl and it should be running the pannel and the wings in same docker-compose file if you do that i will be very gratefull and thanks for this amazing video
Hey Wolfgang!! 😊 what about accessing our home lab securely from the outside world without using third party CDN like cloudflare? Please provide us with a solution in a next video?😊🙏🎉
Greetings to you. Do you have an explanation on how to replace the ip address of the carrier that is shown to the world to: domain HTTPS global. With its connection to a number: a computer.
Very nice video, this setup is more convenient than my own dns server. For anyone using a fritzbox router: You have to add your full domain as an exception to the "DNS rebind protection", because the fritzbox does not allow DNS resolution of domain names that point to private ips to protect against DNS rebinding attacks
This video could not have come at a better time! I've just started putting together my own home server and I've been driving myself insane with self-signed certificates. Thanks!
@@falxie_ nginx proxy manager. Yes, I barely touched JS and I had to ask chatgpt (which is suprisingly good for setting up simple stuff and writing simple shell script
Thank you, sir! This is a great video. For anyone using pfsense on their home network -- with a different domain than your purchased domain for your home lab -- you are going to want to add DNS host overrides for your purchased domain and the hosts that you are going to be proxying, all pointing to the IP address of the nginx proxy manager.
My man! You are my hero. I've watched so many videos trying to figure out how to do this exact thing and you explained it all so perfectly. And the written guide to accompany it was an added bonus and very much appreciated. Thank you, sir!
Wow, thank you for this video! I didn't know (or think of) that you could point a domain name to a private IP address. That makes creating SSL certificates super easy like this! Love you
hi, it seems is not working anymore, the certificate is added to the domain (using duckdns) but when you try to add it to your proxy host is in red state and it doesn't work. Does it work for anyone at this moment? (october 20. 2024). Also another domain I have with godaddy doesn't work because they have limited their API usage
Thank you - as I use Pi-hole, I had to add entries to the pi-hole local dns with the (sub-)domain names pointing to the proxy-manager. After that it run as you explained it.
Was this to get the SSL cert approved or for the handling of the proxy hosts after? I ask because I am using Pi-hole and cannot get past the activation of the duckdns cert.
@@JeronimoStilton14 same here. used LOCAL IP on the domain and increased the propagation time to 60. that fixed thee SSL part for me. could not access the hosts yet thought.
Tausend Dank Wolfgang. This is exactly what I was looking for. I was this close to setting up my own CA and getting a headache trying to add the root certs to all the devices.
I’ve found that some services require some special headers and if not configured correctly they break, that’s the hardest part for me, as finding the nginx headers needed for each services can be difficult
Take a look at SWAG's reverse proxy conf repository - they have examples for pretty much every popular web application: github.com/linuxserver/reverse-proxy-confs
This is such a great feature for self-hosting. Thanks for sharing. It's worth noting that some routers like Fritzboxes have a "DNS rebind protection" where you must add an exception. Otherwise you will bang your head against the wall why it doesn't work, like i did.
Yet another great video Wolfgang. Outstanding work. I've been wanting to do this for a while for my homelab and this video is the push I needed. Thank you.
Btw, great video! Thanks for explaining everything in such a concise and easy to understand manner. Just a heads up, apparently this method doesn't fully work on Chrome if you have Safe Browsing Standard or Enhanced protection enabled, for me I get the "Deceptive site ahead" warning for some of my local apps, like Jellyfin for example, but I don't get the warning for other apps like Code Server, so idk, just wanted to let you know. On Firefox I don't get warnings no matter what though, so that works just fine.
I finally got to set this up after watching the video months ago. I should have set up proxies long ago, much more convenient. One thing to mention is that this method works well with tailscale as well. I just put my server's tailscale IP instead of local network IP and it works perfectly. Really useful for privately sharing linux isos with friends.
Makes sense, though the traffic between the proxy and the service that is being accessed is still unencrypted correct? This gives the appearance like local traffic is encrypted, but really local traffic passes unencrypted to the reverse proxy before it is encrypted. I think it would have made sense to take an extra step and create a self-signed certificate that would be installed on the service and validated by the reverse proxy to ensure end-to-end encryption. Unless I'm missing something?
Do you have some starting point you can redirect me to set this up? I don't care for the convenience since I can just bookmark local ips but I care for a fully encrypted connection.
Thank you for this video, have always been wanting to access all my services through https rather than typing in my IP every time but couldn't as I thought it will take some time for me to study the nuances of the process. This has been an easy and fast setup.
Your Video is like a rescue ring. I had trouble understanding this concept with the traefik guides from Techno Tim but now that you've implementet a sceamtic drawing it helped alot. Thanks! Again a Video to exact right time :D My instructor wanted me to get the basic of dns and teach myself but i was only stuck at this internal external stuff so you safed me :D
@@brokenicelight i came up with a solution. i shutdown traefik and started up nginx proxy manager instead 🤣 i got it to work kinda. even authentik works with it. just, it only works when my vpn is active. when its turned off, it no longer works 🥲
This video was right on time! I was exploring how could I deploy things locally without deal with IPs and cert issues. Very valuable info, thanks for sharing.
Dude... this intro speaks directly to my soul. Completely spot-on how it feels. The Blade Runner segment is perfect. Going to do this on my home lab, that's turned into something I'd see in the field, at work. Too funny man 😂😂 *joined* 😂😂❤
Hey, very nice video, but i got an issue, i already use the nginx proxy manager in combination with a domain and cloudflare to expose some stuff to the outside world. is it also possible to use the same nginx pm and domain for the local ssl stuff?
This doesn't work for me. I didn't use duckdns, instead my own domain. I have the SSL certificate setup, I've likewise added in the * subdomain, and it doesn't route.
One minor correction about setting proxy hosts. Setting the forward hostname as localhost for any containers other than the Nginx Proxy Manager container leads to a 502 Bad Gateway error, even if all containers are running on the same network. I resolved it by using the IP address instead of localhost.
@@Cookie-ey1vr For me I used the IP address of my server. Both localhost and 127.0.0.1 spits 502. Then when I changed it to the IP of server it worked.
Pretty awesome and relatively easy to setup! One issue I noticed is that Safari password autofill treats everything under the proxy as the same site... meaning it will suggest passwords for services with different hostnames. This can get a bit unwieldy if you have a lot of services with their own username/passwords.
Even if i turn off the certificate and i set the ip to the ip of an other of my homeservers, the forwarding does not work . I get a connection refused error. What is the best way to debug that?
Gracias por este valioso contenido, hace tiempo que no encontraba como asignarle certificados válidos a un servicio que estuviera fuera Docker, pero ahora ya me di la idea de como poder solucionarlo gracias a tu vídeo ✌️
Hmm, i followed your setup, but for the 1st Proxy Host when clicking the link I always end up in Nextcloud instead for nginx. Even I add the IP and docker port. And it show the certificate is invalid...
Nice video! I've been doing something similar: wildcard certificates and wildcard dns pointing at my home's public IP. Then I have an nginx reverse proxy + SSL terminator and configs for my services. If I want a service to be publicly reachable, all I do is add an nginx config and boom, done. If I want something to be available only locally, I simply add an override into my pihole dns server or just add an ip-based allow/deny block to the nginx config. Simple, and the wildcards add a bit of security by obscurity - no more bots finding services by reading the DNS or certificate data. I'm getting my certs using dns-01 with the lego acme client.
you skipped the cloudflare api token, but with some extensive google search i found that you need to create your own API token with edit dns zones permissions set to all zones
Doesn't work for Cloudflare. There is no way of mapping an IP address for a challenge and when you add your name servers after the domain it fails. I don't want to use Duck DNS though. Maybe a video on how to do this using Cloudflare would be cool.
@@Skyluxe Hello, did you do something else ? On my end, I was able to map on cloudflare to my internal IP, and to create a ssl cert with the API. But when I try to redirect to the correct service in NGINX it doesn't work. I know that my port interal_IP:80 was already mapped (outside of NGINX), and my guess is that my network is not taking the info given by NGINX to go to the correct service. Thanks ;)
Thank you so much for this video, 1 thing I don't think anyone ran into is I had to wait almost a day for my registrar to reflect the IP changes. 🤦Now that I found you I'm going to look through your other video's Thanks again.
Thank you for this video. I have set it up at home, no longer public visibility for some services. Combined with Tailscale router (to access your local networks), it rocks !
Hey, your comment is exactly what I was looking for, I'm trying to also setup Tailscale alongside Nginx like in the video, but Tailscale also uses port 80, how did you manage it?
Nvm, I got it working, for some reason when I had CasaOS installed as a container before installing NPM, I'd get trouble installing NPM's container, however if I install NPM, configure it and only afterwards install Tailscale then it works just fine.
Although, on a separate note, how do you access your local environment using Tailscale when you're outside of your local network? Since duckdns points to a local IP, it doesn't really work for me outside of my local network, could you explain what you did?
Trolling both sides, maybe. Or a case of ruffling both sides, rather than antagonizing one side only. You can win regardless, especially with the spread of audience by Wolfgang.
Hi, thank you for that vdieo I built an Unraid server two years ago and I have been trying to fix that certificate issue since then. Unfortunately it does not work like described. After setting it up like you did with duckdns and nginx I can open the NGinx WEBUI like you butr any other proxy host gives me a 502 bad gateway error (tried vaultwarden and jellyfin) any idea what I could do wrong?
@@chrgeorgeson I did. I had a knot in my brain. I alwys wnated to point nginx to the https address of the service (e.g.: vaultwarden) but the whole point is that nginx is the https endpoint so you need to tell nginx to open the http (no S) URL. Then it works.
@@chrgeorgeson HA same thing for me , just commeneted. Guessing it has to do with the way unraid builds its docker network and uses the same IP... Not sure..
@@TheQwenton yes, I made the mistake to add the URL with httpS to nginx. That of course will not work as the connection between nginx and the actual website is regular http.
why don't just create a Own CA and import it into ur Root CA's and then sign a Certificate for ur HomeLab App with the CA and they will all be valid automatically
Danke Wolfgang! I find it absurd that we need to jump through these hoops, just to have valid SSL in our home networks, but you made those hoops much easier to jump through :)
Great video as always. Thank you for sharing it with us. I am using pfSense in my environment and having HAProxy, however I needed a second proxy manager, your video helped me a lot with setting up the second one. 👍
Have you tried to renew SSL certificate? I am able to add new Lets encrypt certificate via duckdns for different domain but I cannot renew the old one. I see the "Internal error" on the UI when I try to renew it manually and the message "Failed to renew certificate npm-2 with error: The DNS response does not contain an answer to the question: .. IN TXT" in the log.
You are an absolute legend for this video! I've been trying to fix my reverse proxy and could not get it to work. The "Propagation Seconds" change was an absolute saver! Thanks!
ATTENTION, small mkstame. If your service is on the local host of your Docker host, outside a Docker container, 127.0.0.1 will NOT reach that service, it will have the proxy container contact itself. You will have to either use the special ip or hostname for Docker local host addressing, or use the external network interface ip.
So if I want the auto renewal to work I need this reverse proxy to work all the time? My setup is something like this Internet -> proxmox -> firewall (pfsense) -> many vm's I guess the reverse proxy could be just another vm on my proxmox, right? And I need to make some firewall rules for it to be accessible on the Internet.
man i spent so long looking for a video like this, and it shows up right after i got it working. wouldve been nice to get this recommendation first lol
Works great on an Ubuntu VM instance running under proxmox. But I also like to torture myself trying to get these solutions to run under W11 > WSL2 > Docker > NPM, no luck so far no doubt some firewall issue. Thanks for the tutorial short and to the point.
This worked great on putting https secure connection locally on my new Raspberry Pi 5 running CasaOS! I just had to do a few modification on the ports and IP addresses but everything worked correctly at the end! Thanks! 👍
@@tooongs in terms of the CloudFlare cert? I just setup all my dns records through cloudflare and set them to proxied. Then I generated a cloudflare origin cert and imported them into npm. I also set my encryption on cloudflare to strict mode.
Is this solution workable if NPM is deployed as an app in TrueNAS Scale? I could create SSL cert and proxy host following your instructions but when trying to access the declared domain name as stated in proxy host, nothing is loading. My idea is to have NPM on TrueNAS Scale app to be the reverse proxy as per your video for my internal sites.
This is an amazing video, thank you very much. SSL cert errors set me off. I followed this and it worked flawlessly. I think modified to use my Tailscale VPN IP addresses and now I can access my home lab services anywhere with a nice certificate, makes me happy. Time to touch grass, thanks again.
This is pretty nifty. I guess the logical next step is to setup and use a VPN, so that these url's can resove for devices on VPN when outside of LAN. As well as setup Dashy / Homer for all the services.
I didn't know I needed this video until it was recommended to me. Amazing video and great explanations. Thanks for the caption. Greetings from Brazil. ✌🏽
I did not known Nginx Proxy Manager, I'll give it a try tonight to remove my Nginx and custom configurations (so I'll have to dockerize every app I use + maybe it's time to use Ansible to avoid making everything by hand haha). Thanks for the tutorial !
This is the first time I am hearing that putting services in the same compose yaml will ensure they share a sub network. Should I be putting most of my services together for that?
Nobody is telling about running NGINX Proxy manager outside of docker internal (bridge type) network. Its more usefull because if you want to expose for example service that is not in your docker, then you're unable to do this. If you set up network type in docker for nginx proxy manager to ipvlan (or macvlan if somebody prefer this way), you can have access to everything that is in your network, not only docker containers in the same bridge network. Solution with bridge network is good only when you expose only docker containers from your host
Great video! I've been wanting to get the mess of homelab services I have running all willy nilly standardized like this. Currently using CF tunnels, but I like self hosted much better.
I hope there's a part 2 to this video describing how to set it up so it works from the outside. I suppose using tailscale would allow it, and it has been noted in the comments, but a walkthrough would be appreciated. Looks like I'm not alone with this question here.
There are plenty of tutorials already showing how to make locally hosted services accessible from the outside. The point of this video is to set up a local-only access which still uses valid SSL certs
@@WolfgangsChannel I understand that. However, many people generally prefer to access stuff both from the inside and from the outside - as proven by the comments to this video as well. I'm not asking how to setup tailscale. The question is how this topic meshes with it. What has to be done to make it work seamlessly. It's it enough to e.g. set tailscale as subnet router, or are any other steps necessary?
Thks Wolfgang! I managed to add the SSL certificate to NGINX with duckdns, but i cannot access the Proxy HOSTs that i added. Do I need to forward any router ports? the IP on the duckdns domain is the local IP, correct? any other tips?
I am unable to get duckdns to work, i don't know if it is because i am behind a cgnat though, i was able to follow every step and it is technically working but it won't accept using the dns names
Really good video. One question I had after watching it a couple of times - I'm trying to set up local SSL for my Home Assistant server that runs in an IoT VLAN (and 2-way communications to other VLANs on the network isn't allowed) and I'm trying to determine if I'll need a proxy manager on each host that needs this solution, a single proxy manager in each VLAN to serve all the hosts on that subnet or a central proxy manager for all VLANs and then I pipe traffic to/from it, accordingly. Thank you!
![[#2024MAMA] G-DRAGON - 무제(Untitled, 2014)+POWER+HOME SWEET HOME+뱅뱅뱅+FANTASTIC BABY | Mnet 241123 방송](http://i.ytimg.com/vi/Ox29z5Nf1Uk/mqdefault.jpg)
Text version of the video with all the commands: notthebe.ee/blog/easy-ssl-in-homelab-dns01/
To try everything Brilliant has to offer-free-for a full 30 days, visit brilliant.org/Wolfgang/
The first 200 of you will get 20% off Brilliant’s annual premium subscription
Not related but I love your content man, keep it up
hi can you please make a video about pterodactyl and it should be running the pannel and the wings in same docker-compose file if you do that i will be very gratefull and thanks for this amazing video
Thanks for the share, but how about the npm network driver ?
i can see no details about it
thanks in advance (btw the npm never work for me)
Hey Wolfgang!! 😊 what about accessing our home lab securely from the outside world without using third party CDN like cloudflare? Please provide us with a solution in a next video?😊🙏🎉
Greetings to you. Do you have an explanation on how to replace the ip address of the carrier that is shown to the world to: domain HTTPS global. With its connection to a number: a computer.
Very nice video, this setup is more convenient than my own dns server.
For anyone using a fritzbox router: You have to add your full domain as an exception to the "DNS rebind protection", because the fritzbox does not allow DNS resolution of domain names that point to private ips to protect against DNS rebinding attacks
This is an excellent tip! Thanks!
Thank you! Now it is working as expected.
I was looking for this comment. Thanks alot! :)
Fixed my issue after pulling my hair for an hour
Hero, thank you for this comment.
This video could not have come at a better time! I've just started putting together my own home server and I've been driving myself insane with self-signed certificates. Thanks!
same here =)
wait y'all are using an application to manage your nginx reverse proxy? I was editing config files like a madman here 😭
This is the way.
@@sugoruyothis is the way.
Nginxproxmanager is really nice if you just want a gui and ssl rotation
😮
Me too... This is the way.
NPM is freakin awesome. It's crazy how easy it is to get setup and going with it and boom...you've got proper SSL and routing.
As (unfortunately) a JavaScript developer I was very confused by this statement for a moment
not quite for me... since I'm not a linux users 😂
mostly I used DNS domain record check for let's encrypt.
@@falxie_ haha yeah I have to think twice when seeing "NPM" now
@@falxie_ nginx proxy manager. Yes, I barely touched JS and I had to ask chatgpt (which is suprisingly good for setting up simple stuff and writing simple shell script
NPM is very confusing when you're not referring to Node Package Manager.
This is the simplest way to tackle certs I've seen, definitely trying this! I've been putting it off in my homelab for ages.
Doesn't work with Cloudflare.
Thank you, sir! This is a great video. For anyone using pfsense on their home network -- with a different domain than your purchased domain for your home lab -- you are going to want to add DNS host overrides for your purchased domain and the hosts that you are going to be proxying, all pointing to the IP address of the nginx proxy manager.
could you please explain further? Im having trouble on setting this up using my pfsense
could you please show this step, maybe in a short video? pFsense drives me crazy :(
Thanks, was pulling my hair out until I did dns host ovreride and it worked!
Add portainer to this and you have an easy way to manage all your containers. :)
Easy it might be defently not efficient. Running shell commands is just faster then navigating around in an GUI to do the same thing.
@@electricz3045 This is where we come to the whole CLI vs GUI discussion again. The right answer is of course your personal preference!
@@fabiandrinksmilk6205 I agree with you. I have multiple docker servers, including HA. It's much easier to manage with Portainer and portainer agents.
Yacht for a smaller yet lighter system that still works for basic setups!
I use exactly this setup for over a year and it just works flawlessly. Even auro-renewing the let's encrypt cert works without any issues.
No it doesn't.
"Don't worry about it! Not every bad thing in life is your fault." Thanks man I needed that.
My man! You are my hero. I've watched so many videos trying to figure out how to do this exact thing and you explained it all so perfectly. And the written guide to accompany it was an added bonus and very much appreciated. Thank you, sir!
No problem 👍
Wow, thank you for this video! I didn't know (or think of) that you could point a domain name to a private IP address. That makes creating SSL certificates super easy like this! Love you
I was almost giving up, but I saw the video and the kind explanation was sweet rain for a beginner like me. Thank you so much
hi, it seems is not working anymore, the certificate is added to the domain (using duckdns) but when you try to add it to your proxy host is in red state and it doesn't work. Does it work for anyone at this moment? (october 20. 2024). Also another domain I have with godaddy doesn't work because they have limited their API usage
I can't get this to work with my Cloudflare domain. Any pointers?
Posso emitir o certificado, mas o domínio não é público.
Thank you - as I use Pi-hole, I had to add entries to the pi-hole local dns with the (sub-)domain names pointing to the proxy-manager. After that it run as you explained it.
Thank you - just saved me a lot of head scratching...
you saved me soo much stress
OMG you legend. I've followed this video twice and hit a brickwall everytime, until I found your comment. Thankyou!
Was this to get the SSL cert approved or for the handling of the proxy hosts after? I ask because I am using Pi-hole and cannot get past the activation of the duckdns cert.
@@JeronimoStilton14 same here. used LOCAL IP on the domain and increased the propagation time to 60. that fixed thee SSL part for me. could not access the hosts yet thought.
Tausend Dank Wolfgang. This is exactly what I was looking for. I was this close to setting up my own CA and getting a headache trying to add the root certs to all the devices.
I’ve found that some services require some special headers and if not configured correctly they break, that’s the hardest part for me, as finding the nginx headers needed for each services can be difficult
Take a look at SWAG's reverse proxy conf repository - they have examples for pretty much every popular web application: github.com/linuxserver/reverse-proxy-confs
This is such a great feature for self-hosting. Thanks for sharing. It's worth noting that some routers like Fritzboxes have a "DNS rebind protection" where you must add an exception. Otherwise you will bang your head against the wall why it doesn't work, like i did.
Yet another great video Wolfgang. Outstanding work. I've been wanting to do this for a while for my homelab and this video is the push I needed. Thank you.
This solution is simply brilliant. I was searching for years for such an amazing and simple solution. Thank you.
Btw, great video! Thanks for explaining everything in such a concise and easy to understand manner.
Just a heads up, apparently this method doesn't fully work on Chrome if you have Safe Browsing Standard or Enhanced protection enabled, for me I get the "Deceptive site ahead" warning for some of my local apps, like Jellyfin for example, but I don't get the warning for other apps like Code Server, so idk, just wanted to let you know.
On Firefox I don't get warnings no matter what though, so that works just fine.
I finally got to set this up after watching the video months ago. I should have set up proxies long ago, much more convenient.
One thing to mention is that this method works well with tailscale as well. I just put my server's tailscale IP instead of local network IP and it works perfectly. Really useful for privately sharing linux isos with friends.
Makes sense, though the traffic between the proxy and the service that is being accessed is still unencrypted correct? This gives the appearance like local traffic is encrypted, but really local traffic passes unencrypted to the reverse proxy before it is encrypted. I think it would have made sense to take an extra step and create a self-signed certificate that would be installed on the service and validated by the reverse proxy to ensure end-to-end encryption. Unless I'm missing something?
This is not for security, it's for convenience
Do you have some starting point you can redirect me to set this up? I don't care for the convenience since I can just bookmark local ips but I care for a fully encrypted connection.
Lots of information in this video, thank you. The text-blog was very helpful to see the commands without copying them from the video.
Good to see a well done tutorial on the exact thing I’ve been trying to achieve for ages!
Thank you for this video, have always been wanting to access all my services through https rather than typing in my IP every time but couldn't as I thought it will take some time for me to study the nuances of the process. This has been an easy and fast setup.
Your Video is like a rescue ring. I had trouble understanding this concept with the traefik guides from Techno Tim but now that you've implementet a sceamtic drawing it helped alot. Thanks! Again a Video to exact right time :D My instructor wanted me to get the basic of dns and teach myself but i was only stuck at this internal external stuff so you safed me :D
did you get this to work for traefik? i need help for that x-x;
@@AinzOoalG0wn Sadly not now since i haven't had much time yet. But i want to get it working with traefik. Maybe we could stay connected?
@@brokenicelight i came up with a solution. i shutdown traefik and started up nginx proxy manager instead 🤣
i got it to work kinda. even authentik works with it.
just, it only works when my vpn is active. when its turned off, it no longer works 🥲
@@brokenicelight well if u find out a solution plz do share. i had to go back to traefik cause there were some issues in npm i could not resolve 🥲
This video was right on time!
I was exploring how could I deploy things locally without deal with IPs and cert issues.
Very valuable info, thanks for sharing.
Another great video. Clean and simple. Please, you need to teach us how to configure a home assistant dashboard like yours! 🤟
Wow, Thank you soooooooo much, You have no idea how much headache I went through just to land here and it worked.
Dude... this intro speaks directly to my soul. Completely spot-on how it feels. The Blade Runner segment is perfect.
Going to do this on my home lab, that's turned into something I'd see in the field, at work.
Too funny man 😂😂
*joined* 😂😂❤
Hey, very nice video, but i got an issue, i already use the nginx proxy manager in combination with a domain and cloudflare to expose some stuff to the outside world.
is it also possible to use the same nginx pm and domain for the local ssl stuff?
Thank You, I had been using an SSL per domain, didn't know you could create just one SSL cert. Now i do an have it set up thanks.
This doesn't work for me. I didn't use duckdns, instead my own domain. I have the SSL certificate setup, I've likewise added in the * subdomain, and it doesn't route.
pro tip: mine even with 120 didnt work, but 240 did!
This was just fantastic. I didn’t know I needed something like this in my life until I saw the video. Very well done thanks a lot.
One minor correction about setting proxy hosts. Setting the forward hostname as localhost for any containers other than the Nginx Proxy Manager container leads to a 502 Bad Gateway error, even if all containers are running on the same network. I resolved it by using the IP address instead of localhost.
where would you find the IP address in the docker container?
@@Cookie-ey1vr For me I used the IP address of my server. Both localhost and 127.0.0.1 spits 502. Then when I changed it to the IP of server it worked.
Pretty awesome and relatively easy to setup! One issue I noticed is that Safari password autofill treats everything under the proxy as the same site... meaning it will suggest passwords for services with different hostnames. This can get a bit unwieldy if you have a lot of services with their own username/passwords.
Even if i turn off the certificate and i set the ip to the ip of an other of my homeservers, the forwarding does not work . I get a connection refused error. What is the best way to debug that?
same
Gracias por este valioso contenido, hace tiempo que no encontraba como asignarle certificados válidos a un servicio que estuviera fuera Docker, pero ahora ya me di la idea de como poder solucionarlo gracias a tu vídeo ✌️
Hmm, i followed your setup, but for the 1st Proxy Host when clicking the link I always end up in Nextcloud instead for nginx. Even I add the IP and docker port. And it show the certificate is invalid...
Nice video! I've been doing something similar: wildcard certificates and wildcard dns pointing at my home's public IP. Then I have an nginx reverse proxy + SSL terminator and configs for my services. If I want a service to be publicly reachable, all I do is add an nginx config and boom, done. If I want something to be available only locally, I simply add an override into my pihole dns server or just add an ip-based allow/deny block to the nginx config. Simple, and the wildcards add a bit of security by obscurity - no more bots finding services by reading the DNS or certificate data. I'm getting my certs using dns-01 with the lego acme client.
But this setup he did in the video is only for local right? You will need a tunnel for public access!! That is if u have a static public ip!
Is your IP public or CGNATted?
This wont work for remote access if im cgnatted right?
@@mayurbn230 I don't have any tunnel or anything. I just forward the port in my router to my server. My IPv4 is a public, static IP shared with noone
@@Lucavon Oh makes sense then, mine is cgnatted, so i have to use a tunnel
I can not thank enough for this video. I was struggling to figure this out and your video helped me. Thank you
this is EXACTLY what I was looking for. You are a lifesaver! (I know I know.. first world problems)
you skipped the cloudflare api token, but with some extensive google search i found that you need to create your own API token with edit dns zones permissions set to all zones
Doesn't work for Cloudflare. There is no way of mapping an IP address for a challenge and when you add your name servers after the domain it fails. I don't want to use Duck DNS though. Maybe a video on how to do this using Cloudflare would be cool.
For me actually it does work with cloudflare. You have to deactivate the proxy (only DNS via cloudflare).
@@Skyluxe Hello, did you do something else ? On my end, I was able to map on cloudflare to my internal IP, and to create a ssl cert with the API. But when I try to redirect to the correct service in NGINX it doesn't work. I know that my port interal_IP:80 was already mapped (outside of NGINX), and my guess is that my network is not taking the info given by NGINX to go to the correct service. Thanks ;)
Thank you so much for this video, 1 thing I don't think anyone ran into is I had to wait almost a day for my registrar to reflect the IP changes. 🤦Now that I found you I'm going to look through your other video's Thanks again.
Does this have auto renewals of certs ?
Not by default
Thank you for this video.
I have set it up at home, no longer public visibility for some services.
Combined with Tailscale router (to access your local networks), it rocks !
Hey, your comment is exactly what I was looking for, I'm trying to also setup Tailscale alongside Nginx like in the video, but Tailscale also uses port 80, how did you manage it?
Nvm, I got it working, for some reason when I had CasaOS installed as a container before installing NPM, I'd get trouble installing NPM's container, however if I install NPM, configure it and only afterwards install Tailscale then it works just fine.
Although, on a separate note, how do you access your local environment using Tailscale when you're outside of your local network? Since duckdns points to a local IP, it doesn't really work for me outside of my local network, could you explain what you did?
@@Knufle I use Tailscale router to expose the network where the DNS entry resolves.
@@jims888 You have to use tailscale subnets to reach your ip addresses.
en-jinx one minute, engine-x the next! this is calculated trolling to stir up as much grumbling on both sides as possible
Trolling both sides, maybe. Or a case of ruffling both sides, rather than antagonizing one side only. You can win regardless, especially with the spread of audience by Wolfgang.
Learned something new, I wasn't aware that Letsencrypt can do wildcard certificates by now 🙌
Hi, thank you for that vdieo I built an Unraid server two years ago and I have been trying to fix that certificate issue since then. Unfortunately it does not work like described. After setting it up like you did with duckdns and nginx I can open the NGinx WEBUI like you butr any other proxy host gives me a 502 bad gateway error (tried vaultwarden and jellyfin) any idea what I could do wrong?
Simialr issues on my end. Did you ever get this working?
@@chrgeorgeson I did. I had a knot in my brain. I alwys wnated to point nginx to the https address of the service (e.g.: vaultwarden) but the whole point is that nginx is the https endpoint so you need to tell nginx to open the http (no S) URL. Then it works.
@@chrgeorgeson HA same thing for me , just commeneted. Guessing it has to do with the way unraid builds its docker network and uses the same IP... Not sure..
figure anything out?
@@TheQwenton yes, I made the mistake to add the URL with httpS to nginx. That of course will not work as the connection between nginx and the actual website is regular http.
Please make a video on how to setup pihole as DNS server on docker...
I'm so excited that I hit the like and subscribed at 1:37. Now continuing with the video! SSL freedom.
why don't just create a Own CA and import it into ur Root CA's and then sign a Certificate for ur HomeLab App with the CA and they will all be valid automatically
Danke Wolfgang! I find it absurd that we need to jump through these hoops, just to have valid SSL in our home networks, but you made those hoops much easier to jump through :)
Thank you for this! It seemed complicated but after following along I got everything working perfectly.
Great video as always. Thank you for sharing it with us. I am using pfSense in my environment and having HAProxy, however I needed a second proxy manager, your video helped me a lot with setting up the second one. 👍
Have you tried to renew SSL certificate? I am able to add new Lets encrypt certificate via duckdns for different domain but I cannot renew the old one. I see the "Internal error" on the UI when I try to renew it manually and the message "Failed to renew certificate npm-2 with error: The DNS response does not contain an answer to the question: .. IN TXT" in the log.
holy snap.. 20 seconds from 1:00 and my mind is blown. Of course that would work. It's so easy and it solves EVERYTHING.
You are an absolute legend for this video! I've been trying to fix my reverse proxy and could not get it to work. The "Propagation Seconds" change was an absolute saver! Thanks!
excellent. exactly what i was looking for. and thank you for having this info in blog post format too.
Omg this is EXACTLY what i've been looking for for months! Thank you so much!
That's a sub
I've been waiting for this for years...Thank you!!!!!!!!
Thankss !
Love how clear and fast you explain everything
ATTENTION, small mkstame. If your service is on the local host of your Docker host, outside a Docker container, 127.0.0.1 will NOT reach that service, it will have the proxy container contact itself. You will have to either use the special ip or hostname for Docker local host addressing, or use the external network interface ip.
Seriously thank you so much for this.... I have been trying to find something like this but no one had a solution for this !!!
So if I want the auto renewal to work I need this reverse proxy to work all the time?
My setup is something like this
Internet -> proxmox -> firewall (pfsense) -> many vm's
I guess the reverse proxy could be just another vm on my proxmox, right? And I need to make some firewall rules for it to be accessible on the Internet.
Did u make it work with this architecture?
Thank you! I managed to get this working with AWS Route53. The only difference is that the wildcard record needs to also be an A record, not a CNAME.
you're a lifesaver
man i spent so long looking for a video like this, and it shows up right after i got it working. wouldve been nice to get this recommendation first lol
Awesome!
This was the exact video I needed to find.
My local homelab is now secure and I can now use very long domainnames! Haha!
I have been following this channel for years and did not realized I am not subscribed.
Works great on an Ubuntu VM instance running under proxmox. But I also like to torture myself trying to get these solutions to run under W11 > WSL2 > Docker > NPM, no luck so far no doubt some firewall issue. Thanks for the tutorial short and to the point.
This worked great on putting https secure connection locally on my new Raspberry Pi 5 running CasaOS! I just had to do a few modification on the ports and IP addresses but everything worked correctly at the end! Thanks! 👍
Great and to-the-point video!
I have a domain already at GoDaddy, and I'm kind of confused how to get an API key for the DNS verification.
Any inputs?
Great video. Got me up and running when I first set up npm. I changed to custom certs from Cloudflare, which last for 15 years though.
Hey man, I'm curious. How is yours setup?
@@tooongs in terms of the CloudFlare cert? I just setup all my dns records through cloudflare and set them to proxied. Then I generated a cloudflare origin cert and imported them into npm. I also set my encryption on cloudflare to strict mode.
you should paste all commands for making easy
I set up passbolt last night and have the problem you just solved in this video thank you
Is this solution workable if NPM is deployed as an app in TrueNAS Scale? I could create SSL cert and proxy host following your instructions but when trying to access the declared domain name as stated in proxy host, nothing is loading. My idea is to have NPM on TrueNAS Scale app to be the reverse proxy as per your video for my internal sites.
This is an amazing video, thank you very much. SSL cert errors set me off. I followed this and it worked flawlessly. I think modified to use my Tailscale VPN IP addresses and now I can access my home lab services anywhere with a nice certificate, makes me happy. Time to touch grass, thanks again.
This is pretty nifty. I guess the logical next step is to setup and use a VPN, so that these url's can resove for devices on VPN when outside of LAN.
As well as setup Dashy / Homer for all the services.
Man this video is exactly what I was looking for. Thank you
I didn't know I needed this video until it was recommended to me. Amazing video and great explanations. Thanks for the caption. Greetings from Brazil. ✌🏽
I did not known Nginx Proxy Manager, I'll give it a try tonight to remove my Nginx and custom configurations (so I'll have to dockerize every app I use + maybe it's time to use Ansible to avoid making everything by hand haha).
Thanks for the tutorial !
i think it's nicer if you used docker or podman gui like podman desktop, which is even simpler
This is the first time I am hearing that putting services in the same compose yaml will ensure they share a sub network. Should I be putting most of my services together for that?
This is useful, thanks. Waiting for my AML-S905X-CC and then I'll set this up.
Thank you very much for this genius tipp ... !!!! You are the best !!!! Installed and works directly.
I've been going mad trying to get step-ca to work. Had no idea you could put a private IP in the public DNS record. Very simple solution.
Nobody is telling about running NGINX Proxy manager outside of docker internal (bridge type) network. Its more usefull because if you want to expose for example service that is not in your docker, then you're unable to do this. If you set up network type in docker for nginx proxy manager to ipvlan (or macvlan if somebody prefer this way), you can have access to everything that is in your network, not only docker containers in the same bridge network.
Solution with bridge network is good only when you expose only docker containers from your host
True - that’s the way I have it set up on my home network. A bit more complicated though and requires a router with VLAN support
Danke Wolfgang, dank deiner Anleitung war die Einrichtung sehr einfach! :)
This is what i have been searching for. Thanks for the super easy to follow video. Saved me lots of pain. Great work. Cheeeeeeeeers!
omg I was waiting for a tutorial using precisly docker and DuckDNS together and you just upload this perfect tutorial ! You save my time
Why does my nginx proxy manager login page say bad gateway? I double checked the email and password still when I click login, it says "bad gateway"
Great video! I've been wanting to get the mess of homelab services I have running all willy nilly standardized like this. Currently using CF tunnels, but I like self hosted much better.
I hope there's a part 2 to this video describing how to set it up so it works from the outside. I suppose using tailscale would allow it, and it has been noted in the comments, but a walkthrough would be appreciated. Looks like I'm not alone with this question here.
There are plenty of tutorials already showing how to make locally hosted services accessible from the outside. The point of this video is to set up a local-only access which still uses valid SSL certs
@@WolfgangsChannel I understand that. However, many people generally prefer to access stuff both from the inside and from the outside - as proven by the comments to this video as well. I'm not asking how to setup tailscale. The question is how this topic meshes with it. What has to be done to make it work seamlessly. It's it enough to e.g. set tailscale as subnet router, or are any other steps necessary?
@@BoraHorzaGobuchul? Setup your own dns server?
Thks Wolfgang! I managed to add the SSL certificate to NGINX with duckdns, but i cannot access the Proxy HOSTs that i added. Do I need to forward any router ports? the IP on the duckdns domain is the local IP, correct? any other tips?
I am unable to get duckdns to work, i don't know if it is because i am behind a cgnat though, i was able to follow every step and it is technically working but it won't accept using the dns names
Really good video. One question I had after watching it a couple of times - I'm trying to set up local SSL for my Home Assistant server that runs in an IoT VLAN (and 2-way communications to other VLANs on the network isn't allowed) and I'm trying to determine if I'll need a proxy manager on each host that needs this solution, a single proxy manager in each VLAN to serve all the hosts on that subnet or a central proxy manager for all VLANs and then I pipe traffic to/from it, accordingly.
Thank you!