Comment on Route domain name to Docker containers on Synology NAS?
Kangie@lemmy.srcfiles.zip 9 months ago
You’re on the right track. I’m on mobile so will be brief, edit from a laptop in a while.
You can use subdomains, which is my preferred way if making services work with traefik, but you could also look for, say, example.com/potato to get to the potato service; this may work better with DDNS.
You’re correct in your assessment that you only expose 80 and 443 for the Traefik container and access everything else through that. Also only use 80 to redirect to 443.
Don’t expose the NAS directly to the web, instrad look at port forwarding on your router, it should be able to forward requests received on only 80 and 443 to the NAS while still blocking everything else.
My only complaint about Synology stuff is that I couldn’t get Traefik in swarm mode going!
Any questions reach out.
schmurnan@lemmy.world 9 months ago
Thanks. Yep, subdomains was what I’d planned on: traefik.mydomain.com to access the Traefik dashboard; home.mydomain.com to access the Homepage container. I was planning on spinning up an Authelia container as well to provide 2FA for the services I want protecting. I guess it’d also be nice to have some kind of landing page for traffic coming directly to www.mydomain.com or mydomain.com as well.
Ideally I don’t want to port forward, so would I need to rely on Traefik to redirect the traffic from port 80 to port 443, and then proxy from port 443 to the required container? How do I therefore stop traffic from hitting the DSM admin on ports 5000/5001 for example?
I need to figure out a starting point to get traffic from my domain into my NAS (safely) then start spinning up containers and have Traefik route them appropriately, then I can look at Pi-hole/local DNS and Tailscale. And then I guess SSL.
Kangie@lemmy.srcfiles.zip 9 months ago
That’s not quite how it works - the port forwarding is on your internet gateway to allow traffic on those ports to a specific host internal to your network. That’s your only option if you want these services to be available on the wider web.
My recommendation around using 80 to redirect to 443 is because in 2023 there’s no reason for that traffic to be unencrypted - just listen on 80 and say "Hey, go to example.com" instead.
If you don’t care about that you can do internal only DNS + VPN into the network and still get the benefits of free SSL certificates via the LetsEncrypt DNS01 challenge.
schmurnan@lemmy.world 9 months ago
Thanks, and yeah sorry, what I meant was to listen on both ports 80 and 443 and have a redirect in Traefik from 80 to 443 - I don’t plan on having anything directly accessible over port 80.
As per another post, I’ve hit a stumbling block:
OK so made a start with this. Spun up a Pi-hole container, added mydomain.com as an A record in Local DNS, and created a CNAME for traefik.mydomain.com to point to mydomain.com.
In Cloudflare, I removed the mydomain.com A record and the www CNAME record.
Doing an nslookup on mydomain.com I get
Which I guess is to be expected.
However, when I then navigate to traefik.mydomain.com in my browser, I’m met with a Cloudflare error page: https://imgur.com/XhKOywo.
Below is the docker-compose of my traefik container:
My traefik.yml is also nice and basic at this point:
Any ideas what’s going wrong? I’m unclear on why the domain is still routing to Cloudflare.