[question] Help me access my local homeserver using a public domain name

Submitted ⁨⁨3⁩ ⁨weeks⁩ ago⁩ by ⁨TheHobbyist@lemmy.zip⁩ to ⁨selfhosted@lemmy.world⁩

Hi folks,

I’m trying to setup HTTPS for my local services on my home network. I’m gotten a domain name mydomain.tld and my homeserver is running at home on let’s say 192.168.10.20. I’ve setup Nginx Proxy Manager and I can access it using its local ip address as I’ve forwarded ports 80 and 443 to it. Hence, when I navigate on my computer to http://192.168.10.20/ I am greeted with the NPM default Congratulations screen confirming that it’s reachable. Great!

Next, I’ve setup an A record on my registrar pointing to 192.168.10.20. I think I’ve been able to confirm this works because when I check on an online DNS lookup tool like https://centralops.net/CO/Traceroute as it says 192.168.10.20 is a special address that is not allowed for this tool.. Great!

Now, what I’m having trouble with, is the following: make it such that when I navigate to http://mydomain.tld/ I get to the NPM welcome screen at http://192.168.10.20/. When I try this, I’m getting the firefox message:

Hmm. We’re having trouble finding that site.
We can’t connect to the server at mydomain.tld.

Strangely, whenever I try to navigate to http://mydomain.tld/ it redirects me to https://mydomain.tld/, so I’ve tried solving this using a certificate, using the DNS-01 challenge from NPM, and setting up a reverse proxy from https://mydomain.tld/ to http://192.168.10.20/ and with the wildcard certificate from the challenge, but it hasn’t changed anything.

I’m unsure how to keep debugging from here? Any advice or help? I’m clearly missing something in my understanding of how this works. Thanks!

source

Comments

Sort:hotnew top

30p87@feddit.org ⁨3⁩ ⁨weeks⁩ ago
The obvious question: Do you want to access your server only from within your network or also from anywhere else?

source
- TheHobbyist@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  Good question. I’m only interested in accessing it from my home network and through my tailscale network.
  
  source
  - Agility0971@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Then you don’t need to inform the rest of the world about your domain. Just use the hostname of the server on your tailnet and it should work all the time
    
    source
    -> View More Comments
0x01@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
You set the A record to your internal ip address from within your router?

Nginx configs have a lot of options, you can route differently depending on the source context

So a couple questions:

Do you only want to access this from your local network? If so setting up a domain name in the broader internet makes no sense, you’re telling the whole world what local ip within your switch/router is your server. Make your own dns or something if you just want an easier way to hit your local resources

do you want to access this from the internet, like when you’re away from home? Then the ip address you add to your a record should be your isp’s public ip address you were assigned, it will not start with 192.168, then you have your modem forward the port to your local system (nginx)

If you don’t know what you are doing and have a good firewall setup do not make this service public, you will receive tons and tons of attacks just for making a public a record.
source
- TheHobbyist@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  The A record was set on my registrar, so on a public DNS, so to speak.
  
  It allows me to use HTTPS on a private service without setting up any custom DNS locally and without me using any selfsigned certificates and with all my IP addresses being private. It’s a good solution for me to have the real certificates using the default public infrastructure while keeping everything private. What’s the danger of sharing that my private server is accessible at 192.168.10.20 for the external world? What could they do with that information?
  
  I use my tailscale network to which I expose my local network to allow remote access. Works great for me.
  
  source
  - 0x01@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
    Then next I would examine the redirect and check your stack, is it a 302, 304, etc, is there a service identifying header with the redirect?
    
    After that I would try to completely change your setup for testing purposes, greatly simplify things removing as many variables as possible, maybe setup an api server with a single route on express or something and see if that can be faithfully served
    
    If you can’t serve with even a simple setup then you need to go back to the drawing board and try a different option
    
    source
    -> View More Comments
TangledRockets@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
The IP address you’ve used as an example would not work. That is a ‘local’ address, ie home address. If you want DNS to resolve your public domain name to your home server, you need to set the A record to your ‘public’ IP address, ie the external address of your modem/router. Find this by going to whatismyip.com or something similar.

That will connect your domain name with your router. You then set up port forwarding on the router to pass requests to the server.

source
Mitchie151@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
You can’t point to 192.168.X.X that’s your local network IP address. You need to point to your public IP address which you can find by just searching ‘what is my IP’. Note that you can’t be behind CGNAT for this, and either need a static IP or dynamic DNS configuration. Be aware of the risks involved exposing your home server to the internet in this manner.

source
- slazer2au@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  
  You can’t point to 192.168.X.X that’s your local network IP address. You need to point to your public IP address
  
  That’s not true at all. That is exactly how I have my setup. A wildcard record at Porkbun pointing to the private IP of my home server so when I am home I have zero issues accessing things.
  
  source
  - HelloRoot@lemy.lol ⁨3⁩ ⁨weeks⁩ ago
    
    A wildcard record at Porkbun pointing to the private IP of my home server
    
    Which can not be 192.168.X.X
    
    read: en.wikipedia.org/wiki/IP_address#Private_addresse…
    
    source
    -> View More Comments
- TheHobbyist@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  You sure can. You can see someone doing just that here successfully:
  
  www.yewtu.be/watch?v=qlcVx-k-02E
  
  source
  - Mitchie151@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Okay sure, for a specific use case yes you can point a record to a private IP, however this explicitly doesn’t expose your homelab to the web as OP is trying to achieve.
    
    source
frongt@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
Try a different browser, or the curl command in another comment. Your understanding so far is correct, though unusual, typically it’s not recommended to put LAN records in WAN DNS.

But if you’ve ever run HTTPS there before, Firefox might remember that and try to use it automatically. I think there’s a setting in Firefox. You might also try the function to forget site information, both for the name and IP. I assume you haven’t turned on any HTTP-to-HTTPS redirect in nginx.

Also verify that nginx is set up with a site for that name, or has a default site. If it doesn’t, then it doesn’t know what to do and will fail.

source
- TheHobbyist@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
  This was a good suggestion, indeed other browsers seem to work just fine, I updated my post with a new edit. I’m making progress, it seems I’m having some specific issue with Firefox, my default browser.
  
  source
  - frongt@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
    Yeah, either check for that setting I mentioned or clear the site data.
    
    source
whereyaaat@lemmings.world ⁨2⁩ ⁨weeks⁩ ago
You don’t need a domain name for HTTPS.

source
- TheHobbyist@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
  I’m not trying to expose it to the internet and there are indeed multiple solutions to get HTTPS. This one works with a real domain name is what works best for me :)
  
  source
Evilschnuff@feddit.org ⁨3⁩ ⁨weeks⁩ ago
Why do you need a domain on an internet facing dns if you can just define it with your local dns? Unless you want to access your services via internet, in which case you would need a public ip.

source
- TheHobbyist@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  To have HTTPS without additional setup on all the devices which I use to access my services and without having to setup my own DNS server.
  
  source
Davel23@fedia.io ⁨2⁩ ⁨weeks⁩ ago
The easy answer is to enable NAT loopback (also sometimes called NAT hairpinning) on your edge router.

source
- TheHobbyist@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
  This was not required in my case, but maybe it solves other issues?
  
  source
  - Davel23@fedia.io ⁨2⁩ ⁨weeks⁩ ago
    It solves all your issues. No weird, non-standard DNS records. Just turn it on and everything both on your local network and external (if you want it to) works via domain name.
    
    source
Jumuta@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
why are you trying to downgrade https to http? if you’ve set up dns-01 properly it should just work with https.

how did you configure dns-01?

source
- TheHobbyist@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
  Yes, it was an attempt at doing on step at the time, but I realize I’ve been able to make it work in some browsers and on some DNS using HTTPS, as hoped. I’m now mostly trying to solve specific DNS issues, trying to understand why there are some cases where it’s not working (i.e. in Firefox regardless of DNS setting, when calling dig, curl or host).
  
  source
princessnorah@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago
It’s very likely that DNS servers aren’t going to propagate that A name record because of it being an internal IP. What DNS settings are you using for Tailscale? You could also check that the address is resolving locally with the command host mydomain.tld which should return mydomain.tld has address 192.168.10.20 if things are set up correctly.

source
jabberwockiX@piefed.social ⁨2⁩ ⁨weeks⁩ ago
Sorry this will most definitely not work with your local IP address on an external DNS. That is not routable over the internet. I have a 192.168.10.20 IP address in my home network as well. You need to go to whatsmyip.com or ipchicken.com and get your external IP and put that in the DNS at your registrar. Most likely you will need a Dynamic DNS provider as your ISP probably gives you a dynamic public IP address that will change occasionally.

If you just want to resolve mydomain.tld INTERNALLY so you can use a mydomain.tld HTTPs certificate then you just need to add mydomain.tld to your INTERNAL DNS server pointing at your INTERNAL IP address for your server. Likely your router is set up as a DNS server but it just forward all requests to the external DNS which is why you just get sent to mydomain.tld instead of your internal server.

source
- TheHobbyist@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
  It does work. In my first edit I’m sharing multiple examples of others making it work, and I’ve made it work in some cases which I explain in my second edit. I’m not using an HTTP challenge, but a DNS challenge which is not specific to any IP address and does not require the IP address to be reachable from outside my network. I only care about accessing the endpoint from within my home network. The use of a real domain allows me to make use of the public chain of trust infrastructure and DNS allowing me to reach my homeserver using any device without having to setup any specific local DNS or installing any custom certificate on any of my devices.
  
  source
  - aaravchen@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
    Try turning off WiFi on your phone and see if you can connect from there. Connecting from a device within your home network to a another device in your home network is different than connecting from a device out on the internet to a device in your home network. Phone using data is a good way to check that “internet device to home network” case.
    
    source
    -> View More Comments
  - non_burglar@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    No, it is not fully working.
    
    Many have tried to explain to you that your setup only works for YOU on YOUR subnet.
    
    Your are then asking other public tools meant to lookup public ips with publicly-available DNS names to resolve your internal addresses, which they obviously don’t know anything about, and you’re getting those errors from tools that follow rfc because you are putting the equivalent of “bedroom” on the outside of an envelope and expecting the post office to know that it means YOUR bedroom.
    
    For dns to work properly, the authoritative DNS server should be able to create a reverse lookup record for every a record that allow a DNS client to ask “what record do you have for this IP?” and get a coherent response. Since 192.168.10.0/24 is a non-routable network, you will never have such a reverse record.
    
    Wolfgang has done you a disservice by giving you a shortcut that works as a side-effect of dns before you fully understood how DNS works.
    
    source
    -> View More Comments
BaroqueInMind@piefed.social ⁨2⁩ ⁨weeks⁩ ago
One thing you probably forgot to check is if your TLD registrar supports DyDNS and you have it set on both sides of the route.

source
- TheHobbyist@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
  Would you mind explaining further what you mean by “setting it up on both sides of the route”? Much appreciated!
  
  source
  - BaroqueInMind@piefed.social ⁨2⁩ ⁨weeks⁩ ago
    https://www.cloudflare.com/learning/dns/glossary/dynamic-dns/
    
    source
humanamerican@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
Have you considered using a mesh VPN instead of opening a port to the public? Nebula and TailScale are both great options that have a free tier which is more than enough for most home use cases. With Nebula you can even selfhost your discovery node so nothing is cloud-based, but then you’re back to opening firewall ports again.

Anyway, its going to be more secure than even a properly configured reverse proxy setup and way less hassle.

source
aaravchen@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
Given your setup, I presume you’re trying to access your server via a domain name, from within your home network?

Or maybe your example IP address is just confusing. IP addresses in the ranges 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8 are all reserved for “private routing” and are not routable on the larger internet.Your home will gave devices with those IP addresses because it’s a private LAN that uses Network Address Translation (NAT) at the boundary with your ISP. Your ISP might also have it’s own NAT called Carrier-Grade NAT (CGNAT) that has another translation boundary where it reaches the internet. If your ISP doesn’t have CGNAT, and allows incoming connections on your desired ports, you !at be able to use the IP address your ISP assigned your router as the pubic IP, but if not you’ll need to figure out some other routing method (e.g. VPS hosting a private VPN exit point with routing rules to allow incoming and entry point somewhere in your network with routing rules to reply thru that VPN).

source
- aaravchen@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
  If you’re just trying to do this within your home network, you’re doing what’s called “split DNS”, where the DNS in your home network is different from the global DNS.
  
  I do this for services I host, though usually I can also access them remotely as well, just from a different IP address. The easiest from the TLS certificates (TLS is what gives you the S in HTTPS) is to use DNS-01 challenges for tour LetsEncrypt/ZeroSSL certificate generation.
  
  source
  - TheHobbyist@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
    Thanks for your response. Indeed, this is only for myself within my home network. No split DNS required, the public DNS record mentions my local private IP address which of course will only resolve to my homeserver from within my home network and will not lead anywhere for anyone else from any other network. That’s all what makes this great. Yes, I did the DNS challenge as I mentioned in my OP and retrieved a wildcard certificate for all my local needs :)
    
    source
    -> View More Comments
slazer2au@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
Without posting your config we can’t really do much.

I have a similar setup with Traefik getting a cert for a public domain for my private server but didn’t have any issues.

source