Hosting multiple services with one IP address.

Submitted ⁨⁨3⁩ ⁨days⁩ ago⁩ by ⁨a_person@piefed.social⁩ to ⁨selfhosted@lemmy.world⁩

Hello people, I recently rented a vps server from OVH and I want to start hosting my own piefed instance and a couple other services. I am running debian 13 with docker, and I have nginx proxy manager almost set up. I want to set up subdomains so when I do social.my.domain it will go to my piefed instance, but how do I tell the machine to send piefed traffic to this subdomain and joplin traffic (for example) to another domain? Can I use nginx/docker natively for that or do I have to install another program. Thanks for the advice.

source

Comments

Sort:hotnew top

just_another_person@lemmy.world ⁨3⁩ ⁨days⁩ ago
It’s called a Reverse Proxy. The most popular options are going to be Nginx, Caddy, Traefik, Apache (kinda dated, but easy to manage), or HAProxy if you’re just doing containers.

source
- cecilkorik@lemmy.ca ⁨3⁩ ⁨days⁩ ago
  FWIW I don’t find Apache dated at all. It’s mature software, yes, but it’s also incredibly powerful and flexible, and regularly updated and improved. It’s probably not the fastest by any benchmark, but it was never intended to be. It’s an “everything and the kitchen sink” web server, and I don’t think that’s always the wrong choice. Personally, I find Apache’s litlte-known and perhaps misleadingly named Managed Domains (mod_md/MDomain) by far the easiest and clearest way to automatically manage and maintain SSL certificates, it’s really nice and worth looking into if you use Apache and are using any other solution for certificate renewal.
  
  source
  - just_another_person@lemmy.world ⁨3⁩ ⁨days⁩ ago
    I’ll be honest with you here, Nginx kind of ate httpd’s lunch 15 years ago, and with food reason.
    
    It’s not that httpd is “bad”, or not useful, or anything like that. It’s that it’s not as efficient and fast.
    
    The Apache DID try to address this awhile back, but it was too late. All the better features of nginx just kinda did httpd in IMO.
    
    Apache is fine, it’s easy to learn, there’s a ton of docs around for it, but a massively diminished userbase, meaning less up to date information for new users to find in forums in the like.
    
    source
    -> View More Comments
- kumi@feddit.online ⁨3⁩ ⁨days⁩ ago
  
  HAProxy if you’re just doing containers
  
  What makes you say that? HAProxy a very competent, flexible, performant and scalable general proxy. The more container-oriented would be Traefik.
  
  source
  - just_another_person@lemmy.world ⁨3⁩ ⁨days⁩ ago
    HAProxy is not meant for complex routing or handling of endpoints. It’s a simple service for Load Balancing or proxying alone. All the others have better features otherwise.
    
    source
    -> View More Comments
- mic_check_one_two@lemmy.dbzer0.com ⁨3⁩ ⁨days⁩ ago
  Yup. The reverse proxy takes http/https requests from the WAN, and forwards them to the appropriate services on your LAN. It will also do things like automatically maintain TLS certificates, so https requests can be validated. Lastly, it can usually do some basic authentication or group access stuff. This is useful to ensure that only valid users or devices are able to reach services that otherwise don’t support authentication.
  
  So for example, let’s say you have a service called ExampServ running on 192.168.1.50:12345. This port is not forwarded, and the service is not externally available on the WAN without the reverse proxy.
  
  Now you also have your reverse proxy service, listening on 192.168.1.50:80 and 192.168.1.50:443… Port 80 (standard for http requests) and 443 (standard for https requests) are forwarded to it from the WAN. Your reverse proxy is designed to take requests from your various subdomains, ensure they are valid, upgrade them from http to https (if they originated as http), and then forward them to your various services.
  
  So maybe you create a subdomain of exampserv.example.com, with an A-NAME rule to forward to your WAN IPv4 address. So any requests for that subdomain will hit ports 80 (for http) or 443 (for https) on your WAN. These http and https requests will be forwarded to your reverse proxy, because those ports are forwarded. Your reverse proxy takes these requests. It validates them (by upgrading to https if it was originally an http request, verifying that the https request isn’t malformed, that it came from a valid subdomain, prompting the user to enter a username and password if that is configured, etc.)… After validating the request, it forwards the traffic to 192.168.1.50:12345 where your ExampServ service is running.
  
  Now your ExampServ service is available internally via the IP address, and externally via the subdomain. And as far as the ExampServ service is concerned, all of the traffic is LAN, because it’s simply communicating with the reverse proxy that is on the same network. The service’s port is not forwarded directly (which is a security risk in and of itself), it is properly gated behind an authentication wall, and the reverse proxy is ensuring that all requests are valid https requests, with a proper TLS handshake. And (most importantly for your use case), you can have multiple services running on the same device, and each one simply uses a different subdomain in your DNS and reverse proxy rules.
  
  source
nutbutter@discuss.tchncs.de ⁨3⁩ ⁨days⁩ ago
In your DNS settings, from your domain provider, add all the A and AAAA records for the sub domains you want to use. So, when someone hits the port 443 using one of those domains, your Nginx Proxy Manager will decide which service to show to the client based on the domain.

how do I tell the machine to send piefed traffic to this subdomain

Configure your Nginx Proxy Manager. It should be using port 80 for HTTP, port 443 for HTTPS and another port for its WebUI (8081 is default, iirc).

So, if I type piefed.yourdomain.com in my address bar, the DNS tells my browser your IP, my browser hits your VPS on port 443, then Nginx Proxy Manager automatically sees that the user is requesting piefed, and will show me piefed.

For the SSL certificates, you can either generate a new certificate for every subdomain, or use a wild card certificate which can work on all subdomains.

source
frongt@lemmy.zip ⁨3⁩ ⁨days⁩ ago

how do I tell the machine to send piefed traffic to this subdomain and joplin traffic (for example) to another domain

You don’t send traffic to domains. You point all the domains to one host, and on that host, set up a reverse proxy like nginx, caddy, or traefik, and then configure HTTP routing rules. That proxy can run in docker. I use traefik and it does all the routing automatically once I add labels to my docker-compose file.

source

Decronym@lemmy.decronym.xyz ⁨3⁩ ⁨days⁩ ago

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
HTTP	Hypertext Transfer Protocol, the Web
HTTPS	HTTP over SSL
IP	Internet Protocol
NAT	Network Address Translation
SSL	Secure Sockets Layer, for transparent encryption
VPS	Virtual Private Server (opposed to shared hosting)
nginx	Popular HTTP server

[Thread #1001 for this comm, first seen 14th Jan 2026, 02:55] [FAQ] [Full list] [Contact] [Source code]

source

kumi@feddit.online ⁨3⁩ ⁨days⁩ ago
The right nginx config will do this. Since you already have Nginx Proxy Manager, you shouldn’t need to introduce another proxy in the middle just for this.

source
kaotic@lemmy.world ⁨3⁩ ⁨days⁩ ago
I use Nginx Proxy Manager for this.

source
deadcade@lemmy.deadca.de ⁨3⁩ ⁨days⁩ ago
The job of a reverse proxy like nginx is exactly this. Take traffic coming from one source (usually port 443 HTTPS) and forward it somewhere else based on things like the (sub)domain. A HTTPS reverse proxy often also forwards the traffic as HTTP on the local machine, so the software running the service doesn’t have to worry about ssl.

Be sure to get yourself a firewall on that machine. VPSes are usually directly connected to the internet without NAT in between. If you don’t have a firewall, all internal services will be accessible, stuff like databases or the internal ports of the services you host.

source
- kossa@feddit.org ⁨3⁩ ⁨days⁩ ago
  
  all internal services will be accessible
  
  What? Only when they are configured to listen on outside interfaces. Which, granted, they often are in default configuration, but when OP uses Docker on that host, chances are kinda slim that they run some rando unconfigured database directly. Which still would be password or authentication protected in default config.
  
  I mean, it is never wrong slapping a firewall onto something, I guess. But OTOH those “all services will be exposed and evil haxxors will take you over” is also a disservice.
  
  source
  - deadcade@lemmy.deadca.de ⁨3⁩ ⁨days⁩ ago
    I’ve seen many default docker-compose configurations provided by server software that expose the ports of stuff like databases by default (which exposes it on all host interfaces). Even outside docker, a lot of software, has a default configuration of “listen on all interfaces”.
    
    I’m also not saying “evil haxxors will take you over”. It’s not the end of the world to have a service requiring authentication exposed to the internet, but it’s much better to only expose what should be public.
    
    source
    -> View More Comments
- a_person@piefed.social ⁨3⁩ ⁨days⁩ ago
  What service would you recommenced for firewall. The firewall I use on my laptop is ufw, should I use that on the vps or is their a different service that works better?
  
  source
  - kumi@feddit.online ⁨3⁩ ⁨days⁩ ago
    Firewalld.
    
    sudo apt-get install firewalld systemctl enable --now firewalld # ssh on port 22 opened but otherwise most things blocked by default firewall-cmd --get-active-zones firewall-cmd --info-zone=public firewall-cmd --zone=public --add-port=1234/tcp firewall-cmd --runtime-to-permanent
    
    There are some decent guides online. Also take a look in /etc/firewalld/firewalld.conf and see if you want to change anything.
    
    You need to know about zones, ports, and interfaces for the basics. Services are optional. Policies are more advanced.
    
    source
  - deadcade@lemmy.deadca.de ⁨3⁩ ⁨days⁩ ago
    UFW works well, and is easy to configure. UFW is a great option if you don’t need the flexibility (and insane complexity) that manually managing iptables rules offers,
    
    source
    -> View More Comments
  - K3can@lemmy.radio ⁨3⁩ ⁨days⁩ ago
    ufw is just a fancy frontend for iptables, but hasn’t been updated for nftables, yet.
    
    Firewalld is an option that supports both, and if you happen to be running cockpit as well, the cockpit-firewall plugin provides a simple GUI for the whole thing.
    
    source
voodooattack@lemmy.world ⁨3⁩ ⁨days⁩ ago
If your goal is ease if use and scaling complexity along with your experience, and you’re planning to use Docker like you mentioned, then I recommend Traefic: doc.traefik.io/traefik/

If not, then I recommend Caddy or nginx.

source
Foofighter@discuss.tchncs.de ⁨3⁩ ⁨days⁩ ago
I’m not using socker myself but npm and other services in proxmox containers and VMs. The concept is the same though.

NPM allows you to define a host, which needs to be the subdomain name, allows NPM to know how to handle and serve requests to said domain. In you case this would be the full social.my.domain. Additionally you need to set the local ip /port of the service you’re hosting. You can also use a local host name, which makes it easier to move services to other ips, which probably doesn’t happen often.

Finally HTTPs, SSL, TLS should be configured. This can be tricky if you don’t have specific instructions but should not be neglected!

source