
Possible for domain to point to a docker container? (pfSense)



For the past few days I have been attempting to make it so that if I type in the browser address bar, for example, "nextcloud.home.arpa", pfSense would resolve that domain to a local IP, 10.10.111.3:8666 in this case.

 

I feel it's possible but I can't get it working. I just want to use domains because I can't remember all the IPs and port numbers. Domain override works, but you can't enter port numbers.

Do you have your own domain (like you registered/paid $10/year for it), or you're trying to do it completely free?

 

You have certificates for your domain?

 

3 hours ago, Pstark said:

if I type in the browser address bar, for example "nextcloud.home.arpa"

 

In my experience (which isn't much) that will want a secure connection with a valid SSL/TLS (call it what you want) certificate. It MUST resolve to "httpS" in most browsers or you'll get a warning (even in your own house -- the nerve) :)

 

I have this working (reverse proxy) in pfSense for both local and public and hidden addresses.

 

My time is limited. I'm following this thread.

 

MrGrey.

 

 

 

5 minutes ago, MrGrey said:

Do you have your own domain (like you registered/paid $10/year for it), or you're trying to do it completely free?

You have certificates for your domain?


I'm trying to resolve nextcloud.home.arpa locally, to the docker container. I can access Nextcloud from anywhere via my WAN domain. I want an internal domain.
9 hours ago, Pstark said:

I'm trying to resolve nextcloud.home.arpa locally, to the docker container

You need your home DNS server to resolve that to an IP, and you need your clients (browsers) to use that DNS server. For me, this is the DNS Resolver in pfSense, resolving to the HAProxy frontend.

Further, you need something running at the default web ports on the resolved IP address to proxy that host name to the corresponding docker ip:port. For me this is HAProxy running in pfSense. Without this layer, you can also directly resolve the name to the docker IP, but then you will have to use name:port in the browser.
On 4/25/2023 at 12:10 AM, Pstark said:

Is there a guide to do this?

I don't know of a guide; I had prior experience with HAProxy and looked up whatever I needed help with to set it up. Broadly, I think it means:

1. Change the pfSense web UI port, so that 80/443 are freed up for HAProxy.

2. Install the HAProxy add-on in pfSense. Create a frontend to listen on 80 or 443 on a pfSense IP (let's assume the pfSense IP). Create a backend this frontend routes to. I would start with HTTP to begin with until you understand how it works.

3. Have your local domain resolve to the HAProxy frontend IP (let's assume my.home resolves to the pfSense IP).

4. On the HAProxy backend, create ACLs to map each app-name.my.home subdomain to its respective IP and port wherever that app is running (the docker IP and port in Unraid).

That should resolve app-name.my.home if your clients use pfSense DNS.

In my case, I have a more evolved setup:

- I have a public domain x.com
- I have mapped home.x.com to the HAProxy frontend IP
- I have the ACME plugin in pfSense to issue a wildcard certificate for *.home.x.com from Let's Encrypt. This allows me to set up a proper HTTPS frontend for HAProxy, and this is also why I use a public domain name
- I have an HTTPS frontend running on port 443 using the wildcard certificate. This is how I access my backend apps. All my backend apps are HTTP, so SSL terminates at HAProxy
- I also have an HTTP frontend running on port 80 which simply redirects to HTTPS

Please note my whole setup is intranet only. None of this is exposed to the internet. I use a VPN into my network if I need to access these remotely.

Edited by apandey
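The two pieces apandey describes (the DNS Resolver pointing every app name at pfSense, and HAProxy dispatching on the Host header to each container's ip:port) written out as an added example. This is not code from the thread or from the pfSense HAProxy package, which generates its own config from the GUI; it renders the hand-written equivalent so the four steps above can be read, diffed against what the GUI produced, or run on a plain HAProxy box. The pfSense LAN IP 10.10.111.1, the container host 10.10.111.3, the domain my.home and the app list are assumptions for illustration. Set CERT_PEM to a combined key+certificate PEM (for instance the ACME wildcard) to get the TLS frontend with the 80-to-443 redirect from the fuller setup; leave it unset for the plain HTTP starting point.

```shell
#!/bin/sh
# Added example, not from the thread: renders an haproxy.cfg and the Unbound
# host-override records equivalent to the four steps above.
# Assumptions (illustrative, not from the post): pfSense LAN IP 10.10.111.1,
# apps on 10.10.111.3, domain my.home. CERT_PEM, if set, enables HTTPS.

PFSENSE_IP=${PFSENSE_IP:-10.10.111.1}
CERT_PEM=${CERT_PEM:-}

# Constructed app list: hostname and the docker ip:port it proxies to.
APPS='nextcloud.my.home 10.10.111.3:8666
grafana.my.home 10.10.111.3:3000'

# Step 3: every app name resolves to the HAProxy frontend (pfSense), never to
# the container. Same effect as Services > DNS Resolver > Host Overrides.
unbound_overrides() {
    echo "$APPS" | while read -r host target; do
        printf 'local-data: "%s. IN A %s"\n' "$host" "$PFSENSE_IP"
    done
}

# Step 4: one ACL per Host header, each routed to its own backend. Unknown
# names go to a deny-only backend instead of silently landing on the first app.
host_routing() {
    echo "$APPS" | while read -r host target; do
        name=${host%%.*}
        printf '    acl host_%s req.hdr(host) -i %s\n' "$name" "$host"
        printf '    use_backend be_%s if host_%s\n' "$name" "$name"
    done
    echo '    default_backend be_reject'
}

# Step 2: frontend(s) on the freed-up ports 80/443, plus the backends.
haproxy_cfg() {
    cat <<EOF
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

EOF
    if [ -n "$CERT_PEM" ]; then
        # TLS terminates here; the backends stay plain HTTP (apandey's setup).
        cat <<EOF
frontend apps_http
    bind ${PFSENSE_IP}:80
    http-request redirect scheme https code 301

frontend apps_https
    bind ${PFSENSE_IP}:443 ssl crt ${CERT_PEM}
    http-response set-header Strict-Transport-Security max-age=31536000
EOF
    else
        cat <<EOF
frontend apps_http
    bind ${PFSENSE_IP}:80
EOF
    fi
    host_routing
    echo
    echo "$APPS" | while read -r host target; do
        name=${host%%.*}
        printf 'backend be_%s\n    server %s %s check\n\n' "$name" "$name" "$target"
    done
    printf 'backend be_reject\n    http-request deny\n'
}

# Stand-alone use: ./render.sh render   (validates with haproxy -c if installed)
if [ "${1:-}" = "render" ]; then
    unbound_overrides
    echo
    haproxy_cfg
    if command -v haproxy >/dev/null 2>&1; then
        haproxy_cfg > /tmp/haproxy.test.cfg && haproxy -c -f /tmp/haproxy.test.cfg
    fi
fi
```

Two choices worth keeping when you type this into the GUI instead: the override records point at pfSense, not at 10.10.111.3, so the only path to a container is through the proxy, and there is no catch-all default backend, so a request for a name you did not define gets a 403 rather than whichever app happens to be listed first.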
4 weeks later...
On 4/24/2023 at 9:10 AM, Pstark said:
On 4/22/2023 at 8:42 AM, apandey said:

For me this is haproxy running in pfsense.

Is there a guide to do this?

 

On 4/21/2023 at 11:29 PM, Pstark said:

I'm trying to resolve nextcloud.home.arpa locally, to the docker container.

 

It won't work (in my experience).

If you want pfSense to route local, it will, by default. If you want to "fool" it by not having any way to "publicly" verify a "public" certificate then, well, if you can do it, it's a security flaw.

MrGrey.
11 hours ago, MrGrey said:

If you want pfSense to route local it will, by default. If you want to "fool" it by not having any way to "publicly" verify a "public" certificate then, well, if you can do it, it's a security flaw.

home.arpa is not a public TLD, so you need to use a self-signed certificate. Since you are signing your own, you need to add the root signing cert to the trust store of the clients (which should all be under your own control inside the home network). The verification will work fine, and serves the trust chain as designed.

If you use a public domain, you can get a publicly trusted certificate from any of the issuers; this is what I do.

If the connection is unencrypted, none of this matters.
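The private trust chain apandey describes for a non-public name, as an added example that is not part of the thread: a root CA you control signs a wildcard certificate for *.home.arpa, a client that has ca.crt in its trust store verifies that certificate for nextcloud.home.arpa, and a client without it (or one presented the certificate under a name outside the wildcard) rejects it, which is the check MrGrey is worried about and the reason the root must be distributed to every client you own. It needs openssl 1.1.1 or later; the subject names, file names and validity periods are illustrative assumptions. The resulting haproxy.pem is in the key+certificate layout HAProxy's `crt` directive expects.

```shell
#!/bin/sh
# Added example, not from the thread: private root CA -> wildcard leaf for
# *.home.arpa -> client-side verification with and without the root trusted.
# Requires openssl >= 1.1.1. Names, paths and lifetimes are illustrative.

WORK=${WORK:-$(mktemp -d)}

# 1. Private root CA. ca.key stays offline; only ca.crt is distributed to
#    clients (browser/OS trust store). req -x509 marks it CA:TRUE by default.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Home Lab Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Leaf for the reverse proxy: wildcard SAN, explicitly not a CA, server
#    auth only. Extensions come from leaf.ext, not from the CSR, so a CSR
#    cannot smuggle in CA:TRUE or a name the signer did not intend.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=*.home.arpa" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf '%s\n' \
        "basicConstraints=CA:FALSE" \
        "keyUsage=critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=DNS:*.home.arpa,DNS:home.arpa" > "$WORK/leaf.ext"
    openssl x509 -req -sha256 -days 825 \
        -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.crt" 2>/dev/null
    # HAProxy's "crt" wants private key and certificate in one PEM file.
    cat "$WORK/leaf.key" "$WORK/leaf.crt" > "$WORK/haproxy.pem"
}

# 3. What a client does. Exit status 0 = chain and hostname verified.
#    $1 is the hostname the browser typed.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

# Same check on a client that never imported ca.crt. -no-CAfile/-no-CApath
# also ignore the system store, so only the public CAs would be missing here.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath -verify_hostname "$1" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

# Stand-alone use: ./trust.sh demo
if [ "${1:-}" = "demo" ]; then
    make_ca && issue_leaf
    verify_with_ca nextcloud.home.arpa    && echo "trusted client: OK"
    verify_without_ca nextcloud.home.arpa || echo "untrusted client: rejected"
    verify_with_ca nextcloud.example.com  || echo "wrong name: rejected"
    echo "files in $WORK"
fi
```

The third outcome is the one that makes a private CA safe to run: a certificate from your own root only ever verifies for names you put in its SAN, so even a client that trusts the root will not accept it for a public site. Keep ca.key off the proxy host; only leaf.key and haproxy.pem need to live on pfSense.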