wazabees Posted September 4, 2020

Hello! I hope I'm posting in the right place - maybe this is a pfSense question.

I am currently trying to assign FQDNs to my docker containers running on my Unraid server. The reason is that I want to switch from exposing my dockers to the internet and instead connect to my LAN through OpenVPN for increased security. I have a pfSense router running my OpenVPN server.

On my pfSense router I have rules to forward HTTP and HTTPS traffic to the NginxProxyManager on Unraid, and it's working as intended with certificates from LetsEncrypt. I have e.g. nextcloud.mydomain.com, piwigo.mydomain.com, freshrss.mydomain.com working perfectly.

However, now that I want to switch to using OpenVPN and remove the pfSense rules to forward HTTP and HTTPS, I still want easy-to-remember FQDNs on my dockers. For instance nextcloud.lan, piwigo.lan and freshrss.lan. I use the DNS resolver on pfSense and I know that DNS does not understand ports. I can easily add a host override and create unraid.lan that points to my Unraid server IP, but I can't wrap my brain around how to create the LAN hostnames/FQDNs I want to use, as the dockers are running on various ports on the same IP. Am I making sense, by the way?

I figured maybe NginxProxyManager could solve this for me, but I have no clue how to get started. My Google-fu has failed me and I mainly find information about how to set up a reverse proxy exposing docker containers to the internet.

Any suggestions would be most helpful!

Disclaimer: I am a networking noob.

Unraid 6.8.3
pfSense 2.4.5-p1
S1dney Posted September 4, 2020

Why don't you put the docker containers on br0 and assign them unique IP addresses so DNS is able to distinguish based on IP. If you want to route traffic to a different port on the same IP you would have to inspect the DNS address queried and route accordingly, which is where a reverse proxy would come into play. The easiest solution for you (that does not require you to dive into the reverse proxy stuff as a networking n00b)
wazabees (Author) Posted September 4, 2020

16 minutes ago, S1dney said:
"Why don't you put the docker containers on br0 and assign them unique IP addresses so DNS is able to distinguish based on IP."

Hm, probably because I had no idea that I could! Thanks, that's a great tip!

17 minutes ago, S1dney said:
"The easiest solution for you (that does not require you to dive into the reverse proxy stuff as a networking n00b)"

Yeah, sometimes I'll go for the easier route, when I just want things to work. Is this the best solution though? Or does a reverse proxy make more sense? I could just assign a unique IP address for NginxProxyManager and let that handle the rest, which would make it a bit easier for me to go back to exposing dockers to the internet in the future, should I want to do that (I'd need to know more about intrusion detection and prevention first..). I must admit that I enjoy poking at stuff for edutainment, but sometimes my other half just wants things to work.
S1dney Posted September 4, 2020

3 hours ago, wazabees said:
"Hm, probably because I had no idea that I could! Thanks, that's a great tip!"

You're welcome.

3 hours ago, wazabees said:
"Is this the best solution though? Or does a reverse proxy make more sense?"

Hahah well you're basically answering yourself. If you were exposing the services to the outside world it would make sense to send the traffic through a reverse proxy so you would only have to open up one port. Another use case for that reverse proxy would be hosting two containers on the host's address that require the same port to function (like the common 80 or 443); the reverse proxy would be able to route traffic to those ports based on hostnames and allow you to use that port for the client application that expects the server to be available on that port.

I have also looked at (or actually implemented) the nginx reverse proxy, but decided just to put the container on a different IP and call it a day. My todo list still has Traefik on it hahah, but too much on there atm.

Also, I can so much relate to this statement hahah:

3 hours ago, wazabees said:
"I must admit that I enjoy poking at stuff for edutainment"

That's why unraid is so much fun! Cheers man.
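The hostname-based routing S1dney describes, written out as a minimal nginx configuration (an added example, not something posted in the thread or generated by NginxProxyManager). It assumes the Unraid host's LAN IP is 192.168.1.10, that each .lan name has a pfSense DNS Resolver host override pointing at that IP, and that the three containers publish the ports listed in the map; all of those values are placeholders.

```nginx
# Added example: one nginx listener on the Unraid LAN IP serves several .lan
# hostnames and forwards each one to the container port behind it.
# DNS side (pfSense > Services > DNS Resolver > Host Overrides), assumed:
#   nextcloud.lan  -> 192.168.1.10
#   piwigo.lan     -> 192.168.1.10
#   freshrss.lan   -> 192.168.1.10
events {}

http {
    # Map the requested Host header to a container address. The ports are
    # assumptions; use the host ports your containers actually publish.
    map $host $backend {
        hostnames;
        nextcloud.lan 127.0.0.1:8080;
        piwigo.lan    127.0.0.1:8081;
        freshrss.lan  127.0.0.1:8082;
        default       "";
    }

    server {
        # Bind only to the LAN address, so nothing is reachable via the
        # WAN-facing interface once the pfSense forwards are removed.
        listen 192.168.1.10:80;
        server_name nextcloud.lan piwigo.lan freshrss.lan;

        # Unknown or raw-IP requests get no backend: drop the connection
        # instead of silently handing them to the first container.
        if ($backend = "") {
            return 444;
        }

        location / {
            proxy_pass http://$backend;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

The proxy can only route by name because the client sends the hostname in the HTTP Host header (or TLS SNI), which is exactly the information plain DNS lacks; for HTTPS on .lan names a public CA such as LetsEncrypt will not issue certificates for a non-public TLD, so you would need an internal CA or keep using real subdomains that resolve to the LAN IP.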