This works best for those who have either a static IP address or a long lease. We have never seen our WAN IP change and we do not pay for a static IP. Just in case that happens, I have DDNS set up to automatically update the IP address.
For this setup, I'll be sticking to Nginx Proxy Manager for keeping track of our hosts and SSL certificates. I found it to be the most user-friendly application for this purpose. More specifically, I use the jlesage/docker-nginx-proxy-manager Docker image.
I want to preface this by saying that it is best to run Nginx Proxy Manager on a dedicated machine, VM, container or the like. This way we have access to ports 80 and 443 on the machine, so we won't have any port conflicts. Ports 80 and 443 are the ONLY ports we have to expose on our router to get this set up and working. This allows us to create more services on our network and expose them to the internet WITHOUT opening more ports for those services to be accessed remotely. Pretty rad, isn't it?
Another thing to note is that if this machine goes down, all of the hosts will go down with it. That's a good reason to separate this from your other shenanigans.
I run Nginx Proxy Manager on a Raspberry Pi but I won't be discussing that aspect of the setup.
Nginx Proxy Manager works in conjunction with Docker. Docker allows us to install services and applications and assign ports during installation. These ports are what we use to route our traffic when exposing them using Nginx Proxy Manager. This guide assumes you already know how to use Docker. It's important that you understand the fundamentals and basics of Docker before moving forward.
Begin by executing the following compose command. I use Portainer for easier management, but you can just as easily toss the compose file on your machine and run docker-compose up -d.
I've set up my Portainer instance to run on port 9000.
After a fresh install, use the following credentials to log in:
- Email address:
You should immediately change the login credentials before moving forward.
I've configured my router to assign a static IP address to the Raspberry Pi. It is configured to run on IP 10.0.0.31.
So in my case I have to forward ports 80 and 443 to 10.0.0.31 in my router. I assume you already knew this but just in case...
Here you can see I added 3 rules, for ports 22, 80 and 443, pointing to the IP of the machine Nginx Proxy Manager is hosted on. Only the 80 and 443 rules are needed for this setup. Now, from here on out, Nginx Proxy Manager will act as our "pseudo router", where we only need to route traffic by domain name rather than opening more ports.
- Log into your Google Domains dashboard, go to the DNS page and click Manage under Dynamic DNS
- Select Type A
- Put your domain name in
- Add your WAN IP. You could also use ipconfig.me
- Save the record.
For this part, we have to have a service in mind that we want to expose. It's best to only expose services that have authentication, such as Bitwarden.
Take note of the docker host IP and the port Bitwarden is running on.
In Nginx Proxy Manager go to Hosts
Click on Add Proxy Host button (upper right)
NOTICE: The Domain Name is the domain we set up in Google Domains. We are forwarding the domain to the IP of our Bitwarden/Docker host on port 8977.
Click SSL at the top to request an SSL certificate, then click where it says "None" to drop down and select "Request a new SSL Certificate".
Now tick the box to agree to the Let's Encrypt ToS. Then click Save.
When it's finished, it will close and take you to the dashboard. You will have to go back into this menu under SSL and enable "Force SSL" for this Host. This will ensure that your domain is only accessed over HTTPS no matter how it is typed into the address bar.
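To confirm that Force SSL is actually in effect, request the host over plain HTTP without following redirects and inspect the answer. The script below is an added example, not part of the original guide or of Nginx Proxy Manager; the host name vault.example.com and the sample responses are constructed placeholders.

```python
import http.client
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

# Constructed sample responses (not captured from a real host).
SAMPLES = {
    "forced": (301, {"Location": "https://vault.example.com/"}),
    "not_forced": (200, {"Content-Type": "text/html"}),
    "wrong_host": (301, {"Location": "https://other.example.net/"}),
}


def check_force_ssl(host, status, headers):
    """Return the problems found in the answer to GET http://host/.

    An empty list means the plain-HTTP request was bounced to HTTPS
    on the same host name, which is what "Force SSL" should produce.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if status not in REDIRECT_CODES:
        return [f"status {status}: no redirect to HTTPS"]
    location = headers.get("location", "")
    target = urlsplit(location)
    problems = []
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location!r}")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"redirect leaves the host: {location!r}")
    return problems


def fetch_plain_http(host, timeout=5):
    """GET http://host/ on port 80; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python check_force_ssl.py your.domain [another.domain ...]
    for name in sys.argv[1:]:
        found = check_force_ssl(name, *fetch_plain_http(name))
        print(name, "OK" if not found else "; ".join(found))
```

Run it from outside your network against each proxied domain; a host that still answers on port 80 without redirecting has Force SSL switched off.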
Now that we have established that our root domain is pointing to our WAN IP, we can add more records using subdomains and CNAMEs. Each record from here forward will be added as a CNAME derived from our A record. This way, if our WAN IP ever does change, all we have to do is change the IP on the A record we made and all of our CNAMEs will inherit the new IP.
You will discover when using Nginx Proxy Manager that some apps, like Bitwarden, require HTTPS to be enabled to work properly. As you tinker with it, you will learn things like this and it will make more sense how things work.
You can support the Nginx Proxy Manager developer on the original GitHub page.