Hi @wendell, first I wanted to thank you. Lately you have been covering every topic I have been working on / planning for: workstation build, Home Server Series, Zettelkasten (I literally started reading about this topic 2 weeks before I saw it on your YT channel), ... I can say leaving TS was the best thing you ever did.
Now back to the topic. I would say I'm a heavy tinkerer with home workstations, services and proxying. In the last years most of my services have been running in the cloud, and I recently started upgrading toward full at-home hosting, so this thread was perfectly timed.
I am still in the middle of the migration and trying to figure out the best architecture. I will first describe the current architecture that has served me well in the last years, then the new one I am upgrading toward. Hopefully this writeup helps someone; it will probably intersect with the Home Server Series thread.
Table of Contents

1. Current Architecture
   - V1 - Nginx Reverse Proxy + Docker
     - DNSMASQ and Wireguard
   - V2 - Caddy Proxy + Docker
   - Exporting services through TOR
2. Upgrade to home hosting
   - Automated forward service proxying?
1. Current Architecture
V1 - NGINX REVERSE PROXY + DOCKER
Simplified diagram (see Example Scenario below):

```
Docker Services :: NG rev proxy :: Cloud Host (A) -----WG-----( WG PROXY VPN (B) )-----WG-----( OPNsense ) -> HOME
  |dnsmasq           |dnsmasq                            |dnsmasq                                  \__ Laptops, phones ...
                                                                                                   |__ secure machines
```
I was previously a heavy nginx user, especially of the reverse proxy features. I remember around 2012 using the nginx reverse proxy to automatically set up subdomains to host git branches for testing. I also used to manually set up my cloud services and proxy them through nginx. Then Docker appeared and I jumped on the bandwagon right away. WireGuard appeared around the same time; it became the base of my current architecture, which has been serving me for almost 6 years without a single major issue.
My setup gives me safe access to my services from anywhere just by connecting to my VPN proxy (B). Almost everything runs on Docker, and all my machines, including the cloud server, are interconnected with WireGuard. I later discovered nginx-proxy for Docker, and it took proxying services to a whole new level: I could now provision Docker services and have them instantly and automatically proxied through nginx just by adding the right labels to the containers. Everything is connected through WireGuard, from my host server to my home, my phones/laptops, and the friends/family who join my VPN. I also run a separate VPS as a pure VPN to avoid mixing my personal traffic with the traffic generated by the services.
DNSMASQ and Wireguard
I have multiple dnsmasq instances handling name resolution between all my machines as well as the Docker containers that I select.

On Docker, I run a special dnsmasq image which automatically handles name resolution for my Docker containers, so I run one instance for each Docker network that I use for proxying services. The little bit of magic is to name the networks the same way I name my DNS suffixes.

There is another dnsmasq instance on the host itself which does some extra forwarding with my VPN so that my services are reachable.

Then there is the VPN host (B), which also runs dnsmasq. This gives me access to the proxied services as soon as I join my VPN, just by knowing the name of the proxied service plus the domain suffix.

The domain suffixes, with dnsmasq and WireGuard, let me emulate subdomains for my private intranet over the internet.
EXAMPLE SCENARIO

Let's use a calibre service for ebooks as an example. The service name is calibre. Let's also say my DNS suffix for reaching my containers on Docker is wg.services. I create a Docker network named wg.services and run the dnsmasq instance on it. On my phone, after I connect to my VPN, I can just type calibre.wg.services to access my ebook server.
V2 - Using caddy and caddy-docker-proxy
My next update was moving from nginx to Caddy, which is much more minimal and flexible for me and comes with automated Let's Encrypt certificates out of the box. Its minimal size means I can run as many Caddy instances as I need, and I often use it to host static HTML pages as portals to my services. The Caddyfile structure is very simple and can even be generated by code if needed.

The automated proxying is handled by caddy-docker-proxy. It has the same function as nginx-proxy and can handle any Caddy directive that can be written in a Caddyfile.
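As an added example (not configuration from the original post), here is how the calibre scenario above maps onto caddy-docker-proxy labels on a network named after the DNS suffix. The calibre-web image and its port 8083, the caddy-docker-proxy image tag and the wg.services network name are assumptions, not taken from the post.

```yaml
# Added example: docker-compose wiring for the post's calibre.wg.services scenario.
# Assumptions (not from the post): calibre-web image/port 8083, proxy image tag,
# and that the dnsmasq instance for wg.services runs on this same network.
services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    restart: unless-stopped
    ports:
      - "443:443"                 # reachable only over the VPN in the post's design
    environment:
      # Only containers attached to this network are considered for proxying.
      - CADDY_INGRESS_NETWORKS=wg.services
    volumes:
      # Read-only socket: the proxy only needs to list containers and their labels.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - caddy_data:/data
    networks:
      - wg.services

  calibre:
    image: lscr.io/linuxserver/calibre-web:latest
    restart: unless-stopped
    # No "ports:" block: calibre is reachable only through Caddy on the shared network.
    labels:
      caddy: calibre.wg.services                # hostname the phone resolves via dnsmasq
      caddy.reverse_proxy: "{{upstreams 8083}}" # container IP on wg.services, port 8083
      caddy.tls: internal                       # private suffix: no ACME, use Caddy's local CA
    networks:
      - wg.services

networks:
  wg.services:
    name: wg.services   # the network name doubles as the DNS suffix, as in the post

volumes:
  caddy_data:
```

Because wg.services is not a public domain, `tls internal` is what keeps Caddy from trying (and failing) an ACME challenge; clients on the VPN then need to trust Caddy's local root CA.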
Exporting services through TOR
As an extra backup option in case my VPN is down, I started testing exporting services through TOR using docker-tor-hidden-services.

Big advantage: I don't need to worry about SSL or WireGuard. I can just set up strong passwords just in case. Theoretically I should be the only one knowing the onion address, and the traffic is encrypted by default.

I also have a portal to my services through TOR with just a few lines of Caddyfile.
2. Upgrading to home hosting

So I built this Threadripper workstation to host all my services, and I started thinking about a way to safely make them available publicly without exposing my IP. Since a lot of my services are TCP/UDP based and not only HTTP, I need a good multipurpose proxy service.
Automated Forward Service Proxy
My goal is to automate the export of the services running at home to my cloud VPS proxy machine. To do that I need a reverse proxy solution that offers an API, so that I can add a script that updates the proxy when services come up or go down.

So far these are my options:

I am planning to do a progressive migration where I slowly bring services to my home server while experimenting with different options. My choice will boil down to the solution with the least long-term effort.