On my Lan I have 192.168.1.111 hosting a bunch of various services not containerized. All connections are done either from my internal lan or from wireguard going through 192.168.1.111 so no external traffic bar wireguard.
I’ve set the host name of 111 in the hosts file inside the router and 111 and it works for all devices expect the ones connecting via wireguard.
But I dont want to have to use hostname+port for every service, I’d like each service to have its own name. I’d also like certs.
Can someone point me in the right direction for what I need to do? I’m thinking maybe this requires a local DNS server which im hesitant to run because im happy using 8.8.8.8.
For certs do I create a single cert on the 192.168.1.111 and then point all the applications to it?
As others have said, reverse proxy. My experience is with Caddy and LetsEncrypt. If you wanted to step it up a couple notches, you could go with Cloudflare tunnels/zero trust. With the latter scenario, you’ll need a domain name that you can change the nameservers to Cloudflare assigned nameservers. With the Cloudflare option, you don’t have to fiddle with ports, UFW, or NAT. Just install on your server and it punches a fully encrypted tunnel.
Reverse proxies! They can redirect based on the dns name used to get to them. This is based on layer 7 data though so just http(s) services and not multiple ssh tunnels for example.
k3s/rke2 (k8s distros) do it automatically with Traefik when you use the gateway or ingres apis
Also for DNS a fun option is sslip.io which lets you do <some service>-192-168-1-10.sslip.io and it redirects to your ip but with a dns name added.
Though your router likely has an easy way to add local entries for dns and also upstream for the rest (i.e. 8.8.8.8)
I have a TP-Link router with OpenWRT and use it to make local DNS entries for my services, like jellyfin.lan and forgejo.lan. I’m also running k3s, which comes with Traefik as a built-in reverse proxy.
What about hosting a homepage with links to all other services ?
You need a thing called reverse proxy. There are many available.
Some suggested nginx, I recommend to give a try to caddy. It’s easier than nginx and includes the certificate management as well.
NPM, Nginx Proxy Manager also has a UI and certificate management.
I would consider zoraxy.
https://github.com/tobychui/zoraxy
Single go binary, works on Windows natively if you need that and somewhat more feature rich than npm (if your not custom writing configs)
Currently using nginx-proxy-manager for exactly this purpose. Nice and easy-to-use UI, including automatic LetsEncrypt ssl certificates :)
+1 for caddy, I’ve been using it in my homelab for years and the configuration is just trivial
Nginx proxy manager can help you with all of that.
basically want a domain name that you can use to subdomain each service off.
E.g:
https://service1.auth.local/ -> proxies your first service (192.168.1.111:4567)
Https:/service2.auth.local -> proxies to the second (192.168.1.123:9876) And so on.
If you purchase an actual domain name, you can get letencrypt certs via nginx proxy manager, and it all works very smoothly.
Ok thanks ill give that ago tonight. I never would have thought of a proxy manager.
Traefik’s configs are a little less cumbersome if you’re managing a lot of services.
I used nginx proxy manager for a while. Nowadays I use caddy, and I wouldn’t want to look back. It has no gui but a caddyfile. It works much smoother for me.
You can of course do it manually with plain nginx, it’s just a little more effort. Good luck :)
deleted by creator
You can use mDNS so you don’t have to type IP address.
To do this properly, you’ll need to set up a reverse proxy that publishes your different ports on different IP addresses.
Then you can use DNS or (locally) a hosts file for name resolution.Yes, reverse proxy, but you don’t want to publish on different IP addresses. Your services should bind to one IP, different ports, and the reverse proxy accepts it all on 443 and routes it based on the host header.
I use traefik for this, set labels in the docker compose and it Just Works. It also gets certs for me based on the acme DNS challenge. Some people use caddy instead of traefik and they seem happy with it.
Ideally the services should only bind to localhost and not 0.0.0.0 or similar as well. Allowing both proxied and non-proxied requests will 99/100 times cause problems, and then one time it doesn’t it is just confusion for no benefit.
First off, get of for DNS!!! Use 9.9.9.9 (quad9) or DNS.watch for God’s sake! Even 1.1.1.1 is better!
I live in a remote country and the other providers are slow. I could switch to cloudflare i guess
Dns.watch is global as is quad9. Says available in 110 countries
Why?
Yeah, i assume you’re like a lot of other people where you don’t want everything you do to be tracked online. The service from Google is functional and all, by not trustworthy.
You can adjust this on your device (per device) or on your home modem/router/gateway, etc to cover all devices. Keeps Google, MS, Apple, ISP from tracking all online queries for all devices.
You can go one step further andd block all outgoing requests from all devices over port 53 and leave your router configured to do them all, then just configure you’re DHCP settings to use your gateway (like 192.168.1.1) for both gateway and DNS
I think they’re complaining any Google DNS. It’s just a privacy matter. Google will heavily track your DNS requests
Can also use mullvad’s DNS, it’s free
This would be done either via a reverse proxy (for public access via a domain you own, ex: service1.reticulatedpasta.com), or via a local DNS server if only being accessed via LAN without a signed SSL cert. For a reverse proxy, I use caddy which also manages SSL certs.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CA (SSL) Certificate Authority DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol NAT Network Address Translation SSL Secure Sockets Layer, for transparent encryption nginx Popular HTTP server
7 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.
[Thread #113 for this comm, first seen 24th Feb 2026, 01:20] [FAQ] [Full list] [Contact] [Source code]
Certificates can have multiple usages and you didn’t specify the purpose in your case. A certificate is not necessarily tied to an IP or even a server. However, if you want to authenticate the server with a certificate, you will need the IP address to be resolved by a DNS. So, you should clarify what you actually want to accomplish. Do you expect your certificates to be self-signed or signed by a certification authority? A certification authority cannot validate a private IP address.
Sorry, a cert for https because im sick of the annoying browser warning. Self signed is fine and I can use certbot for that I believe.
You already have a self-signed cert. That’s why you get the warning.
self-signed won’t get rid of any warnings, it will just replace “warning this site is insecure” with “warning this site uses a certificate that can’t be validated”, no real improvement. What you need is a cert signed by an actual certificate authority. Two routes for that:
-
Create your own CA. This is free, but a PITA since it means you have to add this CA to every single device you want to be able to access your services. Phones, laptops, desktops, etc.
-
Buy a real domain, and then use it to generate real certs. You have to pay for this option ($10-20/year, so not a lot), but it gets you proper certs that will work on any device. Then you need to set up a reverse proxy (nginx proxy manager was mentioned in another post, that will work), configure it to generate a wildcard cert for your domain using DNS-01 challenge, and then apply that cert to all of your subdomains. Here’s a pretty decent video that walks you through the process: https://m.youtube.com/watch?v=TBGOJA27m_0
.uk domains are very cheap, $5ish AUD, which is ~2.5usd.
-
DNS?
