Multiple websites from one server, and one IP address.

BykowskiOlaf

Hi everyone, I have quite a specific issue I need to figure out. I want to access 3 things from my .dev domain (Google Domains). I want to:
  • Access a website hosted with nginx (not yet ready, so I'll need it in the future) through 'charlieschocolatefactory.dev' (NOTE: not my real domain name.)
  • Access the Nextcloud jail through 'cloud.charlieschocolatefactory.dev'
  • If possible, access the MineOS jail GUI through 'mc.charlieschocolatefactory.dev'
So far I've set up a type "A" DNS record on Google Domains with host name 'cloud.mydomain.dev' pointing to my server at 1.2.3.4. I've tried using certbot to generate a certificate using this guide in the Nextcloud jail, but came up with this:
The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot

I'm not sure if what I'm doing is even possible, and so any guidance on this would be very appreciated.

Thanks in advance!
 

Jailer

You're going to have to set up a reverse proxy and use it for SSL termination with a wildcard certificate. There are multiple ways of doing this, so how you go about it is up to you. I set mine up with nginx in a jail and use certbot and separate certificates for each subdomain, since wildcard domains weren't available when I initially set mine up.
 

danb35

First, how you'd secure Nextcloud depends on how you installed it. If you used the best method, in my totally humble and unbiased opinion, then it handles the certificate for you--just forward ports 80/443 to that jail, have appropriate DNS entries made, and it takes care of the rest. You can, if you like, put that behind a separate reverse proxy, or you can use the Caddy installation in that jail as a reverse proxy for your website and mineos jail.
 

BykowskiOlaf

First, how you'd secure Nextcloud depends on how you installed it. If you used the best method, in my totally humble and unbiased opinion, then it handles the certificate for you--just forward ports 80/443 to that jail, have appropriate DNS entries made, and it takes care of the rest. You can, if you like, put that behind a separate reverse proxy, or you can use the Caddy installation in that jail as a reverse proxy for your website and mineos jail.
I haven't unfortunately :'(( , I'll give it a shot next time I install Nextcloud. And I've been looking into this and have some questions, if I may.
  • I recently saw that you can assign multiple IPs to a single NIC; would that be a route worth going down?
  • Is there any way to make additional IPs for my machine and 'pass' them to the jails so they can use them? I think this would eliminate a lot of my trouble when it comes to setting up the DNS.
  • And if not, is it a lot of hassle to reinstall Nextcloud using your script?
  • Also, how can I have it so I don't need to specify ports in the browser? If I only have one public IP, how can I use ports 80 and 443 for all the servers at once? Is that something that nginx/Caddy can do?

Sorry if these questions are trivial or stupid, I'm just getting into networking and sysadmin stuff.

Thanks for the quick response!
 

BykowskiOlaf

You're going to have to set up a reverse proxy and use it for SSL termination with a wildcard certificate. There are multiple ways of doing this, so how you go about it is up to you. I set mine up with nginx in a jail and use certbot and separate certificates for each subdomain, since wildcard domains weren't available when I initially set mine up.
Hi, I'm not really understanding the wildcard domains. From what I read (here & here), you can use them if you're not sure what domain the user will be using to access the resources you're hosting. In my problem, I have a known domain I want to use, but multiple servers from one IP. If I can somehow use them, and you could please explain further, I'd be grateful.

Thanks for your time!
 

danb35

Yes, it's possible to assign multiple IP addresses to a single NIC, and in theory possible to have multiple public IP addresses from your ISP (though in practice the latter is likely either impossible or expensive)--but that really isn't necessary or even beneficial. The solution to that, as well as the question about ports, is to use a reverse proxy. It's best IMO, if possible, for that to be on your router--for example, pfSense has HAProxy available, and OPNsense has both that and Caddy. Failing that, you can run it on another machine, in a VM on your NAS, or in a jail on your NAS. You then, on your router, forward ports 80/443 to wherever you're running the reverse proxy.

The reverse proxy then takes incoming HTTP/HTTPS requests and forwards them--based on name and/or path--to the appropriate internal IP/port/path. It also generally handles obtaining and renewing TLS certs and encryption/decryption.

I use Caddy on my OPNsense box as a reverse proxy. If you want to run it on your NAS, I have a script for that too:
 
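To make the name-based forwarding concrete, here is an added example Caddyfile (not from the thread or from danb35's script) covering the three hostnames in the original post. The internal jail addresses and the MineOS port are placeholders I assumed; Caddy requests and renews a certificate per site name on its own, which only works once the router forwards ports 80/443 to the host running Caddy.

```caddyfile
# Added example, not from the thread. One public IP, three names, one listener
# on 443: Caddy picks the backend from the Host/SNI name of each request.
# Backend addresses below are assumed private IPs of the jails.

charlieschocolatefactory.dev {
    # Main website served by the nginx jail (assumed 192.168.1.10, plain HTTP
    # inside the LAN; TLS is terminated here, at the proxy)
    reverse_proxy 192.168.1.10:80
}

cloud.charlieschocolatefactory.dev {
    # Nextcloud jail (assumed 192.168.1.11). Caddy keeps the original Host
    # header and adds X-Forwarded-For / X-Forwarded-Proto by default, which
    # Nextcloud needs to build correct https:// URLs behind a proxy.
    reverse_proxy 192.168.1.11:80
}

mc.charlieschocolatefactory.dev {
    # MineOS web UI (assumed to listen on HTTPS 8443 with a self-signed cert).
    # Skipping verification is only tolerable because this hop stays inside
    # the jail network; pinning the UI's cert with tls_trusted_ca_cert is safer.
    reverse_proxy https://192.168.1.12:8443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}
```

Each name also needs its own A record (or a CNAME to the first) pointing at the single public IP, and Nextcloud's config.php must list the proxy's internal address in trusted_proxies and the hostname in trusted_domains, otherwise it will reject or mis-link requests that arrive via the proxy.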

BykowskiOlaf

Wow, you really have a script for everything. Okay, I'm not looking to buy a new router as budget is tight right now, but maybe in the future; what would you recommend? But I'll give your script a go. I'll post updates if I encounter any problems.
 

danb35

For a router, first, I like to separate the function of the network router from that of the wireless access point--that way, upgrades to the one are independent from upgrades to the other. For the latter function, I've been happy with Unifi access points for a number of years, particularly with the ability to put multiple access points on the same network and have them easily work together. They do require network controller software to set them up, but that can run in a jail on your NAS, if you like. Another option would be used Ruckus access points with the Unleashed firmware. They also work well in a multi-AP setup, but without the need for a dedicated controller. But they're pricey, even used.

For the router itself, I've long been using an x86 computer running routing software, and there are lots of options there. I'm currently using OPNsense, having moved from pfSense; some discussion of that change is here: https://www.truenas.com/community/threads/pfsense-vs-opnsense.75837/ Other than pfSense, other options would include Nethserver 7 and Mikrotik's RouterOS, among no doubt others. Some more information here: https://www.youtube.com/watch?v=0bTjibLYSOo

For the hardware, any of those options would run on pretty much any commodity PC, but I've been using small, fanless mini-PCs for a while. I'm currently using this one:
 