Hello people, I recently rented a vps server from OVH and I want to start hosting my own piefed instance and a couple other services. I am running debian 13 with docker, and I have nginx proxy manager almost set up. I want to set up subdomains so when I do social.my.domain it will go to my piefed instance, but how do I tell the machine to send piefed traffic to this subdomain and joplin traffic (for example) to another domain? Can I use nginx/docker natively for that or do I have to install another program. Thanks for the advice.
You must log in or # to comment.
In your DNS settings, from your domain provider, add all the A and AAAA records for the sub domains you want to use. So, when someone hits the port 443 using one of those domains, your Nginx Proxy Manager will decide which service to show to the client based on the domain.
how do I tell the machine to send piefed traffic to this subdomain
Configure your Nginx Proxy Manager. It should be using port 80 for HTTP, port 443 for HTTPS and another port for its WebUI (8081 is default, iirc).
So, if I type piefed.yourdomain.com in my address bar, the DNS tells my browser your IP, my browser hits your VPS on port 443, then Nginx Proxy Manager automatically sees that the user is requesting piefed, and will show me piefed.
For the SSL certificates, you can either generate a new certificate for every subdomain, or use a wild card certificate which can work on all subdomains.
The job of a reverse proxy like nginx is exactly this. Take traffic coming from one source (usually port 443 HTTPS) and forward it somewhere else based on things like the (sub)domain. A HTTPS reverse proxy often also forwards the traffic as HTTP on the local machine, so the software running the service doesn’t have to worry about ssl.
Be sure to get yourself a firewall on that machine. VPSes are usually directly connected to the internet without NAT in between. If you don’t have a firewall, all internal services will be accessible, stuff like databases or the internal ports of the services you host.
all internal services will be accessible
What? Only when they are configured to listen on outside interfaces. Which, granted, they often are in default configuration, but when OP uses Docker on that host, chances are kinda slim that they run some rando unconfigured database directly. Which still would be password or authentication protected in default config.
I mean, it is never wrong slapping a firewall onto something, I guess. But OTOH those “all services will be exposed and evil haxxors will take you over” is also a disservice.
I’ve seen many default docker-compose configurations provided by server software that expose the ports of stuff like databases by default (which exposes it on all host interfaces). Even outside docker, a lot of software, has a default configuration of “listen on all interfaces”.
I’m also not saying “evil haxxors will take you over”. It’s not the end of the world to have a service requiring authentication exposed to the internet, but it’s much better to only expose what should be public.
Yep, fair. Those docker-composes which just forward the ports to the host on all interfaces should burn. At least they should make them 127.0.0.1 forwards, I agree.