I have a few selfhosted services, but I’m slowly adding more. Currently, they’re all in subdomains like linkding.sekoia.example etc. However, that adds DNS records to fetch and means more setup. Is there some reason I shouldn’t put all my services under a single subdomain with paths (using a reverse proxy), like selfhosted.sekoia.example/linkding?

  • I prefer subdomains, personally. A lot of services expect to run on the root of the web server, so although you can sometimes configure them to use a path, it’s kind of a pain.

    Also, migrating services from one server to another will be a lot easier with subdomains since all you have to do is change the A and AAAA records. I use ZeroTier for a lot of my services, and that’s really nice since, even if I move a container to another machine, the container’s ZeroTier IP address will stay the same, so I don’t even need to update DNS. With paths, migration would involve a lot more work.

  •  dan   ( @dan@lemm.ee ) 
    link
    fedilink
    181 year ago

    The only problem with using paths is the service might not support it (ie it might generate absolute URLs without the path in, rather than using relative URLs).

    Subdomains is probably the cleanest way to go.

  • Try not to use paths, you’ll have some weird cross-interactions when two pieces of software set the same cookie (session cookies for example), which will make you reauthenticate for every path.

    Subdomains are the way to go, especially with wildcard DNS entries and DNS-01 letsencrypt challenges.

  •  Midas   ( @midas@ymmel.nl ) 
    link
    fedilink
    10
    edit-2
    1 year ago

    I’ve kinda been trimming the amount of services I’ve exposed through subdomains, it grew so wild because it was pretty easy. I’d just set a wildcard subdomains to my ip and the caddy reverse proxy created the subdomains.

    Just have a wildcard A record that points *. to your ip address.

    Even works with nested domains like “home.” and then “*.home”

  • Depends on the usage and also service. I’m using subfolders for all my Tasmota switches. Like https://switch.domain.org/garage this makes it easier to maintain because I don’t need to mess around with a new subdomain for ever new device. On the other side, I like unique services on a subfomain: video or audio. I can switch the application behind, but the entry point remains.

  • Everyone is saying subdomains so I’ll try to give a reason for paths. Using subdomains makes local access a bit harder. With paths you can use httpS://192etc/example, but if you use subdomains, how do you connect internally with https? Https://example.192etc won’t work as you can’t mix an ip address with domain resolution. You’ll have to use http://192etc:port. So no httpS for internal access. I got around this by hosting adguard as a local DNS and added an override so that my domain resolved to the local IP. But this won’t work if you’re connected to a VPN as it’ll capture your DNS requests, if you use paths you could exclude the IP from the VPN.

    Edit: not sure what you mean by “more setup”, you should be using a reverse proxy either way.

    • You’ll have to use http://192etc:port. So no httpS for internal access

      This is not really correct. When you use http this implies that you want to connect to port 80 without encryption, while using https implies that you want to use an ssl connection to port 443.

      You can still use https on a different port, Proxmox by default exposes itself on https://proxmox-ip:8006 for example.

      Its still better to use (sub)domains as then you don’t have to remember strings of numbers.

      • I understand, though if the services you’re hosting are all http by themselves, and https due to a reverse proxy, if you attempt to connect to the reverse proxy it’ll only serve the root service. I’m not aware of a method of getting to subdomains from the reverse proxy if you try to reach it locally via ip.

        • Generally a hostname based reverse proxy routes requests based on the host header, which some tools let you set. For example, curl:

          curl -H 'Host: my.local.service.com' http://192.168.1.100
          

          here 192.168.1.100 is the LAN IP address of your reverse proxy and my.local.service.com is the service behind the proxy you are trying to reach. This can be helpful for tracking down network routing problems.

          If TLS (https) is in the mix and you care about it being fully secure even locally it can get a little tricky depending on whether the route is pass through (application handles certs) or terminate and reencrypt (reverse proxy handles certs). Most commonly you’ll run into problems with the client not trusting the server because the “hostname” (the LAN IP address when accessing directly) doesn’t match what the certificate says (the DNS name). Lots of ways around that as well, for example adding the service’s LAN IP address to the cert’s subject alternate names (SAN) which feels wrong but it works.

          Personally I just run a little DNS server so I can resolve the various services to their LAN IP addresses and TLS still works properly. You can use your /etc/hosts file for a quick and dirty “DNS server” for your dev machine.

    • Edit: not sure what you mean by “more setup”, you should be using a reverse proxy either way.

      I’m using cloudflare tunnels (because I don’t have a static IP and I’m behind a NAS, so I would need to port forward and stuff, which is annoying). For me specifically, that means I have to do a bit of admin on the cloudflare dashboard for every subdomain, whereas with paths I can just config the reverse proxy.

    • I got around this by hosting adguard as a local DNS and added an override so that my domain resolved to the local IP. But this won’t work if you’re connected to a VPN as it’ll capture your DNS requests

      Why didn’t you use your hosts file?

      • That would also work, though I also wanted other devices like my mobile and tv to work the same way while at home. With mobile, setting DNS for the Wi-Fi network means it’ll access local while at home and via cloudflared while roaming, without having to log out and in on apps to change the server address.