The internet can feel like it's built for speed. You join a new service and you're presented with a feed. The name tells you all you need to know. The feed is the actor. You are the thing that is acted upon. You don't control the feed. Your role is
  • ohshit604@sh.itjust.worksEnglish
    1·
    3 hours ago

    While i appreciate the detailed response here i did make another comment letting OP know i’m in a similiar situation as them, i use Docker Engine & Docker Compose for my self-hosting needs on a 13th Gen Asus Nuc (i7 model) running Proxmox with a Debian 12 VM. My reverse proxy is traefik and i am able to receive SSL certificates on port :80/:443 (also have Fail2Ban setup) however, i can’t for the life of me figure out how to expose my containers to the internet.

    On my iPhone over LTE/5G trying my domain leads to an “NSURLErrorDomain” and my research of this error doesn’t give me much clarity.

    This is a snippet of my docker-compose.yml 
    services:
  homepage:
    image: ghcr.io/gethomepage/homepage
    hostname: homepage
    container_name: homepage
    networks:
      - main
    environment:
      PUID: 0 # optional, your user id
      PGID: 0 # optional, your group id
      HOMEPAGE_ALLOWED_HOSTS: my.domain,*
    ports:
      - '127.0.0.1:3000:3000'
    volumes:
      - ./config/homepage:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock #:ro # optional, for docker integrations
      - /home/user/Pictures:/app/public/icons
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.rule=Host(`my.domain`)"
      - "traefik.http.routers.homepage.entrypoints=https"
      - "traefik.http.routers.homepage.tls=true"
      - "traefik.http.services.homepage.loadbalancer.server.port=3000"
      - "traefik.http.routers.homepage.middlewares=fail2ban@file"
      # - "traefik.http.routers.homepage.tls.certresolver=cloudflare"
      #- "traefik.http.services.homepage.loadbalancer.server.port=3000"
      #- "traefik.http.middlewares.homepage.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 172.18.0.0/16, 208.118.140.130"
      #- "traefik.http.middlewares.homepage.ipwhitelist.ipstrategy.depth=2"
  traefik:
    image: traefik:v3.2
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - main
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 55262
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 57442
        mode: host
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik/traefik.yml:/traefik.yml:ro
      - ./config/traefik/acme.json:/acme.json
      #- ./config/traefik/config.yml:/config.yml:ro
      - ./config/traefik/custom-yml:/custom
      # - ./config/traefik/homebridge.yml:/homebridge.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.my.domain`)"
      #- "traefik.http.middlewares.traefik-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 208.118.140.130, 172.18.0.0/16"
      #- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`my.domain`)"
      #- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=my.domain"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.my.domain"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=fail2ban@file"

    Image of my port-forwarding rules (note; the 3000 internal/external port was me “testing”)

    Edit: I should note the Asus Documentation for Port-forwarding mentions this:

    1. Port Forwarding only works within the internal network/intranet(LAN) but cannot be accessed from Internet(WAN).

    (1) First, make sure that Port Forwarding function is set up properly. You can try not to fill in the [ Internal Port ] and [ Source IP ], please refer to the Step 3.

    (2) Please check that the device you need to port forward on the LAN has opened the port. For example, if you want to set up a HTTP server for a device (PC) on your LAN, make sure you have opened HTTP port 80 on that device.

    (3) Please note that if the router is using a private WAN IP address (such as connected behind another router/switch/modem with built-in router/Wi-Fi feature), could potentially place the router under a multi-layer NAT network. Port Forwarding will not function properly under such environment.

    Private IPv4 network ranges:

    Class A: 10.0.0.0 – 10.255.255.255

    Class B: 172.16.0.0 – 172.31.255.255

    Class C: 192.168.0.0 – 192.168.255.255

    CGNAT IP network ranges:

    The allocated address block is 100.64.0.0/10, i.e. IP addresses from 100.64.0.0 to 100.127.255.255.

    I want to highlight the fact that i may be under a multi-layered NAT, the folks in my household demand the ISP router given that i have PiHole running DNS blocking and my Asus Router routes all outbound connections through a VPN tunnel, besides DDNS obviously which my router also handles, i have to run these routers in bridged-mode so that they share the same WAN IP but, if I am able to receive SSL/TLS certificates from LetsEncrypt on port :80/:443 that means port-forwarding is working as intended right?