Router ---|--> Server w/ UFW, Nginx/services in Docker
          |--> Laptop
I have a DNS record example.com pointing to my public IP, and I want to access the server by using the DNS record (and not the private IP), but without port forwarding - only on my local network.
How can I make this happen, exactly? Accessing the private IP of the server works, but I want to use the hostname. Using the hostname gives me ERR_CONNECTION_REFUSED because my router is not port forwarding. If I port forward on the router level (80 → server:80) then I’m able to access things fine, but then it’s exposed to the world. This last idea is further complicated by UFW and Docker not interacting very well (blocking something on UFW doesn’t mean Docker is inaccessible), and I’ve found this ufw-docker tool that seemed useful but does not work for me - exposing the containers’ port 80 doesn’t make a difference to whether I can access it or not.
edit: I guess I should also mention that UFW allows my private network to port 80, and Docker has 80->80 on the reverse proxy container (+ some internal host → port mappings).
If you only need it accessible from inside your network by using the hostname (something.example.com) you could point the A record to your internal IP address. The client device will get a local IP when querying the hostname and connect to that.
If you want the service to be accessible from outside your network, but only for you and without forwarding a port, you could use a VPN to put your client on the same network as you would be at home.
Sounds like what you’re looking for is a reverse proxy. There are many available (NPM, SWAG, Caddy, etc). Personally, I use swag, but like I said there are many available.
Edit: Just re-read your post. We may need more info on your setup to help you out. Sounds like you already have a reverse proxy setup but it’s not working correctly? If you don’t want to port forward ANY ports, you’ll need a VPN.
A few things you probably want to look at are tools like Nginx Proxy Manager, Caddy, or Traefik for reverse proxies. You might need these as well: Cloudflared, Tailscale, or Twingate, as these can point to an endpoint and make things resolvable via DNS without much setup.
As for UFW, I believe you need to restart the docker service every time you load in a new UFW config so that they don’t stomp on each other. Of course this only matters if you are exposing ports on the host.
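As an added illustration of the UFW/Docker point above (this is not code from the thread or from any of the tools mentioned): traffic to a port Docker publishes is DNAT'd to the container and evaluated in the FORWARD chain by Docker's own iptables rules, so a UFW deny rule on INPUT never sees it. A quick way to audit which published ports are reachable on every interface regardless of UFW is to parse `docker ps --format '{{.Names}}\t{{.Ports}}'` and flag bindings on `0.0.0.0` or `::`. The container names and mappings below are constructed sample output, not from the original post.

```python
import re

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# Container names and mappings are made up for this example.
SAMPLE_PS = """\
proxy\t0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp
db\t127.0.0.1:5432->5432/tcp
app\t8080/tcp
"""

# One published mapping, e.g. '0.0.0.0:80->80/tcp' or ':::80->80/tcp'.
# The greedy host group leaves the last ':' for the host port, so ':::80'
# yields host '::' and port 80.
_MAPPING = re.compile(
    r"^(?P<host>.+):(?P<hport>\d+)->(?P<cport>\d+)/(?P<proto>tcp|udp)$"
)


def published_ports(ps_output: str) -> list[dict]:
    """Return one record per published host port with the interface it binds."""
    records = []
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        for entry in ports.split(", "):
            m = _MAPPING.match(entry.strip())
            if not m:
                # e.g. '8080/tcp': exposed inside the Docker network only,
                # not published on the host, so UFW is not bypassed here.
                continue
            records.append({
                "container": name,
                "host": m["host"],
                "port": int(m["hport"]),
                "proto": m["proto"],
            })
    return records


def wildcard_bindings(ps_output: str) -> list[tuple[str, int, str]]:
    """Ports bound on 0.0.0.0 or ::; Docker's FORWARD-chain rules accept these
    before UFW's INPUT rules are consulted, so UFW alone cannot block them."""
    return sorted({
        (r["container"], r["port"], r["proto"])
        for r in published_ports(ps_output)
        if r["host"] in ("0.0.0.0", "::")
    })


if __name__ == "__main__":
    for container, port, proto in wildcard_bindings(SAMPLE_PS):
        print(f"{container}: {port}/{proto} is reachable on all interfaces, UFW does not apply")
```

The fix for a flagged mapping is to bind it to a specific address in the compose `ports:` entry (for example `127.0.0.1:80:80`, or the LAN address of the host) so that only the intended interface is published, or to use the ufw-docker approach mentioned earlier in the thread.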
Wow, this is actually exactly what I want and incredibly simple. I was going to set up a VPN later to access stuff from outside my home network too so it’d be completely fine to have it point to an internal IP, I can’t believe I didn’t think of it. Thanks so much!
OK, so to clarify what you are asking for, you want to be able to use an easy to type URL such as example.local while you are on your local network (but only when you are on your local network).
I’ve wanted to do something similar and here are the options I’ve found:
set up a local network DNS system such as pihole to redirect.
if using tailscale, set up magicDNS.
With those in mind I’m just going to mention that although there is an unofficial standard of denoting local URLs with the .local top-level domain, this is technically discouraged. You should only use domains which you are authorized to use. This can be a domain that you own or one that someone has authorized your use of. Two examples of authorized use include Tailscale’s magicDNS (where you are assigned domains such as test-net.TS.net) and the home.arpa domain, which is authorized for home network usage and will not resolve outside of your home network.
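To tie together the local-DNS suggestions in this thread (pointing the name at the internal IP, running Pi-hole for the override, and using only home.arpa or a domain you own rather than .local), here is an added example, not code from the thread or from Pi-hole, that renders dnsmasq `address=/name/ip` override lines and refuses entries that violate those rules. The zone list, hostnames and addresses are assumptions made up for the example.

```python
import ipaddress
import re

# Zones this home network is allowed to answer for locally (assumed values):
# a domain the owner controls, plus home.arpa (reserved for home networks).
AUTHORISED_ZONES = ("example.com", "home.arpa")

# .local is reserved for mDNS and should not be served by a unicast resolver.
DISCOURAGED_ZONES = ("local",)

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def in_zone(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_name(name: str) -> None:
    """Reject malformed names, .local names, and names outside our zones."""
    labels = name.lower().rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"{name}: not a valid hostname")
    if any(in_zone(name, z) for z in DISCOURAGED_ZONES):
        raise ValueError(f"{name}: .local is reserved for mDNS; use home.arpa or a domain you own")
    if not any(in_zone(name, z) for z in AUTHORISED_ZONES):
        raise ValueError(f"{name}: not inside a zone you are authorised to use")


def validate_target(ip: str):
    """A local override should answer with a LAN address only: not a public
    address (that is what the public record is for) and not loopback or
    link-local, which would not reach the server from other hosts."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_private or addr.is_loopback or addr.is_link_local:
        raise ValueError(f"{ip}: local overrides must point at a LAN address")
    return addr


def dnsmasq_overrides(mapping: dict) -> list:
    """Render dnsmasq 'address=/name/ip' lines after validating each entry.
    dnsmasq answers such a line for the name and every subdomain of it."""
    lines = []
    for name, ip in sorted(mapping.items()):
        validate_name(name)
        addr = validate_target(ip)
        lines.append(f"address=/{name.lower().rstrip('.')}/{addr}")
    return lines


# Constructed sample: the thread's example.com plus a home.arpa name.
SAMPLE = {"example.com": "192.168.1.10", "nas.home.arpa": "192.168.1.20"}

if __name__ == "__main__":
    print("\n".join(dnsmasq_overrides(SAMPLE)))
```

On a Pi-hole host the rendered lines would go in a file under `/etc/dnsmasq.d/` (followed by a restart of the resolver); clients that use Pi-hole as their resolver then get the internal address for example.com and its subdomains while the public record stays untouched, so nothing about the internal layout is published in public DNS.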
A local network DNS also sounds like an interesting idea! I’d eventually want to set up Tailscale/headscale for my local network so I might go with the magic DNS option.
I am using PiHole to run the DNS, with tailscale to handle the VPN portion.
MagicDNS isn’t very powerful right now (no subdomains per computer etc) but it does allow you to choose a server on your network as the DNS provider.