this post was submitted on 28 May 2024
25 points (100.0% liked)

Selfhosted

40183 readers
557 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Would it be possible to use ports 443 and 80 for both Adguard Home and Vaultwarden? They're both on the same machine, Vaultwarden will be in a docker container and Adguard Home not. I'm doing this on an Ubuntu server.

top 11 comments
sorted by: hot top controversial new old
[–] [email protected] 19 points 5 months ago (1 children)

You're looking for a proxy, a way to divvy out requests between the two containers. The proxy will listen on those ports and then split the traffic to the two other containers (which are listening on 2 different ports)

Start looking into nginx reverse proxy, traefik, or caddy

[–] [email protected] 5 points 5 months ago

I’ve just started doing that on my setup this week.

Personally, I went for nginx. Fairly straightforward to get up and running. Suddenly, my containers (as well as a couple of other VMs and devices) have their own host names and no trailing port numbers.
Much tidier.

[–] [email protected] 7 points 5 months ago* (last edited 5 months ago) (2 children)

As others have said, a reverse proxy is what you need.

However I will also mention that another tool called macvlan exists, if you're using containers like podman or docker. Setting up a macvlan network for your containers will trick your server into thinking that the ports exposed by your services belong to a different machine, thus letting them use the same ports at the same time. As far as your LAN is concerned, a container on a macvlan network has its own IP, independent of the host's IP.

Macvlan is worth setting up if you plan to expose some of your services outside your local network, or if you want to run a service on a port that your host is already using (eg: you want a container to act as DNS on port 53, but systemd-resolved is already using it on the host).

You can set up port forwarding at your router to the containers that you want to publicly expose, and any other containers will be inaccessible. Meanwhile with just a reverse proxy, someone could try to send requests to any domain behind it, even if you don't want to expose it.

My network is set up such that:

  • Physical host has one IP address that's only accessible over lan.
  • Containerized web services that I don't want to expose publicly are behind a reverse proxy container that has its own IP on the macvlan.
  • Containerized web services that I do want to expose publicly have a separate reverse proxy container, which gets a different IP on the macvlan.
  • Router has ports 80 and 443 forwarding only to the IP address for my public proxy
[–] [email protected] 2 points 5 months ago

Just as a warning, the macvlan stuff isn't well documented and seems to have hard limits. I worked with it a couple of years ago and had to eventually read a lot of Docker code to figure some stuff out, and the host was only able to successfully set up 4 macvlan networks at a time - the fifth (and any following ones) were never reachable, even though I used the same scripts as for all other ones.

Things might have improved in the meantime.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago) (1 children)

Not OP, but thanks for the write up !

Regarding macvlan's with docker, I tried to use them in the past and while I liked the idea of having every container on it's own mac /ip address in the home network space, I couldn't get the host to communicate directly with them.

Everyone on the LAN could talk to my containers, except the host itself. IIRC there was/is some tricky part where you have to change the default route and create new iptables to make it work that way, but It seemed rather hacky and not secure at all.

Now that I'm a bit more experienced with docker and all, do you know if this is possible or still one of the downside of macvlan's?

Edit: reference. I see he updated his post in 2023, maybe worth a new shot !!

[–] [email protected] 3 points 5 months ago

Yeah, I believe there's some kind of bridge mode you must enable on the host's interface.

[–] [email protected] 7 points 5 months ago

You could use Nginx reverse proxy and map the proper domain names to the right ports

[–] [email protected] 6 points 5 months ago

Directly no. How would Adguard know the request is for Vaultwerden and suppress the 404?

As others have said, you will need a reverse proxy to make this work. The proxy will listen on port 80/443 and direct the request to the correct application based on path or domain name. Adguard and VW will need to listen on other ports.

[–] [email protected] 3 points 5 months ago* (last edited 5 months ago)

If you can assign a second IP address to the network interface, then just do so, and bind the docker container to one, and Adguard Home to the other. Otherwise, the reverse proxy based on the server name is the way.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago)

If you're using them for your private use them just put them on different ports. Why do you want them both on the same ports?

You'll have to do this even if you use a reverse proxy. And also for a reverse proxy to work you'll need domains defined in DNS.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
nginx Popular HTTP server

3 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #770 for this sub, first seen 28th May 2024, 20:05] [FAQ] [Full list] [Contact] [Source code]