Using nginx to access local services with a domain name
I want to access my local services using a domain name instead of IP. I set up nginx to forward subdomains to different services. I can't restrict access to the local network in nginx due to docker IP address related reasons (as discussed on this thread: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1105), so they are publicly accessible.
Is it insecure to have public access to internal IP addresses through nginx?
If so, is there a better way to do this?
Are you only interested in accessing the services while on LAN? If so, you could set up pihole and create local dns entries which would point to the nginx server. Nginx would then forward them to the machine and port number for the service.
You could also combine this with a vpn like tailscale to allow remote access. That way nothing needs to be exposed to the internet.
You don't even need a reverse proxy unless you want to access the services from outside. And even then, NAT alone would suffice if you used different ports.
That seems like a good idea. I already have pihole set up, how do you create local DNS entries?
I'm using WireGuard for remote access.
Unless you need to access your services from outside your local network, there's no reason to allow traffic from the world to reach Nginx Proxy Manager.
You can create subdomains that point to local IP addresses. If you want TLS look into letsencrypt dns challenge, that method does not require incoming access to your server from the world.
My setup has a *.lan.whatevermydomain.com wildcard record hosted at Cloudflare pointing to 192.168.1.110. For added security the server's configured to only allow ports 80 and 443 to be accessed, IP address restrictions aren't needed since it's behind NAT and the router isn't configured to allow 80 and 443 to go to that server (or any machine for that matter). Nginx Proxy Manager grabs a wildcard certificate via DNS challenge. End result is that I can access all my local services on domains as long as I'm connected to my local network, outside access isn't possible.
This is also a good option for OP. Seems to be no current need for world traffic directed to your network.
Set up a local DNS server, or, if you just have a handful of machines, even just /etc/hosts might be enough. On the DNS server you could literally use any domain name, though I prefer to have a made-up ".lan" or ".home" domain and then subdomains. This way, if your resolv.conf is set to have that as the search domain, you can just reference the subdomains.
If you are port forwarding and have no authentication, yes. If you only want to access these services locally then you don't need to port forward. If the services don't have authentication methods of their own you can use something like Authelia to add some.
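The "local DNS entries pointing at the proxy, proxy forwarding to each service" setup recommended above, plus the suggestion to put an authentication gate in front of services that have none, as one added example. This is not code from the thread, from Pi-hole or from Nginx Proxy Manager; it is a small script that emits the two config files, and everything in it is assumed: the zone lan.example.com, the proxy at 192.168.1.110, the two constructed backends, a wildcard certificate obtained with the Let's Encrypt DNS challenge, the Pi-hole v5 custom.list format, and a hypothetical forward-auth endpoint at 192.168.1.30:9091 (Authelia-style; the verify path is a placeholder, take the real one from that project's nginx docs).

```shell
#!/bin/sh
# Added example, not from the thread. Generates (1) Pi-hole "Local DNS Records"
# that send every service name to the reverse proxy and (2) an nginx site file
# with one vhost per service, a catch-all that refuses unknown hosts, and an
# auth_request gate for services marked as needing a login.
# All hosts, ports and paths below are hypothetical.
set -eu

PROXY_IP="192.168.1.110"
ZONE="lan.example.com"
CERT_DIR="/etc/letsencrypt/live/${ZONE}"              # wildcard cert via DNS challenge
AUTH_BACKEND="http://192.168.1.30:9091/api/verify"    # hypothetical forward-auth endpoint
# "<name> <backend> <needs_auth>" per line; constructed sample data.
SERVICES="grafana 192.168.1.20:3000 no
filebrowser 192.168.1.21:8080 yes
auth 192.168.1.30:9091 no"

# Pi-hole v5 stores Local DNS Records as "<ip> <fqdn>" lines in
# /etc/pihole/custom.list (run `pihole restartdns` after changing it).
# Every name resolves to the proxy, never to the service host, so the proxy
# is the only path in and is where TLS and auth get enforced.
pihole_records() {
    printf '%s\n' "$SERVICES" | while read -r name _backend _auth; do
        printf '%s %s.%s\n' "$PROXY_IP" "$name" "$ZONE"
    done
}

# Gate inserted into "location /" of a protected vhost: nginx asks the auth
# backend first and sends unauthenticated users to the login portal.
auth_gate() {
    cat <<'EOF'
        auth_request /auth;
        error_page 401 = @login;
EOF
}

auth_locations() {
    cat <<EOF
    location = /auth {
        internal;
        proxy_pass ${AUTH_BACKEND};
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL \$scheme://\$host\$request_uri;
    }
    location @login {
        return 302 https://auth.${ZONE}/?rd=\$scheme://\$host\$request_uri;
    }
EOF
}

nginx_site() {
    # Catch-all first: a request by bare IP or with an unknown Host header gets
    # the connection closed (444) instead of being proxied to whichever server
    # block nginx would otherwise pick as the default.
    cat <<EOF
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_certificate     ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;
    return 444;
}
EOF
    printf '%s\n' "$SERVICES" | while read -r name backend needs_auth; do
        gate=""; extra=""
        if [ "$needs_auth" = "yes" ]; then
            gate=$(auth_gate); extra=$(auth_locations)
        fi
        cat <<EOF
server {
    listen 443 ssl;
    server_name ${name}.${ZONE};
    ssl_certificate     ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;
    location / {
${gate}
        proxy_pass http://${backend};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
${extra}
}
EOF
    done
}

# Usage:  sh lan-proxy.sh dns   > /etc/pihole/custom.list
#         sh lan-proxy.sh nginx > /etc/nginx/conf.d/lan.conf && nginx -t
case "${1:-}" in
    dns)   pihole_records ;;
    nginx) nginx_site ;;
esac
```

The point of the catch-all block is the one OP's question touches: once 80/443 reach the proxy, anyone who can reach it can name any backend in the Host header, so an explicit default that answers nothing, plus the DNS records pointing only at the proxy, is what keeps the internal addresses from being discoverable through it.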
I am forwarding ports 80 and 443 to nginx. If I use nginx to access [IP]:[port] will that port be forwarded too?
limit access with iptables at the host via https://docs.docker.com/network/iptables/
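The host-level restriction suggested above, as an added example; this is not code from the thread or from the linked Docker page. Rules are placed in the DOCKER-USER chain, which Docker evaluates before its own FORWARD rules, so the decision is taken on the client's real source address rather than the Docker bridge address that nginx inside the container sees (the problem OP hit). Assumptions, all hypothetical: the server's only NIC is eth0, the LAN is 192.168.1.0/24, WireGuard arrives on wg0, and the proxy container publishes 80/tcp and 443/tcp.

```shell
#!/bin/sh
# Added example, not from the thread or the Docker docs. Restricts the proxy's
# published ports to the LAN at the host firewall. Interface and subnet are
# hypothetical.
set -eu

EXT_IF="eth0"
LAN_NET="192.168.1.0/24"

# Emit the rule list without applying it, so it can be reviewed or tested.
# DOCKER-USER sees packets after Docker's DNAT, so --dport would match the
# container port; --ctorigdstport matches the port the client connected to.
docker_user_rules() {
    printf '%s\n' "-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    printf '%s\n' "-A DOCKER-USER -i $EXT_IF -s $LAN_NET -j RETURN"
    for port in 80 443; do
        printf '%s\n' "-A DOCKER-USER -i $EXT_IF -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport $port -j DROP"
    done
    # Anything else (e.g. wg0 traffic, which never matches -i eth0) falls through.
    printf '%s\n' "-A DOCKER-USER -j RETURN"
}

apply_rules() {
    iptables -F DOCKER-USER    # flush only our chain; Docker's own chains stay untouched
    docker_user_rules | while read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        iptables $rule
    done
}

# Returns 0 only if every rule is present (iptables -C); usable as a health check.
rules_present() {
    docker_user_rules | sed 's/^-A /-C /' | while read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule 2>/dev/null || exit 1
    done
}

case "${1:-}" in
    print) docker_user_rules ;;
    apply) apply_rules ;;
    check) rules_present && echo "DOCKER-USER rules in place" ;;
esac
```

Order matters: the established/related rule keeps replies flowing, the LAN rule returns before the drops, and the drops only name the external interface, so a VPN client on wg0 still reaches the proxy. The rules do not survive a reboot on their own; rerun `apply` from a boot-time unit that starts after Docker, since Docker recreates its chains when it starts.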