I’m new to self hosting and just starting to experiment with web development. I’ve been reading and cross-referencing several guides, but I’m having trouble figuring out how to put together all the pieces to achieve what I’m looking for. Maybe the perfect tutorial is out there, but I just haven’t found the right search terms.
On my Raspberry Pi 4, I have a few Docker containers already up and running:
- Pi Hole with network-mode set to host so it can handle DHCP too
- Watchtower to keep the Pi Hole up-to-date
- Portainer to check on the status of things
In addition those, I’m planning to host a personal website, a small Matrix server, and a few other things eventually. For portability reasons and my own professional development, I want to go all-in on Docker Compose and keep each piece in its own separate container.
The main thing I’m struggling with is figuring out how to configure nginx-proxy-manager and my Docker networks to expose only the containers I want to expose while keeping my other containers safe. More specifically, how do I handle the conflicting ports between Pi Hole and nginx-proxy-manager without exposing my Pi Hole’s admin page to the public internet? Can I use the same reverse proxy to manage all my local and public services at the same time?
Another piece that I’m feeling unsure about is pointing my domain name to the right IP address and setting up SSL encryption. It feels like there are a lot of ways to mess it up. What do I need to do to keep things safe and secure? How important is something like Cloudflare tunnel?
I will absolutely start doing more research on firewalls, thank you for the suggestion. That’s exactly the kind of obvious thing that I was afraid I would miss.
Dnsmasq is actually already built-in to Pi Hole, I’m pretty sure that’s how it redirects advertiser domains to 0.0.0.0 and handles DHCP. I see that I can add more local domains right from the web interface. I didn’t realize I could give each containers its own local IP addresses, though. That would make getting to local services much more clean and simple.
I don’t have a static IP, and I’m certainly not keen on giving my ISP any more money. I’ll look more into DDNS services too.
Keep in mind that docker can bypass iptables-based firewall like UFW. When in doubt, do a port scan from an external machine to check which ports are actually open to the internet.
I haven’t gotten in to containers yet, but there should be some way to let each one use a unique IP. At the very least, give your Pi multiple addresses and then have the service in each container only listen on its assigned address.