this post was submitted on 09 Apr 2026
10 points (91.7% liked)

Selfhosted

58420 readers
1008 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
10
Hairpin dns issue (lemmy.world)
submitted 1 day ago by mortalic@lemmy.world to c/selfhosted@lemmy.world
26 comments fedilink hide all child comments
 

I've got Immich working great on Unraid, but if I'm on my network I can't really use it. Just fails to resolve the dns. I looked it up and it's that my router doesn't support hairpin or something. It's a Aginet hb810. I found a workaround in the Immich client where you can add a second entry that's network specific, but it doesn't seem to work very reliably.

What are my options?

you are viewing a single comment's thread
view the rest of the comments
[–] cecilkorik@lemmy.ca 2 points 19 hours ago* (last edited 19 hours ago) (1 children)

I'd argue that your internally hosted site should not be published on ports other than 80/443. Published is the key word here, because the sites themselves can run on whatever port you want and if you want to access them directly on that port you can, but when you're publishing them and exposing them to the public you don't want to be dealing with dozens of different services each implementing their own TLS stack and certificate authorities and using god-knows-what rules for security and authentication. You use a proxy server to publish them properly. And there's no reason you can't or shouldn't use that same interface internally too. Even though you technically might be able to directly access the actual ports the services are running on on your local network, you really probably shouldn't, for a lot of reasons, and if you can, maybe consider locking that down and making those services ONLY listen on 127.0.0.1 or isolated docker networks so nothing outside the proxy host itself can reach them.

If you don't want your services to listen on 80/443 themselves that's reasonable and good practice, but something should be, and it should handle those ports responsibly and authoritatively to direct incoming traffic where it needs to go no matter the source. Even if (or especially if) you need to share that port with various other services for some reason, then either way you need it to operate that port as a proxy (caddy, nginx, even Apache can all do this easily). 443 is the https port, and in the https-only world we should all be living in, all https traffic should be using that port at least in public, and the https TLS connection should be properly terminated at that port by a service designed to do this. This simplifies all sorts of things, including domain name management and certificate management.

tl;dr You should have a proxy that publishes all your services on port 443 according to their domain name. When https://photos.mydomain.com/ comes in, it hits port 443 and the service on port 443 sees it's looking for "photos", handles the certificates for photos, and then decides that immich is where it is going and proxies it there, which is none of anyone else's business. Everyone, internal or external, goes through the same, consistent, and secure port 443 entrance to your actual web of services.

[–] tko@tkohhh.social 1 points 19 hours ago* (last edited 19 hours ago) (1 children)

The challenge here is that the host is Unraid, which publishes its own interface on 80/443. My reverse proxy is of course handling all requests for my sites, but that is ALSO running on a container, and must be listening on something other than 80/443 when using host or bridge networking.

So, if I'm following along correctly, I would need to put my reverse proxy on a different host (bare metal or VM) in order for it to listen on 80/443.

[–] cecilkorik@lemmy.ca 2 points 15 hours ago* (last edited 15 hours ago) (1 children)

I'm not too familiar with unraid but from a little research I just did it seems like you're right. That does seem like a really unfortunate design decision on their part, although it seems like the unraid fans defend it. Obviously, I guess I cannot be an unraid fan, and I probably can't help you in that case. If it were me, I would try to move unraid to its own port (like all the other services) and install a proxy I control onto port 443 in its place, and treat it like any other service. But I have no idea if that is possible or practical in unraid. I do make opinionated choices and my opinion is that unraid is wrong here. Oh well.

[–] tko@tkohhh.social 1 points 15 hours ago (1 children)

Totally fair... I appreciate you engaging with me, your perspective is appreciated! I won't defend Unraid's choice when it comes to the UI ports, but I will simply say that there are things that are really nice about Unraid from a usability standpoint.

Thanks again for your thoughts!

[–] cecilkorik@lemmy.ca 2 points 14 hours ago

Convenience is great until it becomes inconvenient. But that's a journey we all make :)