I don't see anyone else recommending it here but you can also use Traefik, that's what I use. I've set it up so that I can automatically add any docker hosted apps based on the container tags, it makes it convenient to use.
this post was submitted on 24 Feb 2026
57 points (96.7% liked)
Selfhosted
56939 readers
764 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
You need a thing called reverse proxy. There are many available.
Some suggested nginx, I recommend to give a try to caddy. It's easier than nginx and includes the certificate management as well.
NPM, Nginx Proxy Manager also has a UI and certificate management.
I would consider zoraxy.
https://github.com/tobychui/zoraxy
Single go binary, works on Windows natively if you need that and somewhat more feature rich than npm (if your not custom writing configs)
Currently using nginx-proxy-manager for exactly this purpose. Nice and easy-to-use UI, including automatic LetsEncrypt ssl certificates :)
+1 for caddy, I've been using it in my homelab for years and the configuration is just trivial
Nginx proxy manager can help you with all of that.
basically want a domain name that you can use to subdomain each service off.
E.g:
https://service1.auth.local/ -> proxies your first service (192.168.1.111:4567)
Https:/service2.auth.local -> proxies to the second (192.168.1.123:9876) And so on.
If you purchase an actual domain name, you can get letencrypt certs via nginx proxy manager, and it all works very smoothly.
Ok thanks ill give that ago tonight. I never would have thought of a proxy manager.
You can of course do it manually with plain nginx, it's just a little more effort. Good luck :)
I used nginx proxy manager for a while. Nowadays I use caddy, and I wouldn't want to look back. It has no gui but a caddyfile. It works much smoother for me.
Traefik's configs are a little less cumbersome if you're managing a lot of services.
As others have said, reverse proxy. My experience is with Caddy and LetsEncrypt. If you wanted to step it up a couple notches, you could go with Cloudflare tunnels/zero trust. With the latter scenario, you'll need a domain name that you can change the nameservers to Cloudflare assigned nameservers. With the Cloudflare option, you don't have to fiddle with ports, UFW, or NAT. Just install on your server and it punches a fully encrypted tunnel.
Reverse proxies! They can redirect based on the dns name used to get to them. This is based on layer 7 data though so just http(s) services and not multiple ssh tunnels for example.
k3s/rke2 (k8s distros) do it automatically with Traefik when you use the gateway or ingres apis
Also for DNS a fun option is sslip.io which lets you do -192-168-1-10.sslip.io and it redirects to your ip but with a dns name added.
Though your router likely has an easy way to add local entries for dns and also upstream for the rest (i.e. 8.8.8.8)
I have a TP-Link router with OpenWRT and use it to make local DNS entries for my services, like jellyfin.lan and forgejo.lan. I’m also running k3s, which comes with Traefik as a built-in reverse proxy.
To do this properly, you'll need to set up a reverse proxy that publishes your different ports on different IP addresses.
Then you can use DNS or (locally) a hosts file for name resolution.
Yes, reverse proxy, but you don't want to publish on different IP addresses. Your services should bind to one IP, different ports, and the reverse proxy accepts it all on 443 and routes it based on the host header.
I use traefik for this, set labels in the docker compose and it Just Works. It also gets certs for me based on the acme DNS challenge. Some people use caddy instead of traefik and they seem happy with it.
Ideally the services should only bind to localhost and not 0.0.0.0 or similar as well. Allowing both proxied and non-proxied requests will 99/100 times cause problems, and then one time it doesn't it is just confusion for no benefit.
What about hosting a homepage with links to all other services ?
I did consider that but im trying to build a website and its painful and the thought of doing anything more with css makes me wanna die.
Is there any plug and play home pages you could suggest?
See the section "Personal dashboards" of this great resource page I often refer to: https://github.com/awesome-selfhosted/awesome-selfhosted
This would be done either via a reverse proxy (for public access via a domain you own, ex: service1.reticulatedpasta.com), or via a local DNS server if only being accessed via LAN without a signed SSL cert. For a reverse proxy, I use caddy which also manages SSL certs.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| CA | (SSL) Certificate Authority |
| DHCP | Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network |
| DNS | Domain Name Service/System |
| HTTP | Hypertext Transfer Protocol, the Web |
| IP | Internet Protocol |
| NAT | Network Address Translation |
| SSL | Secure Sockets Layer, for transparent encryption |
| nginx | Popular HTTP server |
7 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #113 for this comm, first seen 24th Feb 2026, 01:20] [FAQ] [Full list] [Contact] [Source code]
First off, get of for DNS!!! Use 9.9.9.9 (quad9) or DNS.watch for God's sake! Even 1.1.1.1 is better!
Why?
I think they're complaining any Google DNS. It's just a privacy matter. Google will heavily track your DNS requests
Yeah, i assume you're like a lot of other people where you don't want everything you do to be tracked online. The service from Google is functional and all, by not trustworthy.
You can adjust this on your device (per device) or on your home modem/router/gateway, etc to cover all devices. Keeps Google, MS, Apple, ISP from tracking all online queries for all devices.
You can go one step further andd block all outgoing requests from all devices over port 53 and leave your router configured to do them all, then just configure you're DHCP settings to use your gateway (like 192.168.1.1) for both gateway and DNS
I live in a remote country and the other providers are slow. I could switch to cloudflare i guess
Dns.watch is global as is quad9. Says available in 110 countries
Can also use mullvad’s DNS, it’s free
Certificates can have multiple usages and you didn't specify the purpose in your case. A certificate is not necessarily tied to an IP or even a server. However, if you want to authenticate the server with a certificate, you will need the IP address to be resolved by a DNS. So, you should clarify what you actually want to accomplish. Do you expect your certificates to be self-signed or signed by a certification authority? A certification authority cannot validate a private IP address.
Sorry, a cert for https because im sick of the annoying browser warning. Self signed is fine and I can use certbot for that I believe.
self-signed won't get rid of any warnings, it will just replace "warning this site is insecure" with "warning this site uses a certificate that can't be validated", no real improvement. What you need is a cert signed by an actual certificate authority. Two routes for that:
-
Create your own CA. This is free, but a PITA since it means you have to add this CA to every single device you want to be able to access your services. Phones, laptops, desktops, etc.
-
Buy a real domain, and then use it to generate real certs. You have to pay for this option ($10-20/year, so not a lot), but it gets you proper certs that will work on any device. Then you need to set up a reverse proxy (nginx proxy manager was mentioned in another post, that will work), configure it to generate a wildcard cert for your domain using DNS-01 challenge, and then apply that cert to all of your subdomains. Here's a pretty decent video that walks you through the process: https://m.youtube.com/watch?v=TBGOJA27m_0
.uk domains are very cheap, $5ish AUD, which is ~2.5usd.
You already have a self-signed cert. That's why you get the warning.
You can use mDNS so you don't have to type IP address.
DNS?