Using dynamic IP and reverse proxy for my VMs and Containers

[heldmar]

Hi!

I have been using Proxmox for a while. I use it for my homelab, and I wish to be able to use my own domain (through subdomains) into my entire homelab, being able to access the different VMx and LXCs with subdomains, such as: subdomain1.domain.com --> LXC101, subdomain2.domain.com --> VM102, etc.

The 2 challenges are:

1) I have dynamic IP (and varies around each hour)
2) I am not sure how to set this up, although I have read a lot about rever-proxies, but none of these seem to adjust to my need.

The challenge #1, I think I was able to solve it, as I use no-ip.com free service. So, I already have a small LXC set up in my system with the no-ip client to automatically update the domain every 5 mins, so my IP varies but no-ip already points it automatically.

Then, I have my own domain set up in AWS, and I created a CNAME for subdomain1.domain.com to point to my no-ip domain, so every time my no-ip domain changes the CNAME gets updated (works most of the time, although it might have some delays sometimes).

Now, how can I make the proxmox cluster to reverse-proxy things up? Do I need to install a reverse proxy on the host machine (so, basically over proxmox)? I wouldn't want to install anything on top of proxmox, only within it with LXCs or VMs.

Thoughts?

 

[vescovialex]

Do you have a firewall that can do the port forwarding to this machine that you want to be accessible from the outside?

I have a lxc with reverseproxy installed, all calls on 80 and 443 is forwarded from my firewall to my lxc and in my reverseproxy I have the configuration files for the subdomains

 

[heldmar]

I do have a router (actually is a network mesh) which would allow me to do port forwarding, yes.

Now, if I do that, from that reverseproxy-lxc can I just assign domains to point to my other LXCs and VMs in Proxmox? That's actually my question on this.

Also, what reverseproxy are you using?

 

[vescovialex]

I'm using nginx.

First you have to point the DNS of subdomains of your domain to your public IP.

Then the firewall/router had to port forward on the IP of the lxc and in lxc you have to create for every subdomain a file with the right configuration.

And the magic will be done

I'll send you an example of the configuration file from my nginx later if you want.

 

[heldmar]

OK, I think I will have to try it.

I would appreciate it if you could send me the conf file!

Let me know if you can post it here or if you prefer to use direct message instead.

 

[vescovialex]

Here you have one default config file...it's pretty simple the config file.
You have just to change the domain

 

[heldmar]

Thank you @vescovialex ! I will try it

 

[vescovialex]

You're welcome @heldmar, let me know if it's working

 

[Westikane]

I see it's been a while since you've posted, but I'm curious—have you tried using Tailscale or Zerotier to help with dynamic IP handling? They’ve made things a lot easier for me when exposing VMs behind NAT with changing public IPs. Also wondering if anyone here has tried using Cloudflare Tunnels instead of the usual reverse proxy setups? It seems like a simple fix for dynamic IPs without port forwarding.

 

[UdoB]

Also wondering if anyone here has tried using Cloudflare Tunnels instead of the usual reverse proxy setups?

If you have an external VPS or are willing to rent one for a dollar or two per month, take a look here: https://github.com/fosrl/pangolin = "Tunneled Reverse Proxy Server with Access Control - Your own self-hosted zero trust tunnel."

This is a free Cloudflare Tunnel clone. Some (many?) functions are missing, of course. It only has the bandwidth _you_ give it. It includes CrowdSec to fight attacks. It removes the necessity to open ports on your home router completely.

Oh, and you own the underlying key for the Letsencrypt certficates, not some thirdparty provider. This is important for paranoia level seven and above ;-)


I am in a test phase for three weeks now; until now it works really great. Especially the automatic certificate handling works like a charm (I have problems to renew certificates using my current NPM (Nginx Proxy Manager) setup. Pangolin will probably replace that construct.)

Note that I am talking about a Homelab, light traffic, nothing important.