May 5th, 2024
I’ve been playing with my Raspberry Pis for a while now and have found that accessing them has been a real pain. Managing the IP addresses caused me to keep lists, just to remember all of them. I ran into two issues:
- Trying to remember the IP address and ports for all the different services and equipment.
- Dealing with self-signed certificates and the whole “this site may be dangerous, turn around now” thing. I get really tired of having to get around that warning.
Tracking IPs has caused me to create lists, change lists, make shortcuts, build boards like Homepage, etc., and be overwhelmed with it all. To give some context, I currently have 24 services running and a few URLs I regularly use. All these services have static IPs (DHCP reserved on my OPNsense router). There are several services on each Pi or virtual machine, so I’m also tracking ports in addition to the IP addresses.
I have about 6-8 devices with self-signed certificates: the aforementioned OPNsense router, 4 Pimox nodes, one Proxmox node, several Portainers and a FreePBX box.
The solution to this organizational nightmare – URLs with SSL that go to the service, as if they were on the web, but are still behind my firewall. So instead of going to 192.168.3.27:9000, I go to https://portainer.mylocaldomain.com. The process uses a purchased domain, Traefik, Let’s Encrypt, a wildcard certificate and Pi-hole. I’m able to give every service its own URL. Add in getHomepage and I’m able to create a landing page to keep everything in one place.
The process works for Docker services, non-Docker services and URLs. It’s a bit of a trick to set up, but the guides below do a great job of walking through the process. Once I finished the first few and understood what I was doing, adding new services takes a couple of minutes with a few lines of code.
I don’t port forward Traefik to the internet so the domain and URLs stay safe inside my firewall. If I want to expose a service or two I could by adding a reverse proxy (nginx or another Traefik instance) in front of this Traefik instance and only send those specific services, like websites, that I want to send to the internet. With a second reverse proxy I can also use an external domain in addition to my internal domain.
The basics of how it works, in the very wrong terms that I understand it in:
- Traefik gets the wildcard cert from Let’s Encrypt.
- Create “Local DNS” records on Pi-hole that point the URLs to the Traefik IP.
- Traefik then points the URLs to the services’ IPs.
- When the URL is used, it passes through Traefik, where the certificate is used, so when you get to the service the URL is https.
- The end product – you can type in the URL to get to the service, without errors, on an SSL-secured connection. You can also make a dashboard with getHomepage, Homer, Heimdall, etc. and put everything in one place. I use getHomepage.
Examples of URLs I use:
- opensense.mydomain.com
- portainer.mydomain.com
- homelab.mydomain.com…
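A check that ties the steps above together, as an added example that is not from the original post or the linked guides: it audits Local DNS records for names that skip the proxy or that the wildcard certificate cannot cover (a wildcard matches exactly one label, so `*.mydomain.com` does not cover `mydomain.com` or `a.b.mydomain.com`). The proxy IP, the certificate names, the sample records and the hosts-style `IP hostname` record format are all assumptions made for illustration.

```python
# Added example: audit Local DNS records against the proxy IP and the wildcard cert.
# All names, IPs and records below are constructed sample values.

TRAEFIK_IP = "192.168.3.10"                      # assumed proxy address
CERT_SANS = ["mydomain.com", "*.mydomain.com"]   # assumed names on the wildcard cert

SAMPLE_RECORDS = """\
# constructed hosts-style records: <ip> <hostname>
192.168.3.10 portainer.mydomain.com
192.168.3.10 homelab.mydomain.com
192.168.3.50 pbx.mydomain.com
192.168.3.10 node1.pimox.mydomain.com
"""


def covered_by(hostname, san):
    """True if one certificate name covers hostname (wildcard = exactly one label)."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    first, _, rest = host.partition(".")
    return bool(first) and rest == san[2:]


def audit(records, proxy_ip, sans):
    """Return {hostname: [problems]} for every record that would misbehave."""
    findings = {}
    for line in records.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            problems = []
            if ip != proxy_ip:
                problems.append(f"points to {ip}, bypassing the proxy at {proxy_ip}")
            if not any(covered_by(name, san) for san in sans):
                problems.append("not covered by the certificate, browser will warn")
            if problems:
                findings[name] = problems
    return findings


if __name__ == "__main__":
    for host, problems in audit(SAMPLE_RECORDS, TRAEFIK_IP, CERT_SANS).items():
        for problem in problems:
            print(f"{host}: {problem}")
```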
Other people describe the process of setting this up better than I can. Rather than re-invent the wheel, here are the three videos I used to pull my solution together. Make sure you also use their instruction pages linked in the description to augment the videos.
Traefik 3 and FREE Wildcard Certificates with Docker

Techno Tim describes some things differently here. The two videos in concert really helped me.
Put Wildcard Certificates and SSL on EVERYTHING – Traefik Tutorial

Jim has some slightly different processes that helped me:
SSL Certificates Made EASY With Traefik Proxy, Cloudflare, and Let’s Encrypt – Tutorial
