On my Lan I have 192.168.1.111 hosting a bunch of various services not containerized. All connections are done either from my internal lan or from wireguard going through 192.168.1.111 so no external traffic bar wireguard.
I’ve set the host name of 111 in the hosts file inside the router and 111 and it works for all devices expect the ones connecting via wireguard.
But I dont want to have to use hostname+port for every service, I’d like each service to have its own name. I’d also like certs.
Can someone point me in the right direction for what I need to do? I’m thinking maybe this requires a local DNS server which im hesitant to run because im happy using 8.8.8.8.
For certs do I create a single cert on the 192.168.1.111 and then point all the applications to it?
First off, get of for DNS!!! Use 9.9.9.9 (quad9) or DNS.watch for God’s sake! Even 1.1.1.1 is better!
Can also use mullvad’s DNS, it’s free
DNS?
Nginx proxy manager can help you with all of that.
basically want a domain name that you can use to subdomain each service off.
E.g:
https://service1.auth.local/ -> proxies your first service (192.168.1.111:4567)
Https:/service2.auth.local -> proxies to the second (192.168.1.123:9876) And so on.
If you purchase an actual domain name, you can get letencrypt certs via nginx proxy manager, and it all works very smoothly.
deleted by creator
Ok thanks ill give that ago tonight. I never would have thought of a proxy manager.
I used nginx proxy manager for a while. Nowadays I use caddy, and I wouldn’t want to look back. It has no gui but a caddyfile. It works much smoother for me.
You can of course do it manually with plain nginx, it’s just a little more effort.
To do this properly, you’ll need to set up a reverse proxy that publishes your different ports on different IP addresses.
Then you can use DNS or (locally) a hosts file for name resolution.Yes, reverse proxy, but you don’t want to publish on different IP addresses. Your services should bind to one IP, different ports, and the reverse proxy accepts it all on 443 and routes it based on the host header.
I use traefik for this, set labels in the docker compose and it Just Works. It also gets certs for me based on the acme DNS challenge. Some people use caddy instead of traefik and they seem happy with it.
This would be done either via a reverse proxy (for public access via a domain you own, ex: service1.reticulatedpasta.com), or via a local DNS server if only being accessed via LAN without a signed SSL cert. For a reverse proxy, I use caddy which also manages SSL certs.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CA (SSL) Certificate Authority DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol SSL Secure Sockets Layer, for transparent encryption nginx Popular HTTP server
[Thread #113 for this comm, first seen 24th Feb 2026, 01:20] [FAQ] [Full list] [Contact] [Source code]
Certificates can have multiple usages and you didn’t specify the purpose in your case. A certificate is not necessarily tied to an IP or even a server. However, if you want to authenticate the server with a certificate, you will need the IP address to be resolved by a DNS. So, you should clarify what you actually want to accomplish. Do you expect your certificates to be self-signed or signed by a certification authority? A certification authority cannot validate a private IP address.
Sorry, a cert for https because im sick of the annoying browser warning. Self signed is fine and I can use certbot for that I believe.
self-signed won’t get rid of any warnings, it will just replace “warning this site is insecure” with “warning this site uses a certificate that can’t be validated”, no real improvement. What you need is a cert signed by an actual certificate authority. Two routes for that:
-
Create your own CA. This is free, but a PITA since it means you have to add this CA to every single device you want to be able to access your services. Phones, laptops, desktops, etc.
-
Buy a real domain, and then use it to generate real certs. You have to pay for this option ($10-20/year, so not a lot), but it gets you proper certs that will work on any device. Then you need to set up a reverse proxy (nginx proxy manager was mentioned in another post, that will work), configure it to generate a wildcard cert for your domain using DNS-01 challenge, and then apply that cert to all of your subdomains. Here’s a pretty decent video that walks you through the process: https://m.youtube.com/watch?v=TBGOJA27m_0
.uk domains are very cheap, $5ish AUD, which is ~2.5usd.
-
