Hi everyone

Thanks for all the advice on buying a domain. Its a big week for me. Getting on grapheneos, buying a domain, and I also recently started self hosting my contacts and calendar. I love this way of life.

My original plan was to one of the xyz 1.1111b domains for $1 a year but most of the feedback I got said just go with cloudflare. Its a lot more money than I had planned but all the security features are baked in and I feel that’s worth the extra money.

Here are my questions. I use the latest version of truenas community

  1. How do I connect my domain to my server apps? I’ve got a series of apps I’d love to he able to access without tailscale and solely use the domain.
  2. I have heard the term DNS a million times but don’t really understand it. What do.I need to know about DNS to keep security up and stay protected
  3. I’d like to let family access my media server, are there any considerations I need to make?
  4. How can I use one domain to access multiple services on my server? Do I need to pay extra for subdomains?

Thank you for any advice

  • Jason2357@lemmy.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    15 days ago

    Step 1: buy a couple extra years and set an annual reminder in your calendar. If you are happy with it, you will be together a long time and don’t want it to expire on you while on a vacation or something.

    • clif@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      Step 2: find domains of people/companies you don’t like and set a calendar reminder for when their domain expires so you can be petty and make fun of them with a parody site if they forget to renew.

      … Or is that just me?

  • artyom@piefed.social
    link
    fedilink
    English
    arrow-up
    0
    ·
    16 days ago

    How do I connect my domain to my server apps?

    Go to your domain provider and configure it to point requests to your server IP address. Use reverse proxy to connect those requests to a specific “app”. Most often NGINX.

    I have heard the term DNS a million times but don’t really understand it

    The oversimplified version is that it’s “the phone book of the internet”. Users domain requests are sent to it and then it forwards said requests to the appropriate IP address.

    I’d like to let family access my media server, are there any considerations I need to make?

    Are you hosting on a VPS or a home server?

    How can I use one domain to access multiple services on my server?

    Subdomains

    Do I need to pay extra for subdomains?

    No.

    • softotteep@pawb.social
      link
      fedilink
      English
      arrow-up
      0
      ·
      14 days ago

      I’d recommend Caddy for newbies. Not only is the configuration generally easier than NGINX, but it also handles all your certificates completely automatically.

  • foremanguy@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    14 days ago
    1. You need port forwarding and hosting a reverse proxy into your infrastructure
    2. You shouldn’t really worry about DNS in that case, only make sure you’re domain resolve to the right IP
    3. As I said in 1. you will have to port forward to get access from outside (maybe you want to setup fail2ban on the reverse proxy to limit a bit spam)
    4. Reverse-proxy. No, you own a part of the domain so all the subdomain are belonging to you as well. Ex. When you buy test.com you don’t buy the com domain but you buy media.test.com for example
  • pmk@piefed.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    16 days ago

    My general advice at this point is, if you haven’t already, to document the setup for your future self. It quickly gets out of hand with the amount of passwords, credentials, certificates, firewall settings, docker containers left and right, configs, workarounds, custom shell scripts, ansible scripts, git repos, backup locations and passwords, etc. Right now everything is fresh in your mind, but 6 months from now you may need to restore from a backup or an OS upgrade goes wrong, and then you’ll appreciate being able to remember the details.

    • lyralycan@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      I second this! I’ve learned to note everything down during my experience installing services with Proxmox, and have recently started converting my notes to Public guides, just in case it helps anyone to not start from scratch

  • Strider@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    15 days ago

    Someone has to say it: when you’re asking these questions it shows that you still have a lot to learn. That itself is fine.

    But you’re at significant risk when putting a service on the internet so it would be best maybe to have someone at your side to assist you with beginner mistakes.

    • Tangent5280@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      What is your opinion on using Claude or similar to cross check decisions for robustness? Yay or Nay?

      • Strider@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        I think it can be a good thing, and while it is better than not doing it it is no comparison to an expert. This is not to say it’s worthless or anything though!

      • Rekorse@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        14 days ago

        You won’t be able to tell if Claude is giving you good answers or not. You’d have to have someone who knows about this stuff check it for you, but at that point you should just have that person help you.

    • philanthropicoctopus@thelemmy.clubOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      11 days ago

      Your not wrong. I guess that’s why I’m posting here, just trying to figure how what I’m doing and what it all means

      If you have any advice for learning I’ll definently look at it

      • Strider@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        11 days ago

        Hmm, I would propose setting things up in your LAN step by step. But it would take a long time.

        • setting up your own dns
        • setting up your own webserver

        It’s something someone experienced could make (poc style - proof of concept) in an hour or so, just to show how it works, but it’s a lot for a beginner.

        Still, you could start making a simple Webserver hosting a page and then setting up dns for it and pointing a client to the dna server and see how that works.

        It’s infinetly expandable.

  • irmadlad@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    15 days ago

    Now what

    Congratulations on the new domain name! Now what? Well, first you don’t tell anyone here what it is. /s Since you are already with Cloudflare, why not go all out and set up Cloudflare Tunnels/Zero Trust? Once you install Cloudflare Tunnels/Zero Trust on the server, you no longer need to do all that port fiddling, NAT fiddling, none of that. If you decide to go the Cloudflare Tunnels/Zero Trust route, I have some set up notes you might find beneficial. I’d be more than happy to share them. It isn’t that setting up Cloudflare Tunnels/Zero Trust is hard, but it was a bit touch and go for me, but I got there, and wrote that shit down. LOL

    @pmk@piefed.ca has some great advice about documentation. DO IT! Write everything down during deploy. After a successful deploy, distill your notes and clean them up. Make them a part of your 3,2,1 backup scheme.

    • Jason2357@lemmy.ca
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      I just don’t get this take of getting your own domain and seld-hosting, but run it all through cloudflare. Its sad.

      • flandish@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        some folks dont want to manage a server and instead just host a static site at something dot com and move on. being an eng for well over 25 years now, i really only care to expose what i self host at home to the public through wireguard and then “locally” hit my svcs. wireguard goes down? cool. fix when i get home.

        • Jason2357@lemmy.ca
          link
          fedilink
          English
          arrow-up
          0
          ·
          15 days ago

          I absolutely agree, to the point where I thought you were agreeing with a different post I made. This is the way!

          There are lots of free or nearly free ways to host a static site with your domain, and basically walk away from it for years at a time just fine. I wouldn’t use Cloudflare just on principal for just static site hosting, but its fine I guess. All the software forges host pages for free, and a bunch of smaller outfits like Neocities. Even a static site on a VPS is nearly zero maintenance. When was the last time there was a CVE for remote code execution that would effect a Linux VPS hosting only a static webpage via Caddy or Ngnix and key-based SSH? (I don’t actually think there has been one).

          Absolutely, I use a VPN for self hosted services I can’t be bothered to secure properly and don’t need exposed to all that mess. Wireguard is amazing. I used OpenVPN for years and it was such a pain in the ass mobile. I remember when it first came out, I set it up and made a SIP VoIP call with my phone. I could toggle between WiFi and cellular networks without the audio even glitching, let alone a call dropping. That was honestly like black magic back then.

      • foggy@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        That’s a gatekeeper-ass take. It isnt sad in any way shape or form. What an elitist proclamation.

        If you build your own infra internally and want a billion dollar industry to be your point of entry because you’re not confident in hardening a vps or don’t wanna pay for that on top of everything else (yet), so the fuck what?

        REEEE YOU MUST OWN ALL OF YOUR INFRA

        🙄

        Get bent. If cloudflare goes down again (for another whole handful of minutes, the horror!!) they are clearly ramping to make the jump to a VPS when the finances and/or cybersecurity chops feel ready and the needs arise. “Sad”? Please. Get off your high horse. You make the rest of self hosters look bad.

        • non_burglar@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          15 days ago

          I mean, there’s a difference between not gatekeeping when talking about cloudflare and completely waving Cloudflare’s banner on your front lawn.

          • Cloudflare has full access to your traffic, and privacy is a very strong motivator for a good chunk of self-hosters.
          • You might also be interested in Cloudflare’s unending string of bad actor captcha redirects that Cloudflare inexplicably won’t resolve, for all their 800lb gorilla strength in warding off DOS volumetric attacks.
          • Another thing you would think Cloudflare has resolved: captcha hell.

          So yeah, I wouldn’t have phrased it the way original comment was phrased, but holy cow, bro… Cloudflare is far from perfect and the people that will have existential problems with Cloudflare are very likely to be self-hosters.

          • foggy@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            15 days ago

            I’m not out here to Stan for cloudflare. It’s just a totally valid tool for the job, there are valid reasons to use it, and as we agree, it’s not productive to tell a newcomer that their choice of meeting their needs is “sad”

            In fact, it’s an unwelcoming thing to say. If we want folks to stop using cloud services, we can’t shame the valid paths to get there.

        • Jason2357@lemmy.ca
          link
          fedilink
          English
          arrow-up
          0
          ·
          15 days ago

          Sorry to have made you upset. I consider Cloudflare to be the “gatekeeper” here.

          I have seen all the walkthroughs and it looks like the worst of both worlds -false sense of security and more complexity and weird non-transferrable knowledge than first glance. I suggest they use a VPN to connect to anything you can’t secure easily, as there are lots of options, and far smaller attack surface than a Cloudflare “protected” (hint: its not protected from anything but the lazyest automated attacks) proxy.

          Note: I understand moderate sized businesses using Cloudflare because DDOS attacks for ransom are a thing and a days outage can cost a lot of money. But its a protection racket and I don’t blame victims.

          • foggy@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            15 days ago

            I think you missed my point. You are mistaking your preferred architecture with moral superiority.

            Cloudflare is not “gatekeeping” someone from self-hosting. It is an optional tool. A person choosing to use it because they are new, budget-conscious, or not ready to expose services directly is not sad, fake self-hosting, or somehow philosophically impure.

            You can absolutely argue that Cloudflare has tradeoffs. That is fair. It adds dependency, abstraction, and vendor-specific knowledge. It is not magic security dust. No disagreement there.

            But telling a beginner “this is sad” because they are using a mainstream protective layer while learning is exactly the kind of gatekeeping that makes self-hosting communities hostile to newcomers.

            Also, “just use a VPN” is not a universal answer. VPNs are great for private admin access. They are not always the right solution when someone wants family members to access media or services without managing VPN clients, device support, troubleshooting, and onboarding. Different threat models, different usability needs.

            The helpful response would have been: “Cloudflare can be useful, but understand what it does and does not protect you from. Don’t expose admin panels. Use MFA, strong auth, least privilege, good backups, updates, reverse proxy rules, and keep anything sensitive behind a VPN.”

            That is useful advice.

            “This is sad” is just self-hosting purity signaling.

            I have tagged you as “selfhosting gatekeeper” for future reference.

        • lightnsfw@reddthat.com
          link
          fedilink
          English
          arrow-up
          0
          ·
          15 days ago

          There’s nothing wrong with wanting to keep corporations out of your stuff. Everything ran by them is constantly enshittifying. It’s their nature to do so. What happens when cloudflare rugpulls you?

          • foggy@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            15 days ago

            There’s plenty wrong with shaming people en route to that path for not being 100% there.

            That is all I said.

              • foggy@lemmy.world
                link
                fedilink
                English
                arrow-up
                0
                ·
                15 days ago

                this is sad

                They literally led by throwing shame unto OP.

                That’s how they opened their response.

                It is not sad. Suggesting it is sad is a “gatekeeper-ass thing” to say.

                • lightnsfw@reddthat.com
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  15 days ago

                  Saying something is sad isn’t shaming it. It’s saying it makes you sad. Which can be caused by whatever depending on the purpose. You wouldn’t say someone expressing that at a funeral was shaming the deceased would you?

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    15 days ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    Git Popular version control system, primarily for code
    ISP Internet Service Provider
    NAT Network Address Translation
    SSH Secure Shell for remote terminal access
    TLS Transport Layer Security, supersedes SSL
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)
    nginx Popular HTTP server

    [Thread #36 for this comm, first seen 2nd Jul 2026, 12:10] [FAQ] [Full list] [Contact] [Source code]

  • frongt@lemmy.zip
    link
    fedilink
    English
    arrow-up
    0
    ·
    16 days ago

    I would strongly encourage continuing to use tailscale or another VPN. The more you expose to the Internet, the more opportunities you present to an attacker. If you family also uses the VPN client, they can access the systems in the same way.

    Plenty of learning material out there on DNS. But no, you don’t have to pay extra for subdomains. You can put the records up on cloudflare or host them internally. Generally it’s considered bad practice to put local records in public DNS, but it doesn’t actually matter that much.

    You can set up a reverse proxy to route traffic to each service based on the domain name used. Most people use caddy, some use traefik, and some use nginx proxy manager.

    • someonesmall@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      16 days ago

      This. Do not expose any service to the internet or even LAN. All clients need to connect via VPN to your machine, no matter if from LAN/home or on the road (WAN/Internet). You can still use a reverse proxy and custom domain names so inside the VPN network everything is HTTPS and each service has a nice domain name.

      • valar@lemmy.ca
        link
        fedilink
        English
        arrow-up
        0
        ·
        16 days ago

        This seems a bit extreme to me. I have services exposed to the Internet, with reverse proxy and auth.

        • queerlilhayseed@piefed.blahaj.zone
          link
          fedilink
          English
          arrow-up
          0
          ·
          16 days ago

          I think it’s good advice for beginners. If you’re inside a VPN you get a little more breathing room to figure out how to properly provision and wire up your services without having do deal with all the security and scaling concerns that can come from public hosting. Also, new hosters are really likely to set up their reverse proxy and not patch it and leave it open to known vulnerabilities that get exploited months or years down the line… not that that ever happened to me…

          Anyway, I think inside a VPN is a good way to get your feet wet. Setting up a public website is fun but I wouldn’t advise it as a first step.

    • philanthropicoctopus@thelemmy.clubOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      16 days ago

      This is where I get really lost. I’m probably going to get this wrong so here goes

      My understanding was tailscale is to connect different machines across the internet, but that a traditional VPN hides your information

      I got a domain so I could use my traditional VPN and access my server. At the moment, every time I want to access my server, I have to turn off my VPN so I can turn on tailscale. That’s the exact scenario I’m trying to avoid by getting the domain.

      Again, I’m sure I’ve got some stuff wrong here but that’s my current understanding

      • frongt@lemmy.zip
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        If you really want to, you can use tailscale to home, then route your outbound traffic over the other VPN. But that’s a bit tricky to set up and it’ll probably be pretty slow.

        Using a VPN for privacy is overrated, unless you have a government or ISP that is actively snooping on your traffic. The majority of connections are already encrypted with https.

  • valkyre09@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    16 days ago

    Cloudflare tunnels is a great way to expose services on your network to the web.

    You run a program in your server, it makes a tunnel, then you configure it on the website to visit the internal link in your network, eg

    If you’re hosting a web server at home, you could have something like:

    www.mydomain.net > http://192.168.1.55:8080/

    You can also have cloudflare protect access to that website with email verification, google / Microsoft accounts etc.

    It’s a lot to learn, but it’s very handy once you get the hang of it.

    Here’s a YouTube video on the basics: https://youtu.be/Q5dG8g4-Sx0?is=J7KvNZoyjsEq33fO

    • philanthropicoctopus@thelemmy.clubOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      16 days ago

      Thank you for this tip

      I have just set it up and holy shit it worked straight away! This is so exciting!

      My question, now that my apps are exposed to the internet, aside from having strong passwords is there anything else I should be doing to keep safe?

      I just read no media servers on free tunnels so I’ll have to use nginx for jellyfin

      • Svinhufvud@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        Using cloudflare tunnels means that the TLS is terminated at cloudflare. This means that cloudflare has the capability to snoop on your traffic, so you have trust cloudflare not to do that, especially if your traffic contains sensitive information.

        Also, the ‘no media in free tunnels’ is outdated information as far as I know, so be sure to check up to date information on that.

  • Svinhufvud@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    0
    ·
    16 days ago

    I recommend you make A and AAAA records for the top level domain you own, and then set the needed subdomains as CNAME entries.

    example.com points to your IP addresses, and the subdomains point then to your top level name.

    This avoids you having to point a new IP at multiple places (be it manually or by dyndns) when/if your public IP changes.

    Then you can set up a reverse proxy (caddy for example, it comes with automatic TLS), bind ports 80 and 443 to it, and route the traffic based on the domain name a client is trying to connect to.

    So jellyfin.example.com would lead to your reverse proxy which would forward it somewhere internally, say 192.168.1.10:8096 for example.

    This way you can use one top level domain for multiple services, and not have to specify ports when connecting externally

    • lyralycan@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      15 days ago

      I kept all my certificates separate - have I been wasting time with 15 subdomains each with their own cert and A record? I have wondered. And then set in my reverse proxy a single domain.tld cert for each entry? TIA.

      I wrote bash scripts to run via cron to keep my IPs updated, using Cloudflare API. It’s probably useful to other folk but as I used to need just v4 addresses I made one separate script for v4 IPs, v6 IPs and proxied, but it wouldn’t take long to combine. Here’s my v4:

      #!/bin/bash
      CLOUDFLARE_API_TOKEN="<api_here>"
      ZONE_ID="<zone_id_here"
      DOMAINS=({subdomains.,www.}domain.tld)
      log="/opt/ddns/log_$(date +%F).txt"
      result=""
      CURL="/usr/bin/curl"
      JQ="/usr/bin/jq"
      IP=$($CURL -s http://ipv4.icanhazip.com/)
      echo $(date +"%FT%T")>>$log
      echo "Performing v4 proxied domain IP address check...">>$log
      
      # Get v4 records
      for DNS_RECORD in ${DOMAINS[@]}; do
      DNS_RECORD_ID=$($CURL -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?type=A&name=$DNS_RECORD" \
        -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
        -H "Content-Type: application/json" | $JQ -r '{"result"}[] | .[0] | .id')
      
      # Get each record's IP
      current_ip=$($CURL -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \
        -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
        -H "Content-Type: application/json" | $JQ -r '.result.content')
      
      # Check if the IP addresses are different
      if [[ "$IP" == "$current_ip" ]] || [[ "$IP" == "" ]]; then
        continue
      fi
      
      echo "IP address for $DNS_RECORD has changed from $current_ip to $IP. Updating record...">>$log
      result="$result${DNS_RECORD%%.*}, "
      
      # Sets the new IP if different
      response=$($CURL -s -X PUT "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$DNS_RECORD_ID" \
        -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data '{
          "type": "'"A"'",
          "name": "'"$DNS_RECORD"'",
          "content": "'"$IP"'",
          "ttl": 120,
          "proxied": true
        }')
      
      if [[ $response == *"\"success\":true"* ]]; then
      echo "DNS record updated successfully">>$log
      else
      echo "Failed to update DNS record for $DNS_RECORD. Response: $response">>$log
      result="$result\nFailed. See log."
      fi
      
      # Sends information to webhook
      unset DNS_RECORD_ID
      done
      if [ -n "$result" ]; then
        $CURL -X POST -d '{"result": "'"$result"'\n'"$current_ip"' -> '"$IP"'"}' "<home_assistant_local_webhook-delete_this_block_if_unwanted>" -H "Content-Type:application/json"
      fi
      echo $result>>$log
      echo $'Done.\n'>>$log
      /opt/ddns/cloudflare_ddns_v4_direct.sh # This triggers the next script
      
      • Svinhufvud@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        A single wildcard CNAME that points to your domains A record is easier to manage I would say. This comes handy when you add a new service to your stack, as you dont have to go and make a new subdomain record.

        You already seem to manage all subdomain updates with that script, so it won’t help you much with dyndns. That is, unless you hit a rate limit when trying to update a very large amount of records at once.

        Keeping separate TLS certificates is a separate topic from having a single wildcard CNAME record. Separate TLS certificates offer a slight security advantage over a wildcard cert, as a single leaked certificate secret wont compromize the rest of your sites.

  • darklamer@feddit.org
    link
    fedilink
    English
    arrow-up
    0
    ·
    16 days ago

    I have heard the term DNS a million times but don’t really understand it.

    Learn about DNS, it’s the glue that holds the internet together, any time you spend on learning more about DNS will quickly pay off. You probably already know that it’s what maps domain names to IP addresses and vice versa, but it can be used for loads of other useful things too.

    (My own two favourite not well known but totally standardized really convenient things to use DNS for is to provide SSH host key fingerprints through DNSSEC and requesting letsencrypt certificates for host names without any webserver.)