Need some guidance. Multiple websites on one IP

My domain is:pharpe.duckns.org

My web server is (include version):home assistant core-2021.3.4 and Ombi 3.0.5223

The operating system my web server runs on is (include version):
Ombi is running in a docker container on centos 7-8.2003.0.
Home Assistant is running on Home Assistant OS version 5.12

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): not using a control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not using certbot

I have the Duck DNS and Let's Encrypt plugin installed on Home Assistant. It is set up and working. I am setting up Ombi on another server that has its own web interface that I would like to configure to use SSL encryption via Let's Encrypt. I have been reading lots of guides and I'm thoroughly confused.

  • Is the Home Assistant plugin going to work or do I need to install a stand alone Let's Encrypt?
  • Does Let's Encrypt need to be running on each server hosting a web application?
  • How do I configure my router to send SSL traffic to multiple internal IPs? Currently setup to forward all 443 traffic to my Home Assistant IP on port 443. How does it determine what 443 traffic goes to which IP?

Thanks for any help

How do you mean? "Going to work" for what? For Ombi? If you mean for Ombi, well, no or "probably not". The Let's Encrypt certificate will be installed on the HomeAssistantOS' system without Ombi having access to it. And while I'm not 100 % certain, I'm fairly sure it's difficult to configure your HomeAssistantOS as a reverse proxy, see below for more info about that.

Not necessarily. There's something called a "reverse proxy" where webserver A can pass through requests for a certain hostname or even path to a separate webserver B, usually on the local network or sometimes just on the same host, but to a different port number for example.

Most home routers can't do that. Perhaps some professional routers have some kind of reverse proxy feature, but I'm not familiar with any home routers with such a thing.

The most versatile server is probably your CentOS server, so I would recommend setting up a webserver configured as a reverse proxy on port 443 on it, which can pass through requests for Ombi and Home Assistant to the appropriate webservers. This reverse proxy webserver would be the only one with a Let's Encrypt certificate, assuming the network between your CentOS and HomeAssistantOS servers is secure enough that it doesn't require TLS encryption between them.
Your Ombi on Docker could be listening on localhost:8080 for example (HTTP only), as it's sharing its system with the reverse proxy webserver. Your Home Assistant can listen on its default ports. Your reverse proxy would be set up to pass through all requests for Ombi (based on subdomain/hostname/path) to localhost:8080 and all requests for Home Assistant to internal.ip.of.homeassistantos:80, also based on subdomain or path.

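To make the layout described in the reply above concrete, here is an added example nginx configuration for the CentOS host (it is not part of the thread and not Ombi's or Home Assistant's own documentation). The router forwards 80 and 443 to this host; nginx terminates TLS with a single Let's Encrypt certificate and picks the backend from the HTTP Host header (which, for HTTPS, is the same name the browser sent as TLS SNI). Everything specific is an assumption: the hostnames ombi.example.duckdns.org and ha.example.duckdns.org (both must resolve to your public IP; DuckDNS subdomains of your name do), a certificate under /etc/letsencrypt/live/example.duckdns.org/ that covers both names (a SAN certificate, or a wildcard obtained with DNS-01), Ombi on 127.0.0.1:8080 as in the reply, and Home Assistant at 192.168.1.20 on its default port 8123 rather than port 80.

```nginx
# Added example, not from the original thread. Drop into /etc/nginx/conf.d/
# (so these directives sit inside nginx's http context). Assumptions: two
# hostnames, one SAN/wildcard cert, Ombi on 127.0.0.1:8080, Home Assistant
# on 192.168.1.20:8123, the proxy host itself at 192.168.1.10.

# Home Assistant's frontend runs over a WebSocket; without this map and the
# Upgrade/Connection headers below, the UI loads but never connects.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# One certificate for the whole proxy (http-context ssl_* applies to every
# TLS server block below). Paths are an assumption.
ssl_certificate     /etc/letsencrypt/live/example.duckdns.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.duckdns.org/privkey.pem;
ssl_protocols       TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache   shared:proxy:10m;

# Port 80: answer HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name ombi.example.duckdns.org ha.example.duckdns.org;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # webroot handed to the ACME client
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Catch-all: anything that arrives on 443 with a Host we did not configure
# (IP scanners, stale DNS names) is dropped instead of being proxied.
server {
    listen 443 ssl default_server;
    server_name _;
    return 444;
}

# Ombi, same host as the proxy, plain HTTP on loopback only.
server {
    listen 443 ssl;
    server_name ombi.example.duckdns.org;

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}

# Home Assistant on a separate box on the LAN (unencrypted hop inside the
# LAN, which the reply above accepts on purpose).
server {
    listen 443 ssl;
    server_name ha.example.duckdns.org;

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        proxy_pass         http://192.168.1.20:8123;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        $connection_upgrade;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 3600s;            # keep long-lived WebSockets open
    }
}
```

Two checks before relying on this: run `nginx -t`, then from outside your network confirm that each name selects the right backend (for example `openssl s_client -connect your.public.ip:443 -servername ha.example.duckdns.org`, and then an HTTPS request for each name). Home Assistant will also need to be told to trust the proxy, otherwise it sees every visitor as 192.168.1.10 and, once you turn on its IP-based login protection, bans the proxy itself: in its configuration.yaml set `http: use_x_forwarded_for: true` with `trusted_proxies:` containing the proxy's address. With this in place the Let's Encrypt add-on on Home Assistant is no longer needed for external access, and the ACME client on CentOS is the only one that has to run.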

Thanks! This makes sense to me now at a high level. Is there a guide out there that can help me with the details?

If both systems can get their own Let's Encrypt certificate using a DNS-01 challenge, then it might be simpler for you to just change forwarding on your router, to have some other port (like 8443) forward to port 443 on your second device, while the "regular" 443 continues to go to your existing first device. Then you just go to https://example.com/ or https://example.com:8443/ depending on which device you're trying to access. This might not actually be easier (as I'm not familiar with the particular devices you're using), but it's another option you might want to explore.

The other option is to challenge your assumptions a bit, and ask why you need to have them on one IP? If your ISP has caught up with the technology from decades ago and assigned you an IPv6 block, you should be able to just have different IPs on different devices, rather than this NAT-craziness of trying to deal with mapping "internal" and "external" IPs, and each device can just do its own thing with its own name and certificate like the Internet standards originally intended.


There is a lot to find about setting up a reverse proxy, with a lot of different webservers. Personally, I have installed nginx on my Raspberry Pi, but this might be a little bit overkill, as it's only functioning as a reverse proxy. I don't have experience with different software, but there are some lightweight applications out there which can act as a reverse proxy. For example, see the list on "8 Top Open Source Reverse Proxy Servers for Linux".


If you want a router/firewall appliance, both pfSense and OPNsense handle this sort of thing nicely (using HAProxy). But I'm likewise unaware of a true consumer-grade router that has a reverse-proxy feature.


I have an EdgeRouter ER-4. I'll look into whether that can run a reverse proxy.

I don't think it does, but I haven't checked in a while.

If your router doesn't support it directly, there's an alternative way to do it:

  • Set up suitable reverse proxy software (I like Caddy, but Traefik and HAProxy are also popular for this, or you could instead do it with Nginx or Apache) on a suitable OS in a virtual machine in your network. I understand there's a web control panel for Nginx as a reverse proxy, which could simplify this.
  • On your router, forward ports 80 and 443 to that VM.
  • Configure whatever reverse proxy software you installed above to handle the applications in question. You'd generally also set up the reverse proxy to handle all the certificates and TLS termination.

Doesn't necessarily have to be in a virtual machine, though.


Fair enough, it could just as well be on a spare Raspberry Pi you have lying around, another dedicated hardware server, a Docker container, etc. I think the VM is going to give you the greatest software flexibility with the least (i.e., zero) hardware cost, but there are plenty of ways to skin this cat.


Or just install it on the CentOS server which is already present, without any complicating fuss.


Other than needing to adjust the ports that existing services are listening on, perhaps. But sure, it could do it without needing to set up another environment.

