Welcome to the HomeLab Show, episode 28: Own Your Domain. And this is Tom Lawrence. And Jay LaCroix. Yes, and we decided we need to talk about this before there's a whole list of things to come after this. You know, reverse proxies and kind of fun things and maybe email talk, but you have to own a domain first to get a lot of those working. So we thought this is a good episode to put in front of all those other episodes that we want to get to. We're starting to build a tree of all the different things, but each one of these has a base before it splits off to the little trees of the things you can do with it. That's some of our thought process on this. Yep, we had all the discussion on it, and there were a few things, without spoiling anything, that we're considering talking about, and without this discussion, it's like, well, we'll have a lot of backtracking to do. Yep, but that does start with buying a domain. We don't have any recommendation for who to buy the domain from, but we do have a recommendation of who can handle DNS and maybe some of the things you want to host when you're on your domain, and that would be Linode. If you're listening to this podcast right now, you are downloading it from the Linode servers that host the HomeLab Show. We've been Linode users, both me and Jay, for a while. Jay, much more extensively; how much of your infrastructure is run on Linode? Everything that's internet-facing at this point. Like, nothing internal to my HomeLab at this point is internet-facing. So VPN is what I use to get into my HomeLab, but everything that's public-facing I throw in Linode, and it's been a great service. Yeah, it's really nice, and it supports, and this will be very relevant later, Linode supports the DNS challenge for doing the ACME certs. Am I correct on that, Jay? Because I'm not using it for that yet. I'm going to. That's what I use, yep, that's what I use, yep.
As a matter of fact, if I'm not mistaken, our friend Phil, who you may remember if you remember me and Jay being on the Sunday Morning Linux Review, more news on that at some later date, we're trying to revive some of that, but anyways, he actually helped write some of the code to activate this. I remember he did some pull requests to fix a few things to get that activating properly. So yes, and the cool thing about doing that when you own a domain is the fact that you don't have to open up any ports to do it. That's where the DNS challenge is, for those of you that don't know; it's all done through API. So it's one more good reason to use Linode, and if you decide you want to use Linode, we do have an offer code down below in the description. So go ahead and use that and get started with Linode and get your domain and point it over there, get the DNS set up. It's all kinds of fun stuff you can learn. So I guess the first thing about buying domains is gonna be where, and do you have a preference, Jay? I like Hover. I'm gonna say, it was funny, I didn't ask this before, we didn't even discuss this part of it, because I said we don't have a sponsor for where to buy domains, but I use Hover, Jay uses Hover, and actually I just learned Jay uses Hover, and in a look before here, it was kind of a guess, but I assumed. One of the easier ones out there, they have a lot of different, well I think they have all the common, or at least most popular, top-level domains, so you can really find something on there. Now there's no offer code or recommendation, that's just what we use. One of the reasons I use them though, and probably the same reason Jay uses Hover, is because if you've ever used GoDaddy, and I can't express my annoyance with them enough, they are like an upsell machine.
They go try to pack on every service they can to try to bug you about it, that's always been the case with them, they have a lot of little aggravating things they do, and Hover is just domains, it's really simple, and that's one of the reasons I like them, and they offer free email forwarding, so so much simplicity in it, and I don't know, someone said they don't do it anymore, they used to have their service where they offer to migrate domains for you automatically, I think they call it their concierge service, or something, you just fill it out and they'll call them, they would move all the domains from one of the other carriers over for you, but they're really simple to use, their interface and their focus are simple, they just sell you domains. And you mentioned GoDaddy, I think the only company that might be worse is Network Solutions, like I remember using them with the previous company I worked for, and everything was a chore. I was on GoDaddy before I knew better, like a long time ago, and when I moved all the domains off of that and onto Hover, that was a great time because I didn't have to deal with it anymore. And I like Hover a lot for all the reasons that you mentioned, they don't do hosting, it's domains and email, you can't buy a cert from them, they're very targeted on what they're for, they're not trying to get into too many things, which is what I like. I like the customer service as well, I think that's one of the reasons why I like to use them the most is the customer service. Now the lack of hosting doesn't bother us, right?
We just need a domain and we need a place to buy it from, and for email, I often recommend them for email too. I wanna say it's like $25 a year, plus the cost of a domain, for an email package, if you don't wanna run your own server, if you wanna get away from Gmail. There's other solutions out there too, they're obviously not the only one, but I think their email service is great, I often steer my clients in that direction, they seem to like it quite a bit, so between the domain and email, I think they pretty much have it covered. Yeah, and they're very upfront about the pricing, because I've seen someone in the chat right away say, some of these places are really cheap on their offering, but then the renewals are really high. Yeah, because of the pain of moving and the convenience of just having the same registrar and them slowly increasing the price, or not so slowly, just slapping you with a high price on there, that can be an aggravation. But the bigger point is not where to buy them, it's why should you buy a domain? And that's the real crux of this issue here. And by the way, you already know you should be hosting it on Linode, if you're not hosting it at home or on your HomeLab servers, use the Linode offer code and host it on Linode, so we got that part sorted out.
Yes, we do, and a domain is kind of fun, it gives you this enterprise-seeming quality of your HomeLab even though it's a HomeLab. I mean, make no mistake, some of us, we put more effort into our HomeLab than system administrators put into their business network sometimes, but having a domain is almost like making it official. Obviously it's just a name, but at the end of the day, it's great to have, and then if it's something cool, something catchy, it's like, if you wanna VPN into your home network, it could be vpn.yourdomain.com, and that's your domain, so it could get you right in there. It's just easy to remember, you can have subdomains for all of your servers to get to them easily, and you can integrate it with the DNS inside your HomeLab so that way everything resolves, and there's a little bit of a strategy I think we'll get to later that Tom and I were talking about last night as far as some of the clever workarounds that you can do to kinda make it even better. Yeah, and another, one of the things that's really important is owning your email address. Now, the email wars aren't what they used to be, because I had an original @Home address, and @Home used to be one of the big first, well, I think it was one of the first big cable hosting providers, and one of the problems is when they went belly up, your email went with it, because they got sold off and eventually became, I think, I don't know if it was Comcast or WideOpenWest bought some of their assets for different internet providers. But it was common in the early days, 20 years ago, that you just got an email address from one of those providers, but the problem is if a provider changes, they change their domain, you suddenly have your email changed, and this is one of the really good reasons to own your domain.
Even if you're forwarding it on the back end, having a consistent email address on the front end is a great reason to own a domain, and another bonus, and I actually know a lot of you that sign up to my forums do this, and hey, thumbs up for doing it, I don't blame you. They come up with custom email addresses at yourdomain.com when you register for different things, such as my forums. So someone will create an email address, tomsforums@yourdomain.com, and what they're doing is, they wanna see if Tom sends spam or starts marketing or sells their address, because you would very much know, if you only used it in one place, where that place is that sold that domain or sold your information. So it's another kind of bonus is, one, you can have a consistent email address, and two, you can come up with custom email addresses instead of having to use a junk email all the time, because I bet all of us still have a Yahoo email address somewhere that's just collecting all the spam for everything we signed up for, but then you have the trouble of checking it and things like that. Having a consistent domain like that is very helpful in that aspect as well. And it's a lot of fun when you are buying something from a retail store in person, and they're like, do you wanna sign up for our list? And I'll say no, but you'll save 10%, I'm like, okay, fine, what's your email address? spam@mydomain.com. The look on their faces is priceless, but it is a real address. It's just that in my email client, anything that comes into spam@thedomain.com is automatically, because of a rule, put into the spam folder, even if it's technically not spam. So that way, I have that little extra thing to give out and that checks the box. Yep, it's a really nice convenience. We have so many silly email addresses registered for lawrencesystems.com. I wish I could tell them, but then people would spam them and it would ruin it, but there's some funny ones that we do for different things.
Once you start doing it, it becomes part of how you manage things and logins. As a matter of fact, from a security standpoint, not knowing what email address I used to register for a service, if that service ever gets dumped or something like that, it's one more component, like, oh, I think I know this password, but oh, wait, the email address isn't the one I would suspect he would be using for this. So it can add that little bit of obscurity to it. So that's one of the other advantages of having your own domain. Another one about email, and then we'll get off the email subject, is a lot of people will use their ISP email. And at first, it might not seem like that's a big deal, but if you move and then that provider is not available where you move to, I mean, depending on the ISP, you might be able to pay to keep that email, but probably not. So now you're bothered with letting everybody know what your new email address is, but if your email address is independent of your ISP, you could just carry that with you. And similarly, I have a lot of clients that'll call me, and I hate this call so much, but I love to help people out, but there's nothing I could do about this when they call me and say, my Yahoo email dashboard is completely different. Please work with me to change it back. And I'm like, well, I can't, because Yahoo is Yahoo. And first of all, why are you as a business using a Yahoo email? But anyway, no, I can't just call Yahoo and tell them that they need to switch it back because you don't like the interface. If you don't own an email address, you go the direction that your provider goes and that's it. I don't really have a say in that. Yeah, yeah, definitely. Those are all wonderful reasons for it. Now, the next reason really comes down to being able to, and you may have seen this, if anyone's watched my videos and Jay's videos as well, we use the fully qualified domain name, and they can be used not just externally, but internally.
So we're gonna, what do you think about that, Jay? That's probably a good place to start. I think it is a great place to start. And I think what I wanna do first and foremost, and I apologize if there's background noise because the lawn service just decided that right now is exactly the time to do the lawn. But one thing I wanna get out of the way is this very common misconception, which is very common from people that come from a Windows environment or a Windows work environment, where they think, when we say domain, they think what we're talking about is a domain controller. Yes, you can set up a domain controller in your home lab. There's nothing stopping you from doing that, but using a domain in your home lab does not require a domain controller. They are not one and the same thing. We're talking about Active Directory, which is essentially an LDAP server for authentication. And often an administrator will check the box to have it be the domain controller, the DHCP, all of those different things in one box. So when people first get into this, they think of a domain in your home lab as in setting up a domain controller, which again, you can do, but you don't have to do that. So that's kind of the place to start, I think, is that misconception. I don't know if you get that question a lot, but I seem to get that one where people think that you need a domain controller specifically. And of note, despite your ability, and for example, my domain being lawrencesystems.com, there are people who may do things like name their Windows domain the same as their website. Don't do that. That will cause you some drama when you're trying to get to your website from inside your network, because it'll always want to redirect to the other server. Just a side note, I'm not going to dive deep into the topic. Just don't give it the same name exactly as your main domain if you are setting up a Windows domain. Yeah, I totally agree, yep.
So you buy the domain from Hover or wherever else, and you have the domain. So, okay, now what, right? You have a domain, and obviously if you're hosting something on Linode or some other provider, you could attach that domain to your website, then you have a website of that domain, which is the lowest level of this, but we're talking about HomeLab though. So how exactly do you map a domain to your HomeLab? Now, the first thing I think we have to get out of the way is static IP versus DHCP IP from your ISP, meaning is your ISP, do they offer a static IP service? And I think all of them do, but most of them limit that to the business internet. So that means, I would venture a guess that the majority of our audience is probably not going to have access to a static IP from their ISP. Obviously I have business internet, so I can do that, and you do too, because I think we have the same provider. So they charge you more for it, obviously. I don't know if I would say it's worth the extra cost to just say, hey, give me a static IP, and then get a business account, because they'll charge you for it. So if you could get a static IP, it's easy, because you just make your records point to that IP address. And often if an ISP gives you a static IP, they'll give you several of those. So you could say my Proxmox is this one, pfSense is that one, you could kind of just assign them that way. But that's probably out of reach for most. I think a lot of people are going to need dynamic DNS. So the idea is you have things internally, you wanna access them from your domain. So how do you do this? Now, one way that you could do this is using dynamic DNS, like I mentioned, and what that'll do is give you a, basically a domain name, but the problem is it's not going to be one that you chose. I mean, they'll give you some options, but it could be like user457810.something.something.dynamicdns.com or whatever it is, and it's this long thing. It's like, well, how do you remember that?
I mean, the whole point of getting a domain is to make it easy to remember. And if you use a dynamic DNS service, that kind of negates the point, but one workaround here is that you could use a CNAME, which you could point, basically, you could point your actual domain that you purchased to your dynamic DNS domain name. And you don't have to remember that anymore. And the beauty of this is that if you change dynamic DNS providers, you can just change the CNAME and you're done. So that's one way that a lot of people doing HomeLab can experience the benefit of a domain without having to get the static IPs. You might not even be able to. So a CNAME might be a way that you can do this, and most of these providers have agents that run within reach of your cable modem. And if your IP changes, it'll update the dynamic IP on the dynamic DNS service. So that's one thing that you can do to consider, or consider for starting. The nice thing is, and maybe this might be a little bit more of a deep dive at some point, is explaining all the different things for DNS. I've seen people asking about email, and one of the things you can do is, even if you're hosting a domain and you point all your DNS at Linode, you can have separate mail service, such as G Suite, Office 365, or insert name of your favorite mail hosting company that you maybe want to use, or go all out and hate yourself a little bit more and host it yourself. But then once you start understanding all the different record types, like a CNAME, the A records, and understanding how that works, it actually becomes very, it sounds very complex, but it ends up being relatively simple when you do this. You just match the CNAME to the dynamic DNS, and as the dynamic DNS keeps changing, it's no big deal. Your domain always stays the same. Yeah, and so a quick example of this playing out just so everyone's on the same page.
So let's just say you have a VPN appliance and you want to VPN into your home network and you want vpn.mydomain.com. So first of all, you buy mydomain.com and you own that now, or whatever it happens to be. And then in your registrar, you create an A record for a subdomain. So you create vpn.mydomain.com as a subdomain, and then if you have a static IP, you could just obviously make the A record for the VPN subdomain the static IP and you're done. Or you make that a CNAME to your dynamic DNS name. And then, you know, at that point, you have it pointing to your home network. So then you could refer to your OpenVPN or whatever it is as vpn.mydomain.com. Now notice that at no point in this description did I talk about a domain controller, because like I mentioned, I think this is why it's confusing for a lot of people. They assume based on where they were that you need that. It's a value add. So here all we did was we bought a domain, we set the A record or a CNAME appropriately, and now it points to our home network. And at no point did we set up a server to handle this. It's just using an external registrar pointing to the cable modem. And now you actually have something pointing internally to your network. So that's one place to start. And then if you wanna add proxmox.mydomain.com or pve or whatever it is, you just create that one the same way. It's another subdomain. It could point to the same IP. You could point to the same IP hundreds of times. Actually, I don't know what the limit is, but you could just keep referring to it. And then we'll get to how we route the traffic later, but I think it's important to have the starting point of knowing what we wanna accomplish and what it actually looks like. Yeah. And one of the things I've seen someone pop in, and this is actually a really common question, I guess. What's the best dynamic DNS service? Honestly, I don't know, because I've never had to use one in the last 10 years.
So we don't, most of the stuff we do with this is commercial, and even my home, my IP address at home has changed only when I change out my router. For the most part, at least on the networks I've seen from Comcast, WideOpenWest and Spectrum, you don't really get an IP address change that often. So we don't run into too many problems with it. So it's hard to evaluate. And someone mentioned Cloudflare; I think Cloudflare offers dynamic DNS, Cloudflare is a pretty well-known name. Try any of them, and if it works well and doesn't break, awesome, and kind of go from there. It's a pretty simple service. I don't know that there's any of them that are particularly good or particularly bad at it. It's just updating the IP address. And if you're using something like pfSense, it's built in. There's a long list of providers built in, quite a few of them. So take the pick of whatever one looks like the nicest website. I've tried to remember the name of the one that I used. I hope somebody in the chat room knows this one. I used to use this before I had a dynamic or a static IP. And what was cool about this one is that it supported updating multiple services. So that was cool, because you didn't have to make that happen yourself. You could add a bunch of things that you want it to update, and it'll just proxy or do something to update all of those. I just wish I could remember the name of it. Now some routers that are available in the retail world, I know retail is not always something that we go for in HomeLab, I think some ASUS routers have dynamic DNS built into them. So you could just use that if you have it. And that might just do the trick. Otherwise, maybe if we, oh, DNS-O-Matic. Yep, someone mentioned it in the chat room. That's the one I used to use. I haven't used it in a while, but that was the one I used, DNS-O-Matic. And that's the one that'll update multiple services. That might be a good place to start if the router doesn't have that. So yeah, there you go.
There's a recommendation for DNS-O-Matic. Yep, so hopefully that covers that. Now ultimately, one of the things that we want to get to, because a lot of people just don't like clicking through the stupid self-signed certificates. And this is a pain, and putting everything in a reverse proxy is a little bit of a process. And the good news is, I have videos on this, the HAProxy videos, although still there's always a lot of questions. I've got three of them now. And the third one is just a troubleshooting video of common things people overlook. And even me and Jay had a discussion, because there were a couple of things that were a little bit confusing about the way the front end and back end is handled in there. So maybe me and Jay might dive into it again. It is a little bit of a complex topic, but once you take the time to understand it, HAProxy with pfSense combined with Let's Encrypt. So you do your DNS challenge response, which means you can get a wildcard Let's Encrypt certificate. Wildcarding it means for each domain, such as graylog.lawrencesystems.com, such as unifi.lawrencesystems.com, and all these different ones that maybe you've seen me use in my videos, they're all using the same wildcard certificate for lawrencesystems.com. This allows me to create any amount without having to re-register anything. I just create a DNS entry. Matter of fact, one of the things I showed Jay is you can look up some of my public-facing DNS and it resolves to local IP addresses that point to the HAProxy internally in our office for setup. There's, you know, I covered that in my video. Some people get a little bit confused, but once you kind of get the hang of it and understand where all the data needs to go and where it needs to point, you go, oh, this makes sense. And then you can start registering any servers you want in really a few clicks.
Once you have the base structure set up and you go, hey, I want to spin up another TrueNAS, give it a name or call it TrueNAS or TrueNAS one, TrueNAS two, whatever you want to call your NAS, and then you create a domain for it. And now you don't have to do the self-signed certificate error. It goes through and away you go. Now you have one more device on your list. Now these can be internal or external facing depending on how you configure them, and they can be both simultaneously. So there's different options, and those are all covered in depth. Like I said, my HAProxy video is a little bit long. I think it's about an hour, but there's a lot to cover to get that all working and set up. There is, and I think what I'm going to do just to also make this even better is to kind of walk everyone through another layer of this, because I'll use Nextcloud as an example and I'll use pfSense as an example, although you can just change pfSense to OPNsense or whatever your firewall slash router happens to be, and same with Nextcloud. If it's a web server, it doesn't really matter. So let's just, and I'll use the static IP as this example, it could be a CNAME. We'll just let you, the listener, insert or remove matching terms appropriately. So you have the domain and you make the IP address, let's just say, equal to the static IP of your pfSense. So at this point, if people go to router.yourdomain.com, firewall.yourdomain.com, they're getting to your pfSense or your router at this point. Now I'm not advocating for making pfSense publicly available for everyone to try to hack. I'm just using this as an example, but at this point, having a domain and having the IP address attached to the domain, the IP address of your cable modem essentially, that gets external people to your pfSense, which of course they're just gonna get dropped, because pfSense sees that someone's requesting something and is like, I don't know what to do with this.
It's an external IP, but I have internal IPs here, so I'm not gonna do anything with that. So at this point, all you've really succeeded in doing is getting people to your pfSense. Now, the next step is taking that traffic and routing it to the proper internal server. So if it's Nextcloud, then what we have to do is make it understandable that if someone on the outside is looking for nextcloud.mydomain.com, they get to your cable modem or your pfSense, and pfSense needs to hand that off to something else to route it to the appropriate server. And that's the next step. You could do a proxy like nginx, HAProxy like you just mentioned, that inspects the name that was requested and then forwards that individual to the proper server on the inside. I use, or I have used, a container with nginx. I don't have anything externally available now, but when I did, that's how I did it. I had a Proxmox container that was on there running nginx, and it was looking at what was being requested and would just send you through to the proper device on the inside. So when it comes to setting up that proxy side of things, that's a video slash episode in and of itself, because I would love to tell you just install nginx and put these values in there, but there's so many parameters, and usually what I do is go to the documentation for whatever I'm running, and they'll often have the nginx parameters in there that work best with that product. So that's why it's hard to make a video about this, because it really depends on what you're proxying to, and you just follow the documentation. But at this point, if you have a proxy that's handing off the request internally, then you have the completed solution.
And then we talk about, like you just mentioned, the certificate side of things, because now that the traffic is being routed, it's actually much easier to get a cert, because if you just have the IP address going to your pfSense, you could get a cert for your pfSense right then and there, because the traffic is going there. But after that, you need a proxy or something like, or even port forwarding to make that happen. Yeah, and it can be a little bit confusing when you look at reverse proxies, especially when they all rely on SNI, and this is where it gets a little bit confusing. Server Name Indication, that is the SNI header, and you'll have the same IP address. And I see people in the comments saying they're having some trouble with HAProxy, and this is often where people get confused. You end up having, excuse me, you end up having the same IP address. So you have one static IP address, or you get multiple, but for simplification we'll do one, but you can have many domains all hosted on there. The SNI header that gets sent is based on a couple of things. The browser does a DNS lookup, provided your DNS server answers correctly, then it hits the IP address. That IP address it hits, it's gonna say, here's the thing I think should be here, it's this.yourdomain.com. HAProxy goes, do I have an entry for this? Or really any reverse proxy does this, even if it's not on your firewall, but the reverse proxy is gonna examine that header and then serve up the content or make the backend connection to the server that corresponds to that SNI header. Getting all that right is why these are a little bit tricky, and one of the things I show, and I believe I have this in my troubleshooting video, is how to use the OpenSSL testing tools from the command line to actually send the SNI, so you can essentially forge the header and make the request and see what the response is, because one, do you have that set up right? You think so, great.
How about we force a response and look at the, or force an SNI header and then get it back. These are some of the troubleshooting steps that make it a little bit tricky to set up, but once it works, and I've seen people say, yeah, once I got it working, it's like a light bulb turns on, and like this is so easy to set up all these domains on here. Yes, it's all these little mechanics of getting it right, but it's really handy then at that point too. This is to go a step further for people that wanna know how this works in the enterprise world, and Jay can probably speak a little bit to this. One of the advantages of having these proxies direct traffic is, let's say I have this, it's all coming in, it hits this IP address, but the backend I can actually load balance. I can say send some of the requests to this server, send some of the requests to that server, or I can modify the configuration really quick to spin up another server and do them. You've done some of that work, haven't you, Jay, for reverse, load balancing? Load balancing, yes. I've done that in AWS. I haven't had a home lab reason yet, but I think I probably will, because it'd be cool. I mean, why else do it, right? But so basically one missing layer I forgot to mention is you have the reverse proxy server, whatever it is, how to get the traffic to it. Well, in my case when I was doing that, I had a port forward in pfSense; port 80 and port 443 were both being forwarded to that container with nginx, and then the container would proxy to each of the services. Now I considered that container to be disposable. It was highly secured when I did use it, and I had like, I didn't even use the same SSH keys for this. So it was at that level of abstraction there, and the beauty of it is if anything did happen to it, I'll just delete it. There's no data on it that I care about. It's just a proxy. It just hands off to other services, that's all.
And that being disposable is the best way to do it, because if anything happened, I'll delete it and I'll just bring it back up from an image. I mean, it's just Let's Encrypt at the end of the day, and they automatically renew. So it was really easy to do, and having that segregated, it gives you some extra security. I wouldn't say much, but it does give you, I don't know, 1 or 5% better security, because your app isn't directly exposed to the internet. The proxy is, obviously it's just passed through though. So if there's a vulnerability in the app, then it's still a vulnerability nonetheless, but you still have a situation where someone might just own the proxy box, and then they just own that one thing. And if it's disposable, delete it, find out why or how they got in, and then re-image it or whatever. But yeah, that does give you a level of abstraction, and I think that's really important to have. Now, another thing, and I right away see a little more confusion here right in the comments, but this is a really good thing to think of as a distinction. So we think of something like NAT. NAT is just a hole in the firewall that's gonna take something from the public IP address and land it internally to whatever you defined you wanted it to land on. Proxies work a little bit different, because they technically man-in-the-middle it, because they're brokering the connection. So HAProxy handles the SSL termination. So there's HAProxy sitting at your public IP, and it handles the SSL termination, or if you have a private IP, same concept, the HAProxy handles SSL termination between the web browser and there. Then another session is created between HAProxy and whatever you told it to point to. Now, that is really important, because this is where you can do some fun things if you wanna inject something in there. HAProxy is essentially man in the middle of this connection. It's terminating the TLS. So your TLS connection from a browser doesn't pass through HAProxy.
HAProxy is handling the termination and then talking to the subsequent server based on what the rule sets are. The reason that's important to understand is it's where a lot of people get confused. Well, an easy example: unless you tell HAProxy to also forward some other information, when HAProxy talks to an internal server and a bunch of external people are hitting it, the internal server logs only see HAProxy. You're like, "I don't know, HAProxy was requesting this and requesting that." It doesn't see that external user from their browser or anything like that. Now, there's ways you can get that data to forward over, but the defaults, the next-to-yes options in HAProxy to get it configured, do not forward that information. But this is also an important distinction for when people want to do things in... this was actually brought up a couple of videos ago I did with Riley Chase, talking a little bit about proxies in front of his HostiFi service that he offers, because by offering the proxy there he doesn't have to deal with any certificates with all the individual UniFi servers. It also allows him the opportunity, if he wants to filter or modify the data in transit for whatever reason, it can be done. And if you get some of the more advanced proxies, there's even filtering you may want to do that way, if someone tries to request something or tries to do... if you are following the news, there's been a recent Apache problem that was discovered. The proxy can be, it gets a little more into web application firewall, but it at least has some ability to apply some rules to it to say, "No, no, no, don't let that type of weird data come through, that's not acceptable," before it gets to the backend web server. That's because it's actually terminating the TLS and the secure connection before it passes off to the other one. And by the way, you can have, and I do, for example, in my UniFi, I don't bother installing a certificate in my UniFi server itself.
So the certificate brokering has to go unchecked between HAProxy and my UniFi, but on the other side, when I connect to unifi.lawrencesystems.com, I get a proper, valid SSL cert. And that kind of goes to, like I said, where the termination is, where the termination is being handled for the proxy.

Yeah, I think one simple analogy is to think of this as like having an operator or a receptionist at a company. You call and speak to John: you talk to the receptionist first, and then that person's like, "Okay," then transfers you, and you're talking to that person. Or if you're asking for a different person, then the receptionist will say, "Yeah, I don't know who you're talking about." So in that case, they get a 404. It's like, "We don't have that here." So if we're asking for Nextcloud and the proxy knows what that is, "Yeah, okay, you go over here, that's where Nextcloud is," and then they ask for a BookStack or something, I don't know, "Yeah, we don't have that server," they get a 404. But like you said, the SNI is basically looking at the name that's being requested and making sure that everything forwards properly. And that could be kind of difficult to explain, but we'll just kind of keep the SNI part of it very simplistic. I know it's much more complicated than I made it out to be just now, but it's like in the phone example: you could have your phone number publicly available and everybody in the world can call you, or you can have a proxy in front of you, like a receptionist, that's routing traffic accordingly. And that's kind of what it is, because you have that, you have one hop in between, or a man in the middle, or person in the middle, that's handing things off. And I personally, the way I am now, I proxy everything. Like, even if it's not an issue where I need to, it's just one name, one server, there's not even multiple sites on there, I put a proxy in front of it. Always put a proxy in front of it. I think when you get to a certain point, you'll probably start proxying everything.
Yeah, it becomes... the hardest part is getting the base configuration set up. Once you've got one or two domains working, why would you say two? Because with two, that way you can say, "Oh, I see the difference between these two domains." The next 30 or 40 that you add are really, really simple to add, because it's just kind of repeating the same thing and changing the IP address and adding a new rule to match whichever the SNI is on there. Now, you can go a little bit more advanced, because there's ways in HAProxy, if you play with the more advanced rules in it, even inside of pfSense, so you can do like some of the subdomain and then, I'm trying to remember how it would be, like the fully qualified domain plus then an extra URL to get it to redirect to other things. There's lots of little nuances; it's all about getting the base part of it set up.

And then when it comes to Let's Encrypt, I mean, I think that's the ultimate goal. I mean, I hate seeing that red X or that broken padlock icon in the browser, even though it's something that's not externally available anyway, but I hate that. And I hate seeing that error message come up, like, "This is a self-signed cert." I know, I know it is. I'm the one that self-signed it. So I'm aware of this, but the browser is going to act the same whether it's internal or external. So having a Let's Encrypt cert is the ultimate goal. Now, you have to verify that you own the domain, otherwise someone else could just say, "Yeah, I own your domain," and I'm just going to point all the certs to me and be a man in the middle and just create some havoc there. So you don't want that, but Let's Encrypt has to verify you own it. How do you do that?
So the easiest way to do it, if something is internet-facing, so I'll use Linode as an example: if you have a website set up there and you have the domain pointing to the A record, or the IP address, of that Linode, it's super easy, because it's publicly available. The IP address and the domain are a one-to-one match, and if you request a Let's Encrypt cert, then it's going to send out the request, and then it's going to come back and verify that it does come back to the right place, and then it approves the cert. So the communication has to go out and then has to come back in in order for that to work, and that's easy because it's a one-to-one match; it's externally available, it's out in the cloud, there's an IP address, there's a domain matching that IP. Now, when you are inside your network, that becomes a little bit more challenging, because when you have a server internally asking for a Let's Encrypt cert, it's going out your cable modem, so regardless of what your server's IP is inside your network, what Let's Encrypt sees is your public IP coming off your cable modem, and then it's going to send the communication right back to verify. Is it going to come back to the server?
No, it's going to hit your cable modem or pfSense or whatever, and pfSense is like, "Yeah, no, I'm not that, I'm pfSense, I'm not Nextcloud, what are you talking about?" And then it doesn't work, because it can't verify that. That's the problem. The solution is you have the HAProxy, nginx, whatever, in the middle that's routing it to the appropriate place. But it can be a little confusing, because now you're trying to make sure that, depending what the request going out is, it comes back to the same server. I think that's where people start to get confused. But as long as you have the... you first get the HAProxy or nginx working to where you can go to it from the outside, and then you get to it even though there's no cert, so you know the routing works. Because you're off your network, you could try your phone on 3G or 4G or whatever, off the wifi, and try to go to it, and if you see the right site, the routing works. So once that box is checked, then you should be able to get the cert by doing the DNS challenge, which will just go out and then come back in. But then, you mentioned DNS challenges, there's specific ones, which is a different way of doing this, where Let's Encrypt uses an API call. So if you have a membership at Linode, AWS, there's a bunch of these, you could actually hook it into that, and they could just communicate directly with that DNS service, and the DNS service says, "Yeah, Jay owns that domain, you're good," and then it verifies it. And that way it's great, because it doesn't really... I mean, you don't really have to have as much routing there, because it's not expecting a web server on the other end; it's just verifying that through API, which, if you have an account on one of those, then I think that's even better.
Yeah, that's one of the easiest ways to do it, because let's say you are in a situation where you're behind carrier-grade NAT and you just have no interest in opening up things to the world. Matter of fact, that's how Jay is sitting right now; he has none of the things publicly exposed. In those circumstances, that's where using Let's Encrypt is great, because you can get that wildcard certificate, but that wildcard certificate does have to apply to a fully qualified domain. That's, as we said in the beginning, why you have to buy one. Let's Encrypt will validate it with the API call, you can get the wildcard cert, and then you can internally have all of your different things, and your browser will respect it internally. So it'll be your device.yourdomain.com, whatever you want to name them. You can get rid of all those SSL errors and not have to worry about them; your browser will be happy, with no little "click advanced and go next" or "proceed with caution" type of error messages. And all of this is done without any public visibility, so you're not adding any type of risk to your network, because you're still not opening up your network; you're just adding the convenience of having everything in a really clean-looking interface. Because the alternative to, and I will mention, because I'm sure someone in the chat there, there are ways you can tell things to trust your own certs and come up with your own naming scheme. There's just ways to make that work. It's almost, I would say, in some ways more complicated, and adding a bunch of, because you've got to add things to your certificate store to make that work, and I'm...

Right. Yeah, I don't... It's too much.

And I would actually, if you're going to put the time and effort, it's just easier, because for each new device you'd have to also do that on your network. When you don't do that, and you use something like Let's Encrypt, it becomes very simple, because any new device on your network, if someone, you just get a new phone, open it up, you can go to, provided the DNS
works, any of your phones connected to the internal DNS of your internal network, you can go to all the fully qualified domains for your different services, and they'll all connect fine without any SSL errors.

Yep. Yeah, and I think that's the best way to think about everything. Another challenge that I think some of these proxy services can help solve, but it's kind of like what you want to achieve, the challenge is if you have something in the cloud but it's not publicly accessible. Which you might think, like, "Wait, what? It's in the cloud but it's not publicly accessible? The whole definition of the cloud is publicly accessible." You can always set up any cloud provider to not allow any traffic other than from your IP, or you could use like ZeroTier or something like that, and just not allow the public into the cloud instance at all, and only you can get into it. But then the problem is, you try to do the Let's Encrypt challenge, and then the communication goes out, it can't come back, because it's not publicly accessible. So then you can start to get into a challenge where you have to remember to temporarily open the firewall, which I hate doing, just to let that go through and then close it back down. Hopefully you don't forget to do that. It's not really the best way to do it, but sometimes you have these challenges and you have to figure this out, because it's not like Let's Encrypt is going to tell you, "These are all of our IP addresses; if you whitelist these, then the challenge will always work." I don't think they want you to know what all their IPs are, and even if they did, and even if they didn't mind, they'll probably just change them anyway, because what the IPs are today may not be what they are tomorrow for the servers on the Let's Encrypt side of things. So it's really hard, unless there's some kind of reverse DNS mapping or whitelisting to make that work, to where you have to have something in the middle to allow that communication to happen. But at the worst case, you could open it up
temporarily, get the cert, and close it down, but you just have to be really good on remembering to close it back down.

Yes, that's, and a few people asked this question, and I have a video, and you can extrapolate from this video to other services, but I have a video called pfSense DNS Overrides, and what DNS override means is how you can have different external DNS versus internal DNS. Someone referred to it as split brain; I don't think that's the right term for it. Split DNS is the right name, though, that you can do. So I do have a video on that, for a few people asking in the comments to better understand. I have dove into that topic. Matter of fact, if you search, I've actually talked about how to use dig, how to look up different records for DNS. I've done several videos on that topic, that you'll find tutorials on my channel. Have you, on your channel, Jay?

I'm trying to think, like, I have like almost 800 videos now. I'm getting to the point where I'm like, what have I done again? I'll make sure I have that video; like, if I don't, I need to add it to my list. So I'm probably just not remembering, but maybe I did cover it. There's a lot to this. It's very, there's a lot of different moving pieces, but I think when you take away the moving pieces that aren't relevant to your use case, then what you're left with is pretty much one or two paths forward, and there's only one or two ways to do it, and it's pretty self-explanatory at that point. But you have to take away the things that don't really matter and understand your environment, like, do you have access to a static IP?
Probably not, but if you do, it makes it a lot easier. When it comes to VPN, there's some added challenge there, because I've noticed with different operating systems OpenVPN handles it differently with the official client. So I've noticed on Windows, for example, and I think macOS, but I don't remember, it'll automatically tell the client to forward DNS to your internal DNS. So if you're looking for Nextcloud, even if it's not externally available, you're connected to your VPN to your home network from somewhere else, then, you know, it knows where Nextcloud is, because it's using your pfSense or your router, your firewall, whatever it is, as your DNS server. Now, other operating systems, I think Linux is one, it doesn't automatically do that, so it'll just, like, all the name lookups fail even though you are on the VPN. There's a way to get around this: there's a package you install and a couple lines of config you add to the client config file that I won't go over right now, but there are some challenges there that you'll probably run into, but a quick Google search will get you the answer there. But I mention this because it just seems so weird that it's so different based on the operating system, even though the client comes from the same place. I don't know if they fixed this yet; we had a conversation about this last night. So depending on your operating system, you might have to do a little bit of hand editing there. But one of the reasons why I bring this up is to segue into your solution, though, because you can just, like, avoid all of what I just said and do absolutely none of that, and not even have that problem, by using your trick for local DNS in public, or local IPs in public DNS. I think you explain it better than me, so I'll let you do that.

Yeah, definitely, definitely a fun topic. It's DNS, it's always DNS, it's probably on your end.

Basically, if I understand correctly, you're putting the internal IPs to your internal servers in the public DNS server?

Yes, yes, I have that. I break it down in my video
because it's, it's a fun way to solve, like you said, the VPN problem when you have people remote. So you can look up some of them, and some of the ones are still valid from the video, so I can point them, using my DigitalOcean where it's hosted on one of them, because I did some... that's where the demo was done, for those of you wondering. Even though it was a sponsor, I still have stuff there too, and you can look that up. It's kind of, you can split this around quite a bit, and it's not as cut and dry as you might think, like you can only be here or all here; you can actually put them in multiple places for that, where you can put it where, if you're inside the network, it resolves this way, outside the network, it resolves this way. But one of the problems we had was when we were playing with phones, and Android likes to use its own DNS. We said, you know, I can solve this problem real quick: we just made the public DNS point to the private, because Android decided, I can't really, it's a way Google wants to always look up a different DNS server. So it's another way of solving that problem. There's all kinds of clever workarounds, and the CNAME combination with dynamic DNS is just one of many. There's all these different clever things that people have come up with to, you know, route things and to, you know, set up DNS. I think they're fun, but, you know, without going too much on a tangent, I think those are probably the main two I think are the most useful to our audience. And I did see, because this comes on the heels of the big Facebook outage, it's always DNS until it's BGP.

So that's true, and for those of you who don't know, you know, depending on when you listen, this is October 6th, so it's right after the big Facebook outage. I have it on October 4th. And a quick explainer is the difference between DNS and BGP: DNS tells you where things are and BGP tells you how to get there, and both of those things were actually broken for Facebook. So I wonder what the specs or the analytics are, as far as, like,
the human side of this. Without Facebook being online, then people wouldn't have been upset by memes as much, and there'd be less stress in the world overall, and people would be sharing fewer memes, because you can't. So I think productivity might have increased. Kind of interesting to see how that impacted things. But yeah, BGP, it's one of those convenient things, but it also can conveniently break other things too.

Yeah, yeah. I mean, I don't know if we're going to cover BGP on The Home Lab Show, but it might be a topic that we, me and Jay, have a mutual friend we can bring in that does manage BGP. He helps protect the world against DDoS stuff, so he can answer questions about it; he's done some clever things. So there's, yeah, but maybe, maybe we'll do an episode on it, because a lot of people ask what it is. But it's not, I'll tell you this much, it's not likely something you're going to be using in the home lab. But I will admit you can set it up, and I thought about doing a lab demo of it, because you can use BGP, it's not the most ideal way, but it can be a fun learning experience to actually build a network and understand how routing and peering announcements work. I actually played with it a little bit and thought it was kind of novel; I just never did a video. I know I don't have a video on that specific topic, how to design your own internal BGP. Oddly, we've done things like that, though, and the reason we've played with some of this is because internally here, sometimes when we're configuring something, we'll plug the public IP addresses in and actually have them routing inside of our own network before we deploy a firewall to a client. So we can actually go through the whole setup if we want, because we built a network that matched the public IP space. Now, that's not going to actually route to the internet fully, but it was us able to have the firewall tested and make sure all the different port forwardings and everything worked, and we just had to do our own simulated section of the internet
here. But that's, now we're getting way off topic of where we started, with proxy and domain.

Yeah, that's, that could be, I don't know if that'll translate to an episode or not, but it's, yeah, definitely to build these things here. You know, hear what you guys think of all this.

Yeah, definitely something. All right, well, I think we covered everything we had on our list for "get domain." So get your domain, get started, it's a great learning process.

It's, it's a great aggravation process, right?

Yeah. I actually have memories of just, like, you know, when I was learning, getting frustrated with it and just getting very upset, shouting a few expletives, and I'd go out for a jog and then clear my head and come back. "Oh, right, of course it didn't work, because of whatever it was." And it was just like, you just get so involved in this, you're trying to map it out in your head, and it just, you just get stressed out. Just, you have to take a break, you know, just go for a run or do whatever you do for unstressing, come back to it, and I think it'll make a lot of sense. Just take your time, and I think, you know, being frustrated is actually a good thing when it comes to learning, because that means you're being challenged, and that also means you're going to, you know, come out with a lesson at the end of it. And I think breaking things and fixing things is usually the way we learn anyway.

Yeah, it's, it's just, it's a lot of fun, and once you have it, now you have the diversity to really start playing with that. It's, the whole thing is being able to get some of these tools in your hand. So I know there's at least a few people that want to try and host your own mail. There's always people that want to do that. Take it from two mail server administrators; me and Jay both did that for years. And I mean, I was a mail server administrator back in the Sendmail days; in 1999 was my first job where, commercially, I did... I actually ran it not commercially before then, in the earliest days. But yeah, once you learn Sendmail, then I
learned Postfix, then I also learned Exchange, and I admin'd these things. I actually was kind of happy, in some ways, when I surrendered to G Suite and got rid of my own mail server. I said, I'm done. I ran my own mail server for a long time, and then I decided that mental health is important, and then I just, I just changed my MX records to a different provider and I was done with it. I just had enough.

Yeah, eventually you will have enough. Oh, something, you know, we didn't touch as well, last thing I'll leave you with. Yes, if you want, you can set up your own name servers. That actually is a little bit more involved, and I have done that with Hover. So you can look up, I think ns1.lawrencesystems.com is valid. Those are a little bit different type of record. It gets a little off topic, but if you're into hosting, you can build a primary where you buy a domain, create a subdomain for name servers, and then there's a trick to getting them, and, like, the scope of this, because it's been a while since I've had to do this, where you can be registered as authoritative name servers that then can be managed, so you can manage all your other domains on it. It's actually something we used to do; we used to do hosting, so I still have all that configured in the back end. But yeah, that is one more thing, just to answer the question when someone asks, "Can you do that?" The answer is yes. So yeah, that, yeah.

Explaining that, like you said, it's hard. Then you've got to talk about glue records and all these other things.

Yeah, glue record, that was the word I'm looking for. Yeah, the glue record setup. So yeah, that's a lot. That could be its own topic; we'll dive into it a different day. But thank you for joining us on The Homelab Show. This was a lot of fun talking about this. I hopefully we gave you more things to dive into, more things to buy. I will give a shout out to those of you that want to dive deeper: look at the learning things they have over at Cloudflare on things like BGP. They have some really good graphics and
explainers on how that works, and they have a lot of write-ups on how DNS works. So if you want to break down some of the confusion of it, you can spend a lot of time in the rabbit hole, but I realized that, doing a video the other day, that, wow, they have... and I linked to their BGP video in one of them. They just have good explainers and solid write-ups on it, so it's another place you can learn to start diving into what all these records mean and things like that.

So yeah, all right, thanks everyone for joining. Awesome having you here.

Thank you very much. See you next time.

See you later.