So I wanted to get rid of a $10/mo. bill after a parking fine…
Background
The infrastructure of my sites has previously relied on traefik and Cloudflare tunnel for my VPS and home server (called Hafen, German for a port).
The setup looked something like this:
It worked quite well: Cloudflare managed the *.hafen.dakantz.at certificate and allowed me to tunnel almost anything into my home system, while offering protection against all the nasty things. The problem with the wildcard certificate, however, is that it adds a $10/mo. bill (Advanced Certificate Manager)…
Note: I want that wildcard certificate as I often add or remove services for testing/playing around and do not want to enter a complicated GUI every time, but have a single source of truth: my docker-compose file using labels.
Pangolin
So I looked into self-hosted systems, and Pangolin came up as a self-hosted alternative to Cloudflare Tunnels.
Using pangolin I could tunnel the traffic through the VPS towards my home system (and theoretically still have some of Cloudflare’s protection if I use static DNS addresses without wildcards).
So I set it up using their guide (install using a docker-compose.yml, nothing fancy). Setting it up through the script and web interface was a breeze.
I had to, however, integrate my existing system using traefik into the new system (adding to the config/traefik/traefik_config.yml created by the installation script):
providers:
  #...
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: true
    network: "web"
The last line only enables Docker containers in the specific web network!
Next, the so-called sites were set up using Docker Compose on the Hafen system. This allowed me to already tunnel arbitrary traffic to the instance running traefik.
Setting up Wildcard routes
That did not yet satisfy the requirement to route wildcard HTTP/S traffic to the site, and I had to search through some GitHub issues to find a solution. The solution within the issue proved to be unsatisfactory for HTTPS, so I modified it slightly:
http:
  routers:
    #...
    hafen-web-router:
      rule: 'HostRegexp(`.+\.hafen\.dakantz\.at`)'
      service: hafen-web
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
    hafen-websecure-router:
      rule: 'HostRegexp(`.+\.hafen\.dakantz\.at`) || Host(`hafen.dakantz.at`)'
      service: hafen-web
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
        domains:
          - main: "hafen.dakantz.at"
            sans:
              - "*.hafen.dakantz.at"
  #...
  services:
    hafen-web:
      loadBalancer:
        servers:
          - url: "http://192.168.0.73:8001"
This instructs traefik to route all *.hafen.dakantz.at traffic towards my subnet/private IP.
This IP needs to be allowed access through the Pangolin system by providing site access through a client running on the VPS using the Private Resources.
traefik also needs to be configured to perform a DNS challenge for Let's Encrypt, though, as wildcard certificates cannot be handed out through an HTTP challenge (this requires the correct API token configured through the environment variables; more on that on this page by ACME):
certificatesResolvers:
  letsencrypt:
    acme:
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"
        delayBeforeCheck: 5
      email: "mail@server.xyz"
      storage: "/letsencrypt/acme.json"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
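One check worth running once this is in place (an added example, not code from the original post): a wildcard SAN covers exactly one DNS label, so the HostRegexp rule above also routes names such as a.b.hafen.dakantz.at that neither hafen.dakantz.at nor *.hafen.dakantz.at in the certificate covers, and a browser would see a certificate error there. The script reproduces the rule and the certificate names from the config above (the rule is assumed to behave as a plain, unanchored Go regex) and can also fetch the SAN list a live server actually presents.

```python
"""Check which hostnames the wildcard router accepts but the certificate
does not cover.  Added example; rule and names taken from the config above."""
import re
import socket
import ssl

# The HostRegexp from the router rule, used unanchored as written (assumption:
# traefik does not add anchors for you), and the names requested via ACME.
HOST_RULE = re.compile(r".+\.hafen\.dakantz\.at")
CERT_NAMES = ["hafen.dakantz.at", "*.hafen.dakantz.at"]


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125 wildcard semantics: '*' stands for exactly one DNS label, so
    '*.hafen.dakantz.at' covers 'app.hafen.dakantz.at' but neither the apex
    'hafen.dakantz.at' nor the two-level 'a.b.hafen.dakantz.at'."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    host_labels = hostname.split(".")
    return host_labels[0] != "" and host_labels[1:] == san[2:].split(".")


def covered(hostname: str, names=CERT_NAMES) -> bool:
    """True if any certificate name (plain or wildcard) covers hostname."""
    return any(san_matches(n, hostname) for n in names)


def routed_but_uncovered(hostnames, rule=HOST_RULE, names=CERT_NAMES):
    """Hostnames the router would accept for which the certificate has no
    matching name, i.e. where clients would get a TLS name mismatch."""
    return [h for h in hostnames if rule.search(h) and not covered(h, names)]


def live_cert_names(hostname: str, port: int = 443):
    """Fetch the DNS SANs the server presents for `hostname` (sent as SNI).
    Needs network access; the handshake itself fails if the name mismatches."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # Constructed sample names; only the two-level one is routed yet uncovered.
    sample = ["app.hafen.dakantz.at", "a.b.hafen.dakantz.at", "hafen.dakantz.at"]
    print("routed but not covered by the certificate:", routed_but_uncovered(sample))
```

For a live check, call live_cert_names("app.hafen.dakantz.at") and confirm "*.hafen.dakantz.at" is in the returned list.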
The new infrastructure
This leaves me with a new infrastructure that is fully self-hosted, while still offering (some) advantages of the old system using Cloudflare!
This could also have been solved using a single WireGuard setup between the sites, but this system allows me to easily control access / add additional sites, systems or any other connectivity shenanigans down the line!