Access Nextcloud Locally if connected to LAN

Hello Community,

My NC is running in Docker at home and is available under nextcloud.mydomain.com.

If I am at home and open nextcloud.mydomain.com in my web browser, it should go directly to the NC’s IP address in the local network, not go out to the internet first.

How can I achieve it?

Best regards
Chris

Your router would need to support NAT loopback to achieve that.

Alternatively, set up the NC server so it’s accessible by the IP address itself and enter that instead of the URL when connecting from inside your home network.

What is NAT Loopback?
Definition: a feature in many SOHO routers that permits access to a service via the public IP address or domain name from inside the local network. This eliminates the need for separate domain name resolution for hosts inside the network versus the public network for a website.

Author: Kevin_Z (Cambridge), released on 2021-03-23

(See the source for more details and an example)

Source: https://community.tp-link.com/en/home/stories/detail/1726

Another option would be to set up a DNS server inside your home, like Pi-hole for example, then have all the devices in your home network set up so their DNS requests are sent to the local DNS server for name resolution, which can resolve the FQDN to your local IP address within your home network.

This doesn’t really change the fact that a name resolution lookup request to a DNS server is required before anything is sent to the IP address of the device within your home network; you’ve just moved the DNS server from outside your home network to inside it, and the name resolution lookup is still done by the local DNS server.

The functionality you described in your question is the feature called “NAT Loopback” available in some, but not all, routers.

Unfortunately my router does not have this function.

I tried with Pi-hole, but the problem is: I can’t enter an IP address with a port (192.168.1.2:9000) in the Local DNS setting in Pi-hole. My NC is only accessible on this port. If I just enter the IP address and open nextcloud.mydomain.com in my browser, I am redirected to my host’s dashboard (QNAP dashboard on port 8080).

You need a reverse proxy to resolve the request to the correct ports when you have multiple services available on different ports; port resolution is not a part of domain name resolution. Alternatively, enter the port after the URL in the browser: https://[URL]:[PORT]

Question: PiHole - DNS to Different ports

Answer
What you’re looking for is a reverse proxy.

Nginx, traefik and caddy are all products that will help you with that. As you’re running Docker, look at traefik; I use that and it is quite nice.

Source: PiHole - DNS to Different ports - docker - Pi-hole Userspace
Reply: https://discourse.pi-hole.net/t/pihole-dns-to-different-ports/41104/5

Ok thank you for your explanation. I can access it now from LAN with “nextcloud.mydomain.com:9000”.

Now I will try to create a separate network for NC in Docker, i.e. 192.168.1.3, so I don’t need to add the port number after the domain. I think it should solve the challenge.

Thank you!

1 Like

Do this with Pi-hole by setting it as your DNS server. To learn more you’ll need to check the Pi-hole documentation or their support forum.

Pi-hole is just a GUI on top of dnsmasq. Install dnsmasq directly instead: https://dnsmasq.org/
Easy guide: https://stevessmarthomeguide.com/home-network-dns-dnsmasq/

Very good documentation: https://wiki.archlinux.org/title/dnsmasq

You do NOT need to set all the A record pointers using your HOSTS file. Using the “address” key as shown below essentially acts in the same way.

If you want to do this with less CLI, install a GUI as well: GitHub - balucio/dnsmasq-webgui: Simple web gui for dnsmasq

Configure zone as follows:

address=/my.domain.ltd/192.168.1.2
address=/my.domain2.ltd/192.168.1.3
server=8.8.8.8
server=8.8.4.4

NB: address is an A record. server is a DNS forward.
DNS forward: I have set Google’s DNS servers above. Because I also run my own DHCP server (dnsmasq can be configured for this as well), I force a bypass of my ISP’s DNS settings. Basically you can add any public DNS server here, or add your gateway address to follow the same path as you do today for anything OUTSIDE your network.
HINT: If you want to access anything DNS-blocked by your ISP or government, just add address=/blocked.domain.ltd/IP and you completely bypass the DNS blockage. Or your ISP has DNS intercept and will catch anything that reaches outside your network anyway.

1 Like
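An added example (not code from any poster in this thread) that checks whether a dnsmasq “address” override will actually keep LAN clients off the internet path. The config is constructed to mirror the post above; the host names and addresses are assumptions. It applies dnsmasq’s documented rule that address=/example.com/IP answers example.com and every name beneath it, which is why a too-broad entry such as address=/mydomain.com/… silently captures every other host under that domain, and it flags overrides that do not point at an RFC 1918 address (those would not stay local). The port is outside DNS entirely, as the thread says; that still needs a reverse proxy.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed dnsmasq config in the shape
# the post above uses: address= overrides for LAN hosts, server= for forwarding.
DNSMASQ_CONF='address=/nextcloud.mydomain.com/192.168.1.2
address=/nas.mydomain.com/192.168.1.5
server=8.8.8.8
server=8.8.4.4'

# dnsmasq semantics: address=/example.com/IP answers example.com and every name
# under it. Walk the query name from most to least specific and print the first
# override hit; print nothing (status 1) when dnsmasq would forward upstream.
# $2 optionally supplies a different config text (used to show the catch-all case).
local_answer() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    conf=${2:-$DNSMASQ_CONF}
    while [ -n "$name" ]; do
        pat=$(printf '%s' "$name" | sed 's/\./\\./g')
        ip=$(printf '%s\n' "$conf" | sed -n "s|^address=/$pat/||p" | head -n 1)
        if [ -n "$ip" ]; then printf '%s\n' "$ip"; return 0; fi
        case "$name" in
            *.*) name=${name#*.} ;;
            *) name= ;;
        esac
    done
    return 1
}

# RFC 1918 ranges: an override only keeps traffic on the LAN if it points here.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Verdict for one name: 0 = resolves straight to a LAN address,
# 1 = forwarded upstream (public IP comes back, so NAT loopback would be needed),
# 2 = override exists but is not a private address.
check_override() {
    if ! ip=$(local_answer "$1"); then
        echo "$1: no override, forwarded upstream; LAN clients get the public IP"
        return 1
    fi
    if is_rfc1918 "$ip"; then
        echo "$1 -> $ip (LAN address, stays local; the port still needs a reverse proxy)"
        return 0
    fi
    echo "$1 -> $ip is not a private address; override does not keep traffic local"
    return 2
}

check_override nextcloud.mydomain.com || true
check_override mail.mydomain.com || true
```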

Thank you for your suggestion. I prefer to use Docker instead of installing it directly on Linux, because I use a QNAP NAS as my host, and QNAP has its own Linux OS. I also use Pi-hole to block ads and malicious links.

I understand. However, if placing the DNS in a container, you will have to do some network routing and iptables-foo. If the DNS server is on a different network than the clients, you need to set up DNS relaying and response. And this must be done, unless you go the more dangerous route of bridging your NIC so the Docker container will have a LAN IP.

Oh, I’m really doing it now because port 53 is already used by QNAP and I can’t stop QNAP from using it. So now my DNS has macvlan and it has an IP in the same subnet as my QNAP.

Can you please explain to me why you think this is dangerous?
Is it better to not use macvlan?

Certainly. Are you running security components on the containers themselves? Do they have their own AV engine, and do you always activate iptables on the containers? The idea of Docker is that you do not need to worry about the infrastructure layer, as that is covered by the Docker engine and the virtual network layer on the Docker engine host itself. Making a macvlan, you are completely bypassing this entire layer, hence you will need to always ensure that your containers are self-contained, also security-wise. And do not forget that the Docker engine runs as root. So exposing a container so that it bypasses the Docker engine’s network security and proxying layer is an added attack vector to your host. If assigning LAN addresses is a thing, you should consider running Docker inside an LXC container and then assigning it a macvlan, as LXC is security-focused and runs at privilege 10.000 instead of root.