use a sub-domain to access your home server (eg Home Assistant) via nginx proxy manager using CNAME
the need for a sub-domain:
Your home network allows you access to ‘services’ such as an IP camera, the router, Home Assistant, a wi-fi access point, a NAS drive (eg Synology or QNAP) and if you run a ‘server’ perhaps a wordpress blog. My humble ‘home lab’ uses an old PC to run Uptime Kuma (to alert me of something failing); plex media server and frigate (an IP camera app).
When you are away from home you may want to access those services (and certainly a wordpress blog) via a URL. The URL might be mystuff23.duckdns.org but if you own a hosted domain (mydomain.com) you can create subdomains to access any of those services giving you camera.mydomain.com and wordpress.mydomain.com and nas.mydomain.com and frigate.mydomain.com.
what you need to point a sub-domain to your home network
- a domain with a hosting provider that lets you add a CNAME record.
- a dynamic DNS URL – you get this from a device at home which talks to and updates a dynamic DNS service:
- you can use the dynamic DNS service built into routers to connect to one of the web services such as noip or dyndns
- or you can use the duckdns add-on in Home Assistant. I do this to get ‘mysubdomain.duckdns.org’
- or your router may give you a URL for remote access – eg my tplink router offers me ‘myloginID.tplinkcloud.com’
- or if you have a Synology or QNAP these may give you a URL for remote access (I’ve yet to exploit this idea)
- many smart home devices invisibly report your home IP back to a cloud service (I’ve yet to exploit this)
- optional but highly recommended is a server (eg Home Assistant or QNAP or Synology) running nginx proxy manager (see my set up to use nginx).
doesn’t cloudflared do this?
Much as I would like to use CLOUDFLARE + cloudflared Home Assistant add-on, Cloudflare insists that I use my root domain. It doesn’t let me use just a sub-domain on the free plan. That means that I would use Cloudflare nameservers for my email and I’m reluctant to mess up my email lifeline.
it isn’t considered wise to expose your home network to the Internet – however here are ways that you can add safety to a measure of risk:
- You turned off UPnP on your router (do that).
- Your home network is internally secured to prevent the kids or neighbours getting in – for example, a camera and a router require a password to access them.
- The services you’ll expose to the Internet will be accessed via nginx proxy manager which will obfuscate the ports and IP addresses of those services. This is much better than opening a range of ports such as opening port 8123 to give access to a Home Assistant setup.
- You haven’t exposed the wrong services or personal data. Indeed you’d be wise to be selective about exposing your QNAP NAS or your PC for remote access
- Each camera, or device or service will have a login with an obscure username and password. By using nginx you can add another authentication step before a user gets to enter that password.
- You’ll be using https:// for the connection so that data and passwords crossing this connection can’t be sniffed. We’ll do this via a self-signed SSL certificate and Letsencrypt.
- You’re aware that a VPN or a ‘wireguard’ setup might offer an alternative method of security. I’m not covering this here but you can see my setup to use ‘wireguard’.
how to point your sub-domain to your home IP via a dynamic DNS service URL
Set up a dynamic DNS service – the service will give you a URL such as myhome.noiphop.to or myhome.duckdns.org or myhome.tplinkcloud.com. You can often do this on your router, on qnapcloud on synologycloud or on a Raspberry Pi running Home Assistant (my preferred approach- see what I did here).
Login to your hosting provider. Create a sub-domain eg wordpress.mydomain.com. Now look for the option to change the destination of that sub-domain (or ‘adjust DNS’). I use Ionos and here the process involves
- Create a sub-domain.
- Add a DNS record. Add CNAME.
- For the CNAME enter the dynamic DNS URL eg myhome.duckdns.org. The TTL (time to live) can be left at the time suggested. You don’t need any of the other DNS entries for the sub domain. You don’t need A, AAAA or MX records.
Create more subdomains as required – for example homeassistant.mydomain.com and camera.mydomain.com. For each of these you’ll add a CNAME with the same dynamic DNS URL as before eg mydns.duckdns.org / myphoto.duckdns.org / myhome.tplinkcloud.com. No one will see this – they’ll only see your subdomain. CNAME stands for ‘canonical name’ meaning that you’ve substituted the usual URL for a better ‘more authoritative’ URL.
Within some minutes entering the URL eg wordpress.mydomain.com should take you back to your router. In fact it will take you to wherever port 80 or port 443 goes on your home router – quite possibly the router blocks these ports. When you have nginx proxy manager you’ll have opened ports 80 and 443 and pointed them to nginx. If all’s well the URL will go to the nginx default page.
use nginx proxy manager to re-route each sub-domain
At this stage you’ve set up a sub-domain for each service that you need remote access to. Now you’ll use nginx proxy manager as a switchboard to direct those sub-domains to the service (eg camera, NAS) you want to from outside the home network.The process is
- enter the subdomain which has a CNAME pointing to the dynamic DNS URL
- enter the IP address where your service resides. Add a port if needed
- check block common exploits
- in access list create a username and password to block entry (allow = all deny = all for this access list user)
- click SSL and ‘request a new certificate’ for this subdomain. Enter your email address and click ‘save’. It may take a minute to get this.
- repeat for every subdomain