Port 443 SSL bullshit

So I've got a debian home server running a Jellyfin media server and a L.A.M.P stack for hosting my website. I've got domain names for both of them and set up Caddy as a reverse proxy so I can run them on the same machine.

On another Debian home server (a Dell Optiplex I bought from a local business) I want to run a Nextcloud instance.

The issue is that Nextcloud really wants to use port 443 but that's already taken, and I can't use my reverse proxy because it's on a completely different machine.
Any suggestions for how to fix this?


  1. 2 months ago
    Anonymous

    Unironically: Docker. Map whatever port you want on your host to 443 inside the container and it should just werk

    • 2 months ago
      Anonymous

      Does docker work on different machines? I'm hosting Nextcloud on a completely different, physically separate, machine than my website, which is already using port 443. I'm not hosting my website and Nextcloud on the same machine.

      • 2 months ago
        Anonymous

        Anon, if they’re already on different machines, what exactly is the issue? Trusted machines can address by IP directly and shouldn’t have to go through the reverse proxy (obviously a bigger setup open to the public internet shouldn’t do this but you get the idea). Set up some basic HTTP auth and whitelist your IPs and you should be good to go

        • 2 months ago
          Anonymous

          Both my website and Nextcloud want to use port 443 on my router and you can't forward 2 different internal IPs to the same port.

          It's my understanding that SSL certs have to use port 443. Or am I mistaken.

          • 2 months ago
            Anonymous

            run nginx on 1 machine and reverse proxy to the other based on hostnames
            or be a chad and run nginx on your router

          • 2 months ago
            Anonymous

            I probably can't run nginx on my current router, but I have been toying with the idea of setting up a pfSense router. That'll definitely be something I look into when I do!

          • 2 months ago
            Anonymous

            that sounds like a good way to ddos yourself. i doubt most consumer grade routers have enough cpu and ram to handle more than a few connections concurrently before it locks up.

          • 2 months ago
            Anonymous

            you don't run nginx on a consumer grade arm shitter router anon, pfsense is x86 anyhow

          • 2 months ago
            Anonymous

            https://ip.ip.ip.ip:port will work bro

  2. 2 months ago
    Anonymous

    You should always change default port of services, or you will get instantly hacked.

  3. 2 months ago
    Anonymous

    Easiest would be to run Nextcloud in Docker and map 8443 on the Optiplex to 443 in the container. Then port forward to 8443 in your router.

  4. 2 months ago
    Anonymous

    > The issue is that Nextcloud really wants to use port 443 but that's already taken, and I can't use my reverse proxy because it's on a completely different machine.
    Any suggestions for how to fix this?

    Your Caddy server can reverse proxy over the network. Run Nextcloud on another port, doesn't matter which, and set the reverse_proxy stanza in the Caddyfile to point to it using the IP:port of the Optiplex Nextcloud instance. Make sure Nextcloud is listening on your LAN address and not 127.0.0.1.

    • 2 months ago
      Anonymous

      Holy shit bro it worked! I didn't know Caddy could do that. Thanks so much! That was much less of a PITA than I was expecting.

  5. 2 months ago
    Anonymous

    >I can't use my reverse proxy because it's on a completely different machine.
    Too stupid to be allowed to live. Consider suicide.

  6. 2 months ago
    Anonymous

    You can do what you want with an ingress router and Kubernetes. They allow any number of apps to be exposed using the same port (80 or 443). The only thing is that you need to set a different DNS name for each app and use only that DNS name to reach them, as the ingress controller uses that name for routing.
    I'm not certain if you can use an ingress controller without Kubernetes, as using Kubernetes for this is overkill, but I believe it's possible to do it.
    The only other possibility is to add another machine that does this same routing for you, but I don't know enough about Nginx to do that.

    • 2 months ago
      Anonymous

      OP has like 5 machines at best, Kubernetes is the definition of overkill here.

  7. 2 months ago
    Anonymous

    how do you get away with running a webserver from a residential connection? i hear most ISPs frown on that sort of thing.

    • 2 months ago
      Anonymous

      Idk, beats me 乁( 0͡ Ĺ̯ 0͡ ) ㄏ? My website is just some static pages that act as a sort of résumé, and only a few friends and I use the Jellyfin server. I guess I just don't use enough bandwidth to get on their radar.

    • 2 months ago
      Anonymous

      It's mostly asymmetric connections like cable modem providers that sometimes get pissy about it unless you pay them more money to have a "business" connection which means you trade in your modem for an older slower piece of shit modem running some microsoft crap and aspx management pages. Many / most fiber providers will go as far as to give you FCrDNS for your connection using one of your domains if you wish, assuming you pay a few bucks extra per month for a static IP.

  8. 2 months ago
    Anonymous

    why can't you use the reverse proxy? isn't directing traffic to other machines what they were designed to do?

  9. 2 months ago
    Anonymous

    >Any suggestions for how to fix this?
    Wildcard cert, then use Caddy or HAProxy to send one name to Nextcloud and another name to your LAMP stack. You can have millions of different sites on 443 using SNI, which just about everything supports. Let's Encrypt supports making wildcard certs. Caddy or HAProxy could be running on your router.
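
    The setup that post 4 describes (Caddy on the first box proxying across the LAN to Nextcloud on the Optiplex) and post 9's point that one port 443 can serve many names by hostname/SNI come down to the same Caddyfile. This is an added example, not a config from anyone in the thread; the hostnames, the 192.0.2.x LAN addresses and the backend ports are assumptions to be replaced with your own (8096 is Jellyfin's real default HTTP port, the rest are made up for the example).

```caddyfile
# Added example, not from the thread. Hostnames, LAN addresses and backend
# ports are assumptions: replace them with your own values.

# LAMP site on the same box as Caddy. Apache is assumed to have been moved
# off 80/443 to 127.0.0.1:8080 so that Caddy can own the public ports.
www.example.com {
    reverse_proxy 127.0.0.1:8080
}

# Jellyfin on the same box. 8096 is Jellyfin's default HTTP port.
media.example.com {
    reverse_proxy 127.0.0.1:8096
}

# Nextcloud on the Optiplex. Assumed LAN address 192.0.2.20, with Nextcloud's
# web server listening on plain HTTP port 8080 on that LAN address (not on
# 127.0.0.1, or Caddy could never reach it). Caddy picks this site block from
# the hostname the client sends (SNI during the TLS handshake and the Host
# header), so all three names share port 443 on the router while only this
# box needs 80 and 443 forwarded to it. Caddy obtains and renews a separate
# Let's Encrypt certificate for each of the three names on its own.
cloud.example.com {
    reverse_proxy 192.0.2.20:8080
}
```

    Two things the thread glosses over. First, Nextcloud needs to know it sits behind a proxy or it will generate http:// links and reject the forwarded Host: in its config.php add the Caddy box's LAN address to `trusted_proxies`, the public name to `trusted_domains`, and set `overwriteprotocol` to `https` (Caddy already sends X-Forwarded-For and X-Forwarded-Proto). Second, the Nextcloud backend port is plain HTTP that anything on the LAN can hit directly, bypassing Caddy's TLS, so don't forward it on the router and restrict it with the Optiplex's host firewall to the Caddy box's address. On the wildcard certificate from post 9: with one site block per name as above no wildcard is needed, and if you do want a single `*.example.com` cert Caddy has to use the DNS challenge (a DNS provider module for your registrar), because Let's Encrypt only issues wildcards via DNS-01.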
