Lots of options. Here’s what I do:

1. HAProxy - uses SNI to match an HTTPS request to a service, without decrypting the connection
2. Caddy - manages TLS certificates, decrypts connections, and sends the request to the relevant service
3. Docker - each service runs in a docker container on the host
4. my router has static DNS entries for each of my subdomains, so I can do https://service.mydomain.com, and my traffic never leaves my LAN when I’m at home

I have HAProxy running on my VPS (Hetzner), and it routes traffic over my WireGuard VPN to whatever physical device on my internal network handles that service (i.e. 2). This allows me to add devices to my network as needed, and TLS certs all live on that device.

This is probably overkill for your setup since it sounds like you can talk to your home router from the internet (I can’t because I’m behind CGNAT), so you could drop #1 and just use Caddy, assuming you’re okay with having all traffic handled by a single device. Or you can see if your router supports SNI-based routing to handle what I’m using HAProxy for.

If you don’t need to share your services w/ anyone, you can have everything live inside of a VPN and just access it via that VPN. You can look into Tailscale if you want something dead simple, and I think Cloudflare offers something similar. I started with that, but decided I wanted to share a number of services with family members, and I didn’t want to force each of them to configure my VPN.

If you decide to not got the YunoHost route, I like the way this guide did reverse proxies with Caddy: https://github.com/DoTheEvo/selfhosted-apps-docker.

Yes this is possible. I have a few hosted items with subdomains and I have it set up as follows:

All subdomains point to the same IP. Router port forwards all 80/8080 traffic to server. I use Caddy in Docker to forward the requests based on the subdomain to the appropriate docker container hosting the actual service.

This makes spinning up something new simple. You get a docker container of New Thing going, edit the CaddyFile to point to it too, set up new subdomain in cloudflare. No new open ports needed.

Hope this helps!

You can also run a free cloudflare tunnel. It’s what I us3 so I don’t have to open a port for my nextcloud but still want it to be able to sync to my phone while not on vpn

I’d look at wireguard / tailscale / headscale and hide your services behind a vpn

You seem pretty focused on reverse proxies for some reason, but that isn’t security. An alternative is a VPN into your network. Simple solution that solves all of your asks if you don’t need many people accessing your services.

Check out yunohost.org (and similar projects) If you’re in for a turnkey-solution.

But yes, a reverse proxy that does all the work and handles SSL is a nice solution. I also use that. It’s relatively easy to set up, doesn’t really slow down anything and makes a lot of stuff easier to manage.

I use NGinx, but Caddy or Traefik will do the same. And I don’t use Cloudflare, so I can’t comment on that.

And btw, Jitsi-Meet is going to require some more dedidated ports for the WebRTC, STUN, etc

There’s a good document from the SWAG reverse proxy that explains it all. I reverse proxy everything on my unraid server through swag and have for years.

Yeah, what @anamethatisnt@lemmy.world suggested is definitely the easiest thing and super practical - I got family members on my tailnet for this purpose. I am however now also looking into some kind of tunneled, reverse proxied and authenticated way to expose a few of my services to other friends where I don’t want to have to put them on tailscale or potentially expose them to more than needed via that route.

I haven’t started yet, but I am updating my network set up soon to install a dedicated OPNsense router as the edge for my network. From there, the plan is to have a cloudflare tunnel that accesses some of these services via a caddy reverse proxy, with Authelia for authentication. That’s the part I have studied enough to feel confident I can do. I am a little weaker on the networking aspects of this, which is where I need to study some more - like isolating those services that are exposed in my network, while still giving them access to some other needed resources within it, etc.