I have a few selfhosted services, but I’m slowly adding more. Currently, they’re all in subdomains like linkding.sekoia.example etc. However, that adds DNS records to fetch and means more setup. Is there some reason I shouldn’t put all my services under a single subdomain with paths (using a reverse proxy), like selfhosted.sekoia.example/linkding?

  • @dan@lemm.ee
    2 years ago

    The only problem with using paths is the service might not support it (i.e. it might generate absolute URLs without the path in, rather than using relative URLs).

    Subdomains are probably the cleanest way to go.

  • @lvl@beehaw.org
    2 years ago

    Try not to use paths, you’ll have some weird cross-interactions when two pieces of software set the same cookie (session cookies for example), which will make you reauthenticate for every path.

    Subdomains are the way to go, especially with wildcard DNS entries and DNS-01 Let’s Encrypt challenges.
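The cookie collision described in the comment above, as an added example that is not part of the original post: a toy model of browser cookie storage keyed by (name, host, path) as in RFC 6265. The second service `wiki` and all cookie values are constructed for illustration.

```python
"""Added example: toy model of browser cookie storage (RFC 6265 keying)."""

def _path_match(request_path, cookie_path):
    # RFC 6265 section 5.1.4: exact match, or prefix on a "/" boundary.
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

class CookieJar:
    def __init__(self):
        self._store = {}  # (name, host, path) -> value

    def set_cookie(self, host, name, value, path="/"):
        # Host-only cookie (no Domain attribute): bound to the exact host.
        # Same name + host + path replaces the previous value.
        self._store[(name, host, path)] = value

    def cookies_for(self, host, request_path):
        """Cookies a request to host+path would carry, most specific path winning."""
        sent = {}
        for (name, h, path), value in sorted(
                self._store.items(), key=lambda kv: len(kv[0][2])):
            if h == host and _path_match(request_path, path):
                sent[name] = value
        return sent

HOST = "selfhosted.sekoia.example"

def path_layout_collision():
    jar = CookieJar()
    jar.set_cookie(HOST, "session", "linkding-abc")  # linkding login, Path=/
    jar.set_cookie(HOST, "session", "wiki-xyz")      # second app login, Path=/
    # linkding now receives the other app's session id and asks for login again.
    return jar.cookies_for(HOST, "/linkding/bookmarks")["session"]

def subdomain_layout():
    jar = CookieJar()
    jar.set_cookie("linkding.sekoia.example", "session", "linkding-abc")
    jar.set_cookie("wiki.sekoia.example", "session", "wiki-xyz")
    return jar.cookies_for("linkding.sekoia.example", "/bookmarks")["session"]

def path_scoped_cookies():
    # Works only if each app lets you configure its cookie Path.
    jar = CookieJar()
    jar.set_cookie(HOST, "session", "linkding-abc", path="/linkding")
    jar.set_cookie(HOST, "session", "wiki-xyz", path="/wiki")
    return jar.cookies_for(HOST, "/linkding/bookmarks")["session"]
```
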

  • @Oida@lemmy.world
    2 years ago

    Depends on the usage and also service. I’m using subfolders for all my Tasmota switches, like https://switch.domain.org/garage. This makes it easier to maintain because I don’t need to mess around with a new subdomain for every new device. On the other side, I like unique services on a subdomain: video or audio. I can switch the application behind, but the entry point remains.

  • @TemperateFox@beehaw.org
    2 years ago

    Everyone is saying subdomains so I’ll try to give a reason for paths. Using subdomains makes local access a bit harder. With paths you can use httpS://192etc/example, but if you use subdomains, how do you connect internally with https? Https://example.192etc won’t work as you can’t mix an IP address with domain resolution. You’ll have to use http://192etc:port. So no httpS for internal access. I got around this by hosting AdGuard as a local DNS and added an override so that my domain resolved to the local IP. But this won’t work if you’re connected to a VPN as it’ll capture your DNS requests. If you use paths you could exclude the IP from the VPN.

    Edit: not sure what you mean by “more setup”, you should be using a reverse proxy either way.

    • @Sekoia@lemmy.blahaj.zoneOP
      2 years ago

      > Edit: not sure what you mean by “more setup”, you should be using a reverse proxy either way.

      I’m using Cloudflare tunnels (because I don’t have a static IP and I’m behind a NAS, so I would need to port forward and stuff, which is annoying). For me specifically, that means I have to do a bit of admin on the Cloudflare dashboard for every subdomain, whereas with paths I can just config the reverse proxy.

      • @bratling@sh.itjust.works
        2 years ago

        > because I don’t have a static IP and I’m behind a NAS, so I would need to port forward and stuff, which is annoying

        This week I discovered that Porkbun DNS has a nice little API that makes it easy to update your DNS programmatically. I set up Quentin’s DDNS Updater https://github.com/qdm12/ddns-updater

        Setup is a little fiddly, as you have to write some JSON by hand, but once you’ve done that, it’s done and done. (Potential upside: You could use another tool to manage or integrate by just emitting a JSON file.) This effectively gets me dynamic DNS updates.

  • surfrock66
    2 years ago

    Subdomain; overall cheaper after a certain point to get a wildcard cert, and if you split your services up without a reverse proxy it’s easier to direct names to different servers.

    • @witten@lemmy.world
      2 years ago

      Who still pays for certs?? (I say this as non-snarkily as possible.) I just imagined everyone self-hosting uses Let’s Encrypt.

      • surfrock66
        2 years ago

        Let’s Encrypt is fine for encryption but not identification. I have some stuff which I prefer that on, specifically around demonstrating services that I host at home in the workplace. Having full verification just reduces the questions I have to deal with. It’s like $90/year for a wildcard.

  • @shrugal@lemmy.world
    2 years ago

    If you don’t have any restrictions (limited subdomains, service only works on the server root etc.) then it’s really just a personal preference. I usually try paths first, and switch to subdomains if that doesn’t work.

  • @gaurhoth@lemmy.world
    2 years ago

    You can certainly do it with paths, but it’s generally cleaner and easier to do subdomains. Some apps don’t like paths without additional setup and/or reverse proxy configuration because they hard-code redirects to specific paths.

    In some cases (if you are hosting services both internally and externally), you’ll want to configure a split-brain DNS (a local DNS server that resolves internal hosts to internal IPs while external DNS resolves to public IPs).

    Yes there’s some setup with that, but once you really get into it – you’ll start automating that :) I have a script that reads all of my Traefik HTTP routers via the REST API and updates my Unbound DNS server automagically.
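One way to build the split-DNS automation mentioned in the last comment, as an added example and not the commenter's script: it turns the router list returned by Traefik's `/api/http/routers` endpoint into Unbound `local-data` lines. The router entries and the internal IP `192.168.1.10` are constructed, and hostnames are validated because router rules often come from container labels and end up inside resolver configuration.

```python
"""Added example: Traefik HTTP routers -> Unbound local-data overrides."""
import re

HOST_CALL = re.compile(r"\bHost\(([^)]*)\)")   # Host(`a`) or Host(`a`, `b`)
BACKTICKED = re.compile(r"`([^`]+)`")
# Conservative hostname check so nothing odd is written into the config.
VALID_NAME = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}")

# Constructed sample, shaped like the parsed JSON of GET /api/http/routers.
SAMPLE_ROUTERS = [
    {"name": "linkding@docker", "status": "enabled",
     "rule": "Host(`linkding.sekoia.example`)"},
    {"name": "wiki@docker", "status": "enabled",
     "rule": "Host(`wiki.sekoia.example`) && PathPrefix(`/`)"},
    {"name": "old@docker", "status": "disabled",
     "rule": "Host(`old.sekoia.example`)"},
    {"name": "bad@docker", "status": "enabled",
     "rule": 'Host(`bad"name.sekoia.example`)'},
]

def hostnames_from_routers(routers):
    """Collect valid hostnames from Host() matchers of active routers."""
    names = set()
    for router in routers:
        if router.get("status") == "disabled":
            continue
        for args in HOST_CALL.findall(router.get("rule", "")):
            for name in BACKTICKED.findall(args):
                name = name.lower().rstrip(".")
                if len(name) <= 253 and VALID_NAME.fullmatch(name):
                    names.add(name)
    return sorted(names)

def unbound_local_data(routers, internal_ip):
    """Render one Unbound local-data line per hostname."""
    return ['local-data: "%s. IN A %s"' % (name, internal_ip)
            for name in hostnames_from_routers(routers)]

if __name__ == "__main__":
    print("\n".join(unbound_local_data(SAMPLE_ROUTERS, "192.168.1.10")))
```
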