Reverse proxy is done by Nginx Proxy Manager, hosted on Proxmox as well.
2/ name resolution
I believed that this setup would locally resolve my domains (I have NOT edited any /etc/hosts).
But what I see in my logs and by using Cloudflare is that, in the end, my request from GREEN to GREEN to access one of my sub-domains is resolved by Cloudflare DNS instead of being resolved locally.
I find it absurd, and I'm sure there is a simple solution for that.
Do you know what this solution is?
Maybe altering the /etc/hosts of IPFIRE or ADGUARD or NPM?
When having a look at my various sub-servers' access logs, if I use the domain name to access from the LAN (instead of the local IP), the IP shown accessing the service is the Cloudflare IP for those proxied by Cloudflare, or my external IP for those not under Cloudflare.
That way you will be able to refer to the PC by either the hostname alone (IPFire will take the domain name as what you have defined) or you can use the FQDN to refer to your server. Both will work.
I think we are missing the point here. Judging by the DHCP config, all LAN devices get primary DNS .206 (adguard) and secondary DNS .150 (pihole). Even if you put your LAN device names in your ipfire host section they wouldn't get queried. This would only work if your ipfire box is primary DNS and uses adblock and pihole as its DNS source. So DNS queries would go: LAN → ipfire → adblock → pihole → upstream DNS. Though I would consider that overly complicated, honestly.
Great you got it working. However, I've a few ideas about your config. The host file you listed has the domain and aliases all other hosts to that. I hope that 'domain.net' is a dummy name for your actual domain. Then you are listing domain.net as a separate host. I'm not sure whether that really is your intention!? And last, you have to copy that file to your pihole host file too, as you have the pihole listed as secondary DNS server. In case your adguard machine goes down, the pihole should serve the same entries then. But then again, I'm still not sure how the pihole is even working in your config. Does it really get DNS queries?
All the requests to port 80 and 443 are redirected by IPFire to my Nginx Proxy Manager (hosted on Proxmox) which has IP 192.168.1.240.
On all subdomains listed on NPM, I set a restricted access list allowing only IP ranges in my LAN and VPN.
Also added Basic_Auth, all being monitored by Fail2ban.
On top of that, all requests from outside my LAN are proxied by Cloudflare.
Result: anyone would get a 403 page trying to access my domains (they're all for private purposes), unless you are connecting using OpenVPN or WireGuard, which I both host.
If you manage to connect through VPN, basic_auth is waiting for you, and for apps not having a basic_auth (such as Nextcloud), login failures will get you banned.
I see DNS queries on Adguard as “Rewritten - 192.168.1.240”
Purpose of all this:
having fun geeking out and understanding how all this works
having a Nextcloud accessible from everywhere, under secure conditions
having VPNs available to avoid any restrictions when travelling abroad (for example VoIP in countries banning it, such as the UAE, Qatar, etc.), as I travel often.
monitoring Jeedom, Portainer, Gameserver, etc…
and finally, obviously, to keep all the above safe, and accessible only by me.
Many thanks again for your committed answer and interest; that helped me evolve a bit.