Infrastructure April 15, 2026

The Edge: Routing & Identity

How Traefik v3, Authelia, and AdGuard Home form the impregnable edge of the Nexus.

The Core Philosophy

Exposing services to the internet securely requires a robust edge layer. The Websters Nexus is entirely consolidated under the home.websters.at domain using modern reverse-proxy architecture.

Edge Proxy: Traefik v3

Traefik sits at the absolute edge of the network. It listens on ports 80 and 443, automatically negotiating dual Let’s Encrypt certificates for the master domain and all subdomains.

Instead of relying on massive Nginx configuration files, Traefik reads Docker labels. When I spin up a new service like Hedgedoc or Immich, I attach Traefik labels such as traefik.enable=true to its container, and Traefik dynamically maps the routes md.home.websters.at or photos.home.websters.at in real time.

Alternative considered: Nginx Proxy Manager. While NPM provides a great GUI, it doesn’t offer the zero-downtime, fully dynamic magic of Traefik reading the Docker socket directly.

Single Sign-On: Authelia

Some services shouldn’t be publicly visible. For those, Traefik routes traffic through Authelia.

Authelia enforces Multi-Factor Authentication (MFA) at the edge. If an unauthenticated user hits a restricted subdomain, they are intercepted by Authelia’s login portal. Only after successful authentication does Traefik forward the request to the internal Docker service.
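
The label-driven routing and the Authelia gate described above, as one Docker Compose sketch. This is an added example, not the author's configuration: the auth.* and internal.* hostnames, the resolver name le, the e-mail placeholder, the image tags, the ACME challenge type and the whoami stand-in service are all assumptions.

```yaml
# Added illustration, not the Nexus configuration. Hostnames auth.* and internal.*,
# resolver name "le", image tags and the TLS-ALPN challenge are assumptions.
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only labelled containers get routes
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=admin@example.com   # placeholder
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports: ["80:80", "443:443"]
    volumes:
      # :ro only protects the socket file; anyone who reaches it can still drive the Docker API
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt

  authelia:
    image: authelia/authelia:4.38
    volumes: ["./authelia:/config"]
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host(`auth.home.websters.at`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls.certresolver=le
      - traefik.http.services.authelia.loadbalancer.server.port=9091
      # forwardAuth middleware: Traefik asks Authelia before proxying each request
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name

  internal:   # stand-in for a restricted service
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.internal.rule=Host(`internal.home.websters.at`)
      - traefik.http.routers.internal.entrypoints=websecure
      - traefik.http.routers.internal.tls.certresolver=le
      - traefik.http.routers.internal.middlewares=authelia@docker   # without this line the route is public

volumes:
  letsencrypt:
```

The MFA requirement itself lives in Authelia's own access-control policy under ./authelia, which is not shown here; the labels only decide which routers consult Authelia at all.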

DNS & Network Control: AdGuard Home

To manage DNS records internally and block network-wide tracking or malicious data, I run AdGuard Home. It forces secure encrypted DNS (DoH/DoT) for all internal devices, keeping the local network pristine and resolving internal reverse-proxied domains seamlessly before they even hit the external internet.