setting up a local domain

I've been messing around with my local network lately, trying to add services and little tools to make things run smoothly like I posted about previously. One thing that had been annoying me is that the URLs I was using for local services were either getting proxied over the wider internet or they were unwieldy generic names with a port number tacked on.

It was time to set up a locally routable domain.

I've created an mkcert wildcard certificate for *.mydomain.internal (signed by mkcert's local CA rather than strictly self-signed) and added a couple of DNS entries on my Headscale VPN control server. These point to a VM I'm using for various internal network things and get handled by a Caddy reverse proxy. The mkcert wildcard is good for two years, so hopefully I'll have something better before then.

How it fits together

The setup is pretty straightforward once you understand the moving parts. When a device on my network tries to reach something like dashboard.mydomain.internal, the request hits my VPN control server's DNS first. It resolves the wildcard entry and points traffic at the internal VM, where Caddy picks it up and routes it to whichever service is actually running on whatever port.

The wildcard certificate

The wildcard certificate is the part that makes this feel clean. Rather than generating a new cert for every subdomain, mkcert let me create one cert that covers everything under *.mydomain.internal. Since mkcert installs its own local CA, any device that trusts that CA will get a valid green padlock — no browser warnings, no certificate exceptions to click through.

The catch is that you need to distribute the CA certificate to every device you want to use the services from. For my machines that was easy enough; phones and tablets are a bit more of a faff depending on the OS. Only the CA's public certificate needs to go out: the CA private key stays on the machine that runs mkcert, and because every device that trusts the CA will accept anything it signs, that key deserves the same care as any other signing key. Potentially I could just use a "real" domain and go with Let's Encrypt to make this even smoother, but I wanted to be sure I could still run the whole setup even without any internet connectivity at all.

Caddy config

On the Caddy side, configuration stays simple too. Adding a new internal service is just a matter of dropping a new reverse proxy block into the Caddyfile pointing at the right host and port, and it automatically picks up the wildcard cert. No reloading nginx, no fiddling with certificate paths.
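The three steps above (local CA and wildcard cert, Caddyfile per service, reload) as one added shell script. This is example code written for this page, not the author's own scripts; it assumes mkcert, openssl and caddy are on PATH, that certificates live under /etc/caddy/certs (an assumed location), and that Headscale DNS already resolves *.mydomain.internal to the VM running Caddy. The 192.168.1.47:8123 target is the one mentioned in the post; the grafana entry is a constructed sample.

```shell
#!/bin/sh
# Added example for the post's setup; not the author's own scripts.
# Assumptions (not stated in the post): mkcert, openssl and caddy are on PATH,
# certificates live under /etc/caddy/certs, and Headscale DNS already resolves
# *.mydomain.internal to the VM running Caddy.
set -eu

DOMAIN="${DOMAIN:-mydomain.internal}"
CERT_DIR="${CERT_DIR:-/etc/caddy/certs}"

# Step 1: one local CA per machine, one wildcard leaf for everything under DOMAIN.
issue_wildcard_cert() {
    mkdir -p "$CERT_DIR"
    mkcert -install                       # installs mkcert's root CA into this machine's trust stores
    mkcert -cert-file "$CERT_DIR/wildcard.pem" \
           -key-file "$CERT_DIR/wildcard-key.pem" \
           "*.$DOMAIN"
    # Only the public root cert goes to other devices; the CA private key stays here.
    echo "copy $(mkcert -CAROOT)/rootCA.pem to each client device"
}

# Step 2: render a Caddyfile. Each argument is name=host:port and becomes
# https://name.DOMAIN, terminated with the wildcard cert and proxied to host:port.
render_caddyfile() {
    printf '*.%s {\n' "$DOMAIN"
    printf '    tls %s/wildcard.pem %s/wildcard-key.pem\n' "$CERT_DIR" "$CERT_DIR"
    for svc in "$@"; do
        name="${svc%%=*}"
        target="${svc#*=}"
        printf '\n    @%s host %s.%s\n' "$name" "$name" "$DOMAIN"
        printf '    handle @%s {\n        reverse_proxy %s\n    }\n' "$name" "$target"
    done
    # Any name under the wildcard with no matcher gets a 404 rather than a proxy.
    printf '\n    handle {\n        respond 404\n    }\n}\n'
}

# Step 3: write, validate and reload. 192.168.1.47:8123 is the target from the post;
# the grafana entry is a constructed sample.
apply() {
    issue_wildcard_cert
    render_caddyfile dashboard=192.168.1.47:8123 grafana=127.0.0.1:3000 > /etc/caddy/Caddyfile
    caddy validate --config /etc/caddy/Caddyfile
    caddy reload --config /etc/caddy/Caddyfile
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it as `sh setup.sh apply` on the Caddy VM; adding a service later is just another `name=host:port` argument to `render_caddyfile`. The trailing `handle { respond 404 }` matters with a wildcard: without it, a typo'd hostname would otherwise fall through to Caddy's default behaviour instead of a clear 404.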

The two-year problem

The two-year expiry on the cert is the one thing that gives me mild anxiety. My plan is to look at getting proper internal PKI sorted before then — something like Step CA would let me run short-lived certs and automate renewal properly. But for now, a calendar reminder and a manually regenerated cert are good enough.
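A small added check that does the calendar reminder's job from cron or a systemd timer, written for this page rather than taken from the post. It reads the certificate's notAfter date with openssl, reports how many days are left against a warning threshold, and also confirms the SAN list still covers *.mydomain.internal (a regenerated cert issued for the wrong name is the other way this setup silently breaks). It assumes openssl and GNU date (`date -d`) are available and that the cert sits at an assumed path under /etc/caddy/certs.

```shell
#!/bin/sh
# Added example for the expiry problem in the post; not the author's own code.
# Assumes openssl and GNU date (for `date -d`), and that the wildcard cert is at
# the assumed path below.
set -eu

CERT="${CERT:-/etc/caddy/certs/wildcard.pem}"
DOMAIN="${DOMAIN:-mydomain.internal}"
WARN_DAYS="${WARN_DAYS:-30}"

# Whole days from epoch $1 to epoch $2. Shell arithmetic truncates toward zero,
# so a cert that expired less than 24h ago reports 0 rather than -1.
days_between() {
    echo $(( ($2 - $1) / 86400 ))
}

# Classify a remaining-days count: ok, renew (inside the warning window) or expired.
expiry_status() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -lt "$WARN_DAYS" ]; then
        echo renew
    else
        echo ok
    fi
}

# notAfter of a PEM certificate as epoch seconds.
cert_expiry_epoch() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -d "$not_after" +%s
}

# Does the certificate's SAN list still include the wildcard name?
covers_wildcard() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:*.$DOMAIN"
}

check_cert() {
    left=$(days_between "$(date +%s)" "$(cert_expiry_epoch "$1")")
    status=$(expiry_status "$left")
    if ! covers_wildcard "$1"; then
        echo "WARNING: $1 does not list *.$DOMAIN in its SANs"
    fi
    echo "$status: $left days until $1 expires (warning threshold $WARN_DAYS days)"
    # Non-zero exit when renewal is due, so a timer or monitoring job can alert on it.
    [ "$status" = ok ]
}

if [ "${1:-}" = "check" ]; then
    check_cert "$CERT"
fi
```

Run `sh check-cert.sh check` from a daily timer; when it starts exiting non-zero, regenerate with mkcert and reload Caddy. Thirty days is a comfortable window for a manual renewal; shorten it once renewal is automated.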

It's one of those things that feels like a lot of setup upfront but pays off immediately. Local services actually feel like real services now rather than 192.168.1.47:8123 scribbled in a notes app somewhere.