I host it via docker+nginx on my own hardware.

I’m in the same boat (sorta)!

Follow up question, did you have trouble exposing port :80 & :443 to the internet? Also are you also using Swarm or Kubernetes?

I have the docker engine setup on a machine along side Traefik (have tried Nginx in the past) primarily using Docker Compose and it works beautifully on LAN however I can’t seem to figure out why I can’t connect over the internet, I’m forced to WireGuard/VPN into my home network to access my site.

No need to provide troubleshooting advice, just curious on your experience.

Buy the cheapest laptop you can find, with a broken screen it's fine.
Install debian 12 on it
give it a memorable name, like "server"
go to a DNS registrar of your choice, maybe "porkbun" and buy your internet DNS name
for example "MyInternetWebsite.tv", this will cost you 20$/30$ for the rest of your life, or until we finally abolish the DNS system to something less extortionnate
Install webmin and then apache on it
go to your router,
give the laptop a static address in the DNS section
Some router do no have the ability to apply a static dhcp lease to computers on your network, in that case it will be more complicated or you will have to buy a new one, one that preferably supports openwrt.
then go to port forwarding and forward the ports 80 and 443 to the address of the static dhcp lease
now use puttygen to create a private key, copy that public key to your linux laptop's file called /root/.ssh/authorized_keys
go to the webmin interface, which can be accessed with http://server.lan:10000/ from any computer on your PC
and setup dynamic dns, this will make the DNS record for MyInternetWebsite.tv change when the IP of your internet connection changes, which can happen at any time, but usually rarely does. But you have to, or else when it changes again, your website and email will stop working.
Now go to your desktop computer, and download winsshfs, put in your private key and mount the folder /var/www/html/ to a drive letter like "T:"
Now, whatever you put in T: , will be the content of your very own internet web server enjoy

While i appreciate the detailed response here i did make another comment letting OP know i'm in a similiar situation as them, i use Docker Engine & Docker Compose for my self-hosting needs on a 13th Gen Asus Nuc (i7 model) running Proxmox with a Debian 12 VM. My reverse proxy is traefik and i am able to receive SSL certificates on port :80/:443 (also have Fail2Ban setup) however, i can't for the life of me figure out how to expose my containers to the internet.

On my iPhone over LTE/5G trying my domain leads to an "NSURLErrorDomain" and my research of this error doesn't give me much clarity. Edit appears to be a 503 error.

::: spoiler This is a snippet of my docker-compose.yml

services:
  homepage:
    image: ghcr.io/gethomepage/homepage
    hostname: homepage
    container_name: homepage
    networks:
      - main
    environment:
      PUID: 0 # optional, your user id
      PGID: 0 # optional, your group id
      HOMEPAGE_ALLOWED_HOSTS: my.domain,*
    ports:
      - '127.0.0.1:3000:3000'
    volumes:
      - ./config/homepage:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock #:ro # optional, for docker integrations
      - /home/user/Pictures:/app/public/icons
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.rule=Host(`my.domain`)"
      - "traefik.http.routers.homepage.entrypoints=https"
      - "traefik.http.routers.homepage.tls=true"
      - "traefik.http.services.homepage.loadbalancer.server.port=3000"
      - "traefik.http.routers.homepage.middlewares=fail2ban@file"
      # - "traefik.http.routers.homepage.tls.certresolver=cloudflare"
      #- "traefik.http.services.homepage.loadbalancer.server.port=3000"
      #- "traefik.http.middlewares.homepage.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 172.18.0.0/16, 208.118.140.130"
      #- "traefik.http.middlewares.homepage.ipwhitelist.ipstrategy.depth=2"
  traefik:
    image: traefik:v3.2
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - main
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 55262
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 57442
        mode: host
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik/traefik.yml:/traefik.yml:ro
      - ./config/traefik/acme.json:/acme.json
      #- ./config/traefik/config.yml:/config.yml:ro
      - ./config/traefik/custom-yml:/custom
      # - ./config/traefik/homebridge.yml:/homebridge.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.my.domain`)"
      #- "traefik.http.middlewares.traefik-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 208.118.140.130, 172.18.0.0/16"
      #- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`my.domain`)"
      #- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=my.domain"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.my.domain"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=fail2ban@file"
:::

Image of my port-forwarding rules (note; the 3000 internal/external port was me "testing")
![](https://sh.itjust.works/pictrs/image/fa56898b-d183-4fca-99ed-db4a2b3aaf2f.png)

___

**Edit:** I should note the [Asus Documentation for Port-forwarding](https://www.asus.com/support/faq/1037906/) mentions this:

> 2. Port Forwarding only works within the internal network/intranet(LAN) but cannot be accessed from Internet(WAN).

>  (1) First, make sure that Port Forwarding function is set up properly. You can try not to fill in the  [ Internal Port ] and [ Source IP ], please refer to the Step 3.

>  (2) Please check that the device you need to port forward on the LAN has opened the port. 
       For example, if you want to set up a HTTP server for a device (PC) on your LAN, make sure you have opened HTTP port 80 on that device.

>  (3) Please note that if the router is using a private WAN IP address (such as connected behind another router/switch/modem with built-in router/Wi-Fi feature), could potentially place the router under a multi-layer NAT network. Port Forwarding will not function properly under such environment.

> Private IPv4 network ranges:

> Class A: 10.0.0.0 – 10.255.255.255

> Class B: 172.16.0.0 – 172.31.255.255

> Class C: 192.168.0.0 – 192.168.255.255

> CGNAT IP network ranges:

> The allocated address block is 100.64.0.0/10, i.e. IP addresses from 100.64.0.0 to 100.127.255.255.

I want to highlight the fact that i may be under a multi-layered NAT, the folks in my household demand the ISP router given that i have PiHole running DNS blocking and my Asus Router routes all outbound connections through a VPN tunnel, besides DDNS obviously which my router also handles, i have to run these routers in bridged-mode so that they share the same WAN IP **but**, if I am able to receive SSL/TLS certificates from LetsEncrypt on port :80/:443 that means port-forwarding is working as intended right? 

the internet peaked in 2000

I keep everything as flat as possible. Just the regular docker (+compose) package running on vanilla Debian. On the networking side, I’m lucky in that I have a government-run fiber provider that doesn’t care that much what I host, so it’s just using the normal ports.

I did previously use C*mcast, and I remember there was an extra step I had to do to get it to redirect port 80 over 443, but I couldn’t tell you what that step was anymore.

I think this is the first time I found a reasonable take on "how to fix the internet". You can't fix the corpo web. Most people just want constant updates and they don't care about ads, bots and AI slop. You can't change their minds.

Saying "fuck it, I will just build my own thing and I don't care if anyone will see it" is the right approach. Couple of times I was thinking about creating some guides (like guide to public EV chargers in Spain) and I just gave up because I realized I'm not going to win the SEO war and no one is going to view it. Why write guides if they are not helping anyone? I'm still not sure if it makes sense to create guides but it may be a good idea to create a simple site, post some photos, share a story. I will probably do it.

Hi,

The internal port will also be the same as the external port 80 and 443.
If the router is running in bridge mode, that would mean that your dhcp, dns and nat is happening on the upstream router.
That means you will have to go to the upstream router to setup the port forwarding.

Also depending on how it works internally with the VPN.
It might try to port forward the ports on the VPN's ip address
Which none of the VPN I tried allowed to port forward port 80 and 443

With a linux or openwrt router this could be as easy as the following

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.199:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.199:443

But the problem with store bought router is that every one of them has a different way of doing the things so it gets confusing really fast.

All of this confusion about port forwarding was engineered to discourage ordinary people from using their internet to host their own files and instead because cloud-dependant techno-serfs.

Another way, would be to go on the forum low end talk and obtain a VPS, and host your apache server there.
That would work, but you would be back to renting someone else's computer (aka cloud bull) but it's still better than paying squarespace about it.

Keep at it, you'll figure it out, it's actually very easy once you know all the complicated bits, I do it all the time.

Beautiful, I bookmarked it.

Thank you for sharing.

Adding my voice to the chorus of "this is how I feel" because, well, it encapsulates exactly how I feel. Author's personnal website is now in my RSS reader under a new category: Slow Web.

If anyone has suggestions for more website to add to that category they're more than welcomed.

Once again, thank you for your insight! It truly does help a lot.

Today I learned the VPN routing is the cause of my issues, I opted to expose my homelab to WAN and tried to connect over LTE/5G and was surprised to see it actually resolve!

I also learned Fail2Ban has failed me in this regard.

Unfortunately this now throws a wrench in my plans In regard to security so now I’m debating on getting another piece of hardware and labelling one as “front end” and the other as “back end” so that the “back end” doesn’t share the same public IP as the “front end”.

This has ignited a spark to rework my homelab!

Realistically, you don't need security, NAT alone is enough since the packets have nowhere to go without port forwarding.

But IF you really want to build front end security here is my plan.

ISP bridge -> WAN port of openwrt capable router with DSA supported switch (that is almost all of them)
Set all ports of the switch to VLAN mirroring mode
bridge WAN and LAN sides
Fail2Ban IP block list in the bridge

LAN PORT 1 toward -> OpenWRT running inside Proxmox LXC (NAT lives here) -> top of rack switch
LAN PORT 2 toward -> Snort IDS
LAN PORT 3 toward -> combined honeypot and traffic analyzer

Port 2&3 detect malicious internet hosts and add them to the block list

(and then multiple other openwrt LXCs running many many VPN ports as alternative gateways, I switch LAN host's internet address by changing their default gateway)

I run no internal VLAN, all one LAN because convenience is more important than security in my case.