initial commit
This commit is contained in:
@@ -0,0 +1,78 @@
|
||||
# DuckDNS Temporary Domain Alias
|
||||
|
||||
Use when a domain is NRD-blocked by corporate firewalls or a new domain needs immediate accessibility. The DuckDNS domain (usually years old) bypasses NRD filters.
|
||||
|
||||
## When needed
|
||||
|
||||
- Domain registered less than 30 days ago → corporate networks block it
|
||||
- Need a quick workaround while the domain ages past the NRD window
|
||||
- Already have a DuckDNS domain set up and pointing to the VPS
|
||||
|
||||
## Steps
|
||||
|
||||
### 1. Update DuckDNS to point to VPS
|
||||
|
||||
```bash
|
||||
# If DuckDNS points to 127.0.0.1 or is stale:
|
||||
curl -s "https://www.duckdns.org/update?domains=<duckdns-name>&token=<token>&ip=<vps-ip>"
|
||||
```
|
||||
|
||||
### 2. Set up auto-updater
|
||||
|
||||
DuckDNS requires periodic updates to keep the IP current. Create a simple cron:
|
||||
|
||||
```bash
|
||||
mkdir -p ~/.hermes/scripts
|
||||
cat > ~/.hermes/scripts/duckdns-update.sh << 'SCRIPT'
|
||||
#!/bin/bash
|
||||
# IMPORTANT: &ip=<vps-ip> must be explicit. Leaving &ip= empty causes DuckDNS to
|
||||
# auto-detect the requesting server's public IP (the HOME server, not the VPS),
|
||||
# which breaks DNS for all services.
|
||||
echo "$(date): $(curl -s 'https://www.duckdns.org/update?domains=<name>&token=<token>&ip=<vps-ip>&verbose=true')" >> ~/duckdns/update.log
|
||||
SCRIPT
|
||||
chmod +x ~/.hermes/scripts/duckdns-update.sh
|
||||
```
|
||||
|
||||
Then schedule via `cronjob` tool: `no_agent=true`, `script=duckdns-update.sh`, `schedule=every 5m`, `deliver=local`.
|
||||
|
||||
### 3. Add VPS nginx server block for the new domain
|
||||
|
||||
For a service that sits behind the home server's nginx SSL (like ShopProQuote on port 443):
|
||||
|
||||
```nginx
|
||||
server {
|
||||
server_name <duckdns-domain>;
|
||||
|
||||
location / {
|
||||
proxy_pass https://<home-tailscale-ip>:<port>;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host <duckdns-domain>; # MUST match home nginx server_name
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_ssl_verify off;
|
||||
proxy_read_timeout 86400;
|
||||
proxy_buffering off;
|
||||
}
|
||||
|
||||
listen 80;
|
||||
}
|
||||
```
|
||||
|
||||
Link it: `ln -sf /etc/nginx/sites-available/<name> /etc/nginx/sites-enabled/`
|
||||
|
||||
### 4. Provision SSL
|
||||
|
||||
```bash
|
||||
certbot --nginx -d <duckdns-domain> --non-interactive --agree-tos --email <email>
|
||||
```
|
||||
|
||||
### 5. Critical: Host header must match home nginx server_name
|
||||
|
||||
The home server nginx has a specific `server_name` in its config. If the VPS proxy sends a different `Host` header, the request hits the wrong server block (or the default), which in SPAs causes redirect loops between login and index pages. Always verify the home nginx config's `server_name` and match it exactly in `proxy_set_header Host`.
|
||||
|
||||
## Pitfall: localStorage auth tokens
|
||||
|
||||
PocketBase and Firebase store auth tokens in `localStorage`, which is domain-scoped. Users must re-authenticate on the new domain — their old domain's session won't carry over.
|
||||
Reference in New Issue
Block a user