# DuckDNS Temporary Domain Alias Use when a domain is NRD-blocked by corporate firewalls or a new domain needs immediate accessibility. The DuckDNS domain (usually years old) bypasses NRD filters. ## When needed - Domain registered less than 30 days ago → corporate networks block it - Need a quick workaround while the domain ages past the NRD window - Already have a DuckDNS domain set up and pointing to the VPS ## Steps ### 1. Update DuckDNS to point to VPS ```bash # If DuckDNS points to 127.0.0.1 or is stale: curl -s "https://www.duckdns.org/update?domains=&token=&ip=" ``` ### 2. Set up auto-updater DuckDNS requires periodic updates to keep the IP current. Create a simple cron: ```bash mkdir -p ~/.hermes/scripts cat > ~/.hermes/scripts/duckdns-update.sh << 'SCRIPT' #!/bin/bash # IMPORTANT: &ip= must be explicit. Leaving &ip= empty causes DuckDNS to # auto-detect the requesting server's public IP (the HOME server, not the VPS), # which breaks DNS for all services. echo "$(date): $(curl -s 'https://www.duckdns.org/update?domains=&token=&ip=&verbose=true')" >> ~/duckdns/update.log SCRIPT chmod +x ~/.hermes/scripts/duckdns-update.sh ``` Then schedule via `cronjob` tool: `no_agent=true`, `script=duckdns-update.sh`, `schedule=every 5m`, `deliver=local`. ### 3. Add VPS nginx server block for the new domain For a service that sits behind the home server's nginx SSL (like ShopProQuote on port 443): ```nginx server { server_name ; location / { proxy_pass https://:; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host ; # MUST match home nginx server_name proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_ssl_verify off; proxy_read_timeout 86400; proxy_buffering off; } listen 80; } ``` Link it: `ln -sf /etc/nginx/sites-available/ /etc/nginx/sites-enabled/` ### 4. Provision SSL ```bash certbot --nginx -d --non-interactive --agree-tos --email ``` ### 5. Critical: Host header must match home nginx server_name The home server nginx has a specific `server_name` in its config. If the VPS proxy sends a different `Host` header, the request hits the wrong server block (or the default), which in SPAs causes redirect loops between login and index pages. Always verify the home nginx config's `server_name` and match it exactly in `proxy_set_header Host`. ## Pitfall: localStorage auth tokens PocketBase and Firebase store auth tokens in `localStorage`, which is domain-scoped. Users must re-authenticate on the new domain — their old domain's session won't carry over.