Files
2026-07-12 10:17:17 -04:00

2.9 KiB

DuckDNS Temporary Domain Alias

Use when a domain is NRD-blocked by corporate firewalls or a new domain needs immediate accessibility. The DuckDNS domain (usually years old) bypasses NRD filters.

When needed

  • Domain registered less than 30 days ago → corporate networks block it
  • Need a quick workaround while the domain ages past the NRD window
  • Already have a DuckDNS domain set up and pointing to the VPS

Steps

1. Update DuckDNS to point to VPS

# If DuckDNS points to 127.0.0.1 or is stale:
curl -s "https://www.duckdns.org/update?domains=<duckdns-name>&token=<token>&ip=<vps-ip>"

2. Set up auto-updater

DuckDNS requires periodic updates to keep the IP current. Create a simple cron:

mkdir -p ~/.hermes/scripts
cat > ~/.hermes/scripts/duckdns-update.sh << 'SCRIPT'
#!/bin/bash
# IMPORTANT: &ip=<vps-ip> must be explicit. Leaving &ip= empty causes DuckDNS to
# auto-detect the requesting server's public IP (the HOME server, not the VPS),
# which breaks DNS for all services.
echo "$(date): $(curl -s 'https://www.duckdns.org/update?domains=<name>&token=<token>&ip=<vps-ip>&verbose=true')" >> ~/duckdns/update.log
SCRIPT
chmod +x ~/.hermes/scripts/duckdns-update.sh

Then schedule via cronjob tool: no_agent=true, script=duckdns-update.sh, schedule=every 5m, deliver=local.

3. Add VPS nginx server block for the new domain

For a service that sits behind the home server's nginx SSL (like ShopProQuote on port 443):

server {
    server_name <duckdns-domain>;

    location / {
        proxy_pass https://<home-tailscale-ip>:<port>;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host <duckdns-domain>;       # MUST match home nginx server_name
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ssl_verify off;
        proxy_read_timeout 86400;
        proxy_buffering off;
    }

    listen 80;
}

Link it: ln -sf /etc/nginx/sites-available/<name> /etc/nginx/sites-enabled/

4. Provision SSL

certbot --nginx -d <duckdns-domain> --non-interactive --agree-tos --email <email>

5. Critical: Host header must match home nginx server_name

The home server nginx has a specific server_name in its config. If the VPS proxy sends a different Host header, the request hits the wrong server block (or the default), which in SPAs causes redirect loops between login and index pages. Always verify the home nginx config's server_name and match it exactly in proxy_set_header Host.

Pitfall: localStorage auth tokens

PocketBase and Firebase store auth tokens in localStorage, which is domain-scoped. Users must re-authenticate on the new domain — their old domain's session won't carry over.