Setup home network with multiple SSL devices on one IP

Is it possible in some way to use multiple SSL devices (Raspberry Pi and Synology) behind a router with only one incoming IP? My wish is to use it with subdomains. I can point both subdomains to the incoming IP, but how do I split them behind the router? Could it help with a local DNS server? I know that the Synology can act as a DNS server but would that help me?

The devices both use SSL certificates from Let's Encrypt.

Big thanks in advance!


Solution 1:

Is it possible in some way to use multiple SSL devices (Raspberry Pi and Synology) behind a router with only one incoming IP?

Yes. What you are talking about requires setting up a reverse proxy. Basically, you need to make e.g. subdomain s1.abc.com and subdomain s2.abc.com point to a web server (reverse proxy) such as Apache or Nginx on your network and then have that web server forward incoming requests to the appropriate devices:

Reverse Proxy Diagram

I can point both subdomains to the incoming IP but how do I split them behind the router?

The reverse proxy will need virtual hosts (for Apache) or server blocks (Nginx) for both subdomains. Any appropriate HTTPS or proxy directives will generally live under these entries.

I know that the Synology can act as a DNS server but would that help me?

DNS is not a solution in this case, so no, not for "splitting" incoming requests (though having a DNS server could be helpful generally outside of this).

Both devices use SSL certificates from Let's Encrypt.

The easiest thing to do would be to transfer these certificates to the reverse proxy and use HTTP on your internal network. HTTPS forwarding internally is possible but potentially more of a headache and less necessary for simple home use.

Notes

  • I would suggest initially setting up your reverse proxy as HTTP-only for testing, then add the certificates afterwards.

  • Let's Encrypt now offers wildcard domain certificates (since approximately January 2018). This could be useful if you have a number of subdomains and wish to minimize the number of certificates you need to keep track of. Note that wildcard domains require verification through DNS TXT records (this might be where the Synology could come in handy, at least under certain circumstances).
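
The setup described in this answer, sketched as an Nginx configuration. This is an added example, not part of the original answer: it terminates TLS on the proxy for s1.abc.com and s2.abc.com and forwards plain HTTP to each device. The internal addresses and ports, the certificate paths and the file location are assumptions, and the router is assumed to forward ports 80 and 443 to the proxy host.

```nginx
# Added example; addresses, ports and certificate paths are assumptions.
# Place inside the http { } context, e.g. /etc/nginx/conf.d/home-proxy.conf

# Redirect plain HTTP to HTTPS for both subdomains.
server {
    listen 80;
    server_name s1.abc.com s2.abc.com;
    return 301 https://$host$request_uri;
}

# Refuse TLS handshakes for any name other than the two served below,
# so requests to the bare IP never reach a device (nginx 1.19.4 or later).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# s1.abc.com -> Raspberry Pi (assumed at 192.168.1.10, HTTP on port 80)
server {
    listen 443 ssl;
    server_name s1.abc.com;
    ssl_certificate     /etc/letsencrypt/live/s1.abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/s1.abc.com/privkey.pem;

    location / {
        proxy_pass http://192.168.1.10:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# s2.abc.com -> Synology (assumed at 192.168.1.20, HTTP on port 5000)
server {
    listen 443 ssl;
    server_name s2.abc.com;
    ssl_certificate     /etc/letsencrypt/live/s2.abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/s2.abc.com/privkey.pem;

    location / {
        proxy_pass http://192.168.1.20:5000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the file with `nginx -t` before reloading. With this layout only the proxy host needs to be reachable from the router; the devices themselves stay unexposed on the internal network.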