Err404 - notes:file_server_training

dns

anonymous@undisclosed.example.com (Anonymous) — Tue, 13 Jan 2026 08:19:58 +0000

an authoritative dns server (SOA dns) will be used to declare that the server is authoritative for certain domain names.
which will make it easy to define lots of sub-domains without having to change the registrar settings.

I chose to use nsd, but I could have used knot
it's preferable to install the domain name server in a virtual machine rather than in the hypervisor to make backups easier.

and in my case I chose to install the authoritative dns server in the same machine that does reverse proxy SNI

nsd

install the nsd package available in Debian
aptitude install nsd

we'll have to edit a few files, then edit an additional file for each dns zone

nsd.conf

/etc/nsd/nsd.conf:

# NSD configuration file for Debian.
#
# See the nsd.conf(5) man page.
#
# See /usr/share/doc/nsd/examples/nsd.conf for a commented
# reference config file.
 
server:
        # log only to syslog.
        log-only-syslog: yes
 
ip-address: 2a02:8428:753:5002:97dc:9048:0:53
ip-address: 192.168.1.7
 
# use this number of cpu cores
server-count: 1
 
# We recommend leaving this empty, otherwise use "/var/db/nsd/nsd.db"
database: ""
 
#  the default file used for the nsd-control addzone and delzone commands
# zonelistfile: "/var/db/nsd/zone.list"
# The unprivileged user that will run NSD, can also be set to "" if
# user privilige protection is not needed
username: nsd
 
# Default file where all the log messages go
#logfile: "/var/log/nsd.log"
 
# Use this pid file instead of the platform specific default
pidfile: "/var/run/nsd.pid"
 
# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
hide-version: yes
hide-identity: yes
 
 
# Enable if privilege "jail" is needed for unprivileged user. Note
# that other file paths may break when using chroot
# chroot: "/etc/nsd/"
# The default zone transfer file
# xfrdfile: "/var/db/nsd/xfrd.state"
# The default working directory before accessing zone files
# zonesdir: "/etc/nsd"
 
 
 
# The following line includes additional configuration files from the
# /etc/nsd/nsd.conf.d directory.
 
include: "/etc/nsd/nsd.conf.d/*.conf"

we add a zone file, in my case I have a zone for err404.numericore.com and sub-domains like visio.err404.numericore.com and another zone for ikce.numericore.com

zones.conf

/etc/nsd/nsd.conf.d/zones.conf:

zone:
    name: ikce.numericore.com
    zonefile: /etc/nsd/nsd.conf.d/ikce.numericore.com.zone
 
zone:
    name: err404.numericore.com
    zonefile: /etc/nsd/nsd.conf.d/err404.numericore.com.zone

err404.numericore.com.zone

Beware, there's a trap that has stuck me for quite a long time:
in the line @ IN SOA ns.err404.numericore.com. err404.numericore.com. (the field err404.numericore.com. is actually an email address

on the other hand, be careful not to forget the period after domain names

I use public ip:

in ipv4 I'll use the box's public ip and redirect port 53 to the machine hosting my dns service
in ipv6 I'll directly indicate the public ipv6 of the machine hosting my dns service

the line containing Serial is simply a serial number that must be strictly increasing each time the file is updated, so we'll often use a current date and increment
/etc/nsd/nsd.conf.d/err404.numericore.com.zone:

$ORIGIN err404.numericore.com.
$TTL 7200
 
@       IN      SOA    ns.err404.numericore.com. err404.numericore.com. (
                                                2021042514 ; Serial
                                                7200       ; Refresh
                                                1800       ; Retry
                                                1209600    ; Expire
                                                86400 )    ; Minimum
 
; NAMESERVERS
 
@                   IN                NS                   ns.err404.numericore.com.
 
ns                  IN                A                    77.129.238.159
ns                  IN                AAAA                 2a02:8428:753:5002:97dc:9048:0:53
 
 
; A RECORDS
@                                   A          77.129.238.159
@                                   AAAA       2a02:8428:753:5002:fcb3:ff:fe8a:3b80
visio                               A          77.129.238.159
visio                               AAAA       2a02:8428:753:5002:fcb3:ff:fe8a:3b80

$ORIGIN err404.numericore.com. will be used as variable for the rest of the file
@ will be replaced by the variable $ORIGIN
so we will define ip for err404.numericore.com and visio.err404.numericore.com.

the box

and finally, on the box, redirect ports 53 to the ip of the machine hosting the authoritative dns server –authoritative–.

rpsni

anonymous@undisclosed.example.com (Anonymous) — Tue, 13 Jan 2026 22:53:34 +0000

You only need a reverse proxy if you don't have ipv6.
and as not everyone has ipv6 yet (there are even people who will disable ipv6 on their machine…) we'll set up a reverse proxy:

simply install a Haproxy server, either in the hypervisor or in a virtual machine.

it's preferable to install the reverse proxy in a virtual machine or container rather than in the hypervisor, to make backups easier.

and in my case I chose to install the reverse proxy in the same machine that does authoritative domain name server

in my case, virtual machines and containers have ipv6, so domain names go directly to these machines, no need for a reverse proxy sni for ipv6.
the problem is that I only have one public ipv4 (my ISP's box) and I'm obliged to share this single public ipv4 for all my virtual machines or containers.
it's to enable this cohabitation that I install a reverse proxy sni.

with ipv6, it's simple: all the machines have direct access to the Internet and can be reached directly from the Internet, they're independent and don't have port-sharing problems, so no address translation problems.

Reverse proxy sni

Install the haproxy package available in Debian apt install haproxy.

Only one file to edit:

/etc/haproy/haproxy.cfg:

global
        log /dev/log    local0 info
        log /dev/log    local1 info
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
 
 
        # Default SSL material locations
       ca-base /etc/ssl/certs
       crt-base /etc/ssl/private
 
        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
 
defaults
        log     global
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
 
 
############################
 
frontend http_in
        mode http
        option httplog
        bind [::]:80 v6only
        bind *:80
        option forwardfor
        http-request add-header X-Forwarded-For %[src]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
 
        acl host_err404 hdr(host) -i err404.numericore.com
        acl host_err404 hdr(host) -i visio.err404.numericore.com
 
        acl host_ikce hdr(host) -i ikce.numericore.com
 
 
        use_backend http_err404 if host_err404
        use_backend http_ikce if host_ikce
 
 
backend http_err404
        mode http
        option forwardfor
        balance roundrobin
        server server1 ct-err404:80
 
backend http_ikce
        mode http
        option forwardfor
        balance roundrobin
        server server1 ct-ikce:80
 
 
#######################
frontend tcp_https
        mode tcp
        option tcplog
        bind [::]:443 v6only
        bind *:443
        acl tls req.ssl_hello_type 1
        tcp-request inspect-delay 5s
        tcp-request content accept if tls
 
 
        acl host_err404 req.ssl_sni -i err404.numericore.com
        acl host_err404 req.ssl_sni -i visio.err404.numericore.com
 
        acl host_ikce req.ssl_sni -i ikce.numericore.com
 
 
        use_backend tcp_err404 if host_err404
        use_backend tcp_ikce if host_ikce
 
 
backend tcp_err404
  mode tcp
  option ssl-hello-chk
  balance roundrobin
  server err404 ct-err404:443 send-proxy check
 
backend tcp_ikce
  mode tcp
  option ssl-hello-chk
  balance roundrobin
  server ikce ct-ikce:443 send-proxy check
 
############### 
frontend port1935
  mode tcp
  option tcplog
  bind [::]:1935 v6only
  bind *:1935
  acl err404_1935 req.ssl_sni -i err404.numericore.com
 
 
  use_backend err404_1935 if err404_1935
 
 
backend err404_1935
  mode tcp
  balance roundrobin
  server err404 ct-err404:1935 send-proxy

bind [::]:80 v6only bind *:80 to listen in ipv4 AND ipv6
I added an example for 1935 port
ct-err404 and ct-ikce are my conteneurs's names, resolved by my own resolver, you can write your ip directly if you want.

Machines (virtual, containers, or other)

You will also need to modify the nginx files on the machines concerned (in my case, these are the machines ikce.numericore.com and err404.numericore.com)

In err404.numericore.com:

Simply add `proxy_protocol` in the `server` segment and only for port 443

Do not touch ipv6 since in my case the machines have public ipv6.

Here is an excerpt from the `/etc/nginx/conf.d/err404.numericore.com.conf` file:

server {
    listen 443 ssl http2 proxy_protocol;
    listen [::]:443 ssl http2;                            
    server_name err404.numericore.com;

When you modify the nginx configuration file, Yunohost will not be happy and will refuse to update them because they have been modified.

You must do the same for the other virtual machines (ikce.numericore.com in my case).

To obtain the real IP addresses of clients in IPv4 (and not just the reverse proxy IP address):
Here is an excerpt from the `/etc/nginx.conf` file:

http {
    real_ip_header proxy_protocol;
    real_ip_recursive on;
    set_real_ip_from 192.168.1.20;

Replace 192.168.1.20 with the IP address of your reverse proxy SNI.

The box

On the box, you need to redirect ports 80 and 443 to the IP address of the machine hosting the reverse proxy SNI.

start

anonymous@undisclosed.example.com (Anonymous) — Sun, 03 May 2026 20:13:50 +0000

Files server

The purpose of this training is to facilitate the setup, management, and maintenance of a self-hosted personal website and related services.
Required equipment

Hardware requirements

A USB key to copy Proxmox ve install https://enterprise.proxmox.com/iso/ (if the Proxmox way is chosen)
A computer connected to the Internet that will be dedicated to hosting services, otherwise use a hosting service

Optional services

authoritative domain name server

In my case, I chose to have an authoritative domain name server, but this is not mandatory.

SNI reverse proxy

The SNI reverse proxy is only necessary if you want to have several virtual machines (or containers) sharing the same public IPv4 address.

As can be seen in the diagram, IPv6 is easier to configure than when you only have one public IPv4 address.

Installations

I recommend installing a hypervisor (Proxmox) to host the virtual machines or containers for the website and associated services. It is possible to use a hypervisor other than Proxmox, such as virt-manager, VirtualBox, etc.
In any case, it is preferable to configure the network in bridge mode to avoid having to manage NAT redirection.
Proxmox uses bridges by default, which suits our needs.

Proxmox

Copy the Proxmox ISO to the USB key and boot the computer from it.
Follow the installation steps: xfs, root:30GB.
Proxmox configuration.
Add the user userhttps://your_server_proxmox:8006/# v1:0:18:4:::::::14
Give them admin rights: https://your_server_proxmox:8006/#v1:0:18:4:::::::6
Edit /etc/ssh/sshd_config: permitrootlogin no

Yunohost

Yunohost can be installed in two ways in Proxmox: as a virtual machine or as a container. This will depend on your process isolation requirements.

I recommend installing Yunohost as a container, but if you want to install it as a virtual machine, instructions are available here: Yunohost as a virtual machine

Yunohost installation (in container)

Yunohost is installed in an existing container:

Yunohost is based on Debian, so I install a Debian container:

(documentation: https://pve.proxmox.com/wiki/Linux_Container#pct_container_images)
(documentation: https://doc.yunohost.org/en/admin/get_started/install_on/on_top_of_debian)

Here are some commands to run as root in the Proxmox terminal to add the container images:

pveam update

(updates the list of available container images)

pveam available --section system | grep debian

(displays the list of Debian containers only)

pveam download local debian-12-standard_12.7-1_amd64.tar.zst

(downloads the latest available Debian image)

When the download is complete, you can create a container from this image. 20 GB of disk space should be sufficient.
Start the container…
Once in the container as root, retrieve the yunohost installation script and execute it:

cd /root
apt update
wget install.yunohost.org -O install.yunohost.sh
chmod +x install.yunohost.sh
/root/install.yunohost.sh

Once the basic installation is complete, simply go to the web browser to continue. Or type ‘yunohost tools postinstall’ in the command line.

Get a domain name

either with yunohost
or from a registrar

Once the domain name is registered, you just need to generate the certificate on the Yunohost/admin side.

Authoritative domain name server (optional)

if you want to have subdomains and manage them yourself (which will avoid having to go through the registrar for each change).
you must then declare your main domain name as SOA, i.e. set up and declare an authoritative domain name server.
For example, with nsd (which I chose) or knot (which I have not yet tested).

Adding an application

Choose from:

dokuwiki nextcloud calibre galene jirafeau lufi ... etc.

It is possible to have several containers (or virtual machines), each with its own Yunohost, rather than having all the applications in the same Yunohost virtual machine.
This will mainly depend on the use, and if you choose to have several machines (virtual or not), you will need to set up a SNI reverse proxy (because you will probably only have one public IPv4 address and will need to share it between the machines; with IPv6, this kind of problem does not arise).

IPv4 only: Opening ports (and NAT redirects)

Identify the ports to be opened.
Open them on the Internet box side and specify the redirect.
If you have set up an SNI proxy server, you will need to redirect ports 80 and 443 to the SNI proxy server.

Keep in mind that NAT issues do not exist in ipv6 (unless you have CGNAT, but in that case I recommend changing your Internet service provider).
In ipv6, the machine is directly connected to the Internet, with all ports exposed on the public IP (which starts with 2).

Backups (very important)

Yunohost is capable of backing up applications, but it does not back up itself. That's why I use Yunohost in a virtual machine (or container) and have Proxmox perform the backup.
However, a backup should not remain on the same hard drive as its source and should be stored in a different geographical location.

In our case, using a second hard drive would already be a good solution.

Read the logs (important)

Problems encountered during self-hosting

Some ISPs do not route properly to the IP ranges of other ISPs.
The public IP may change without notice, in which case you will need to update the DNS entries and regenerate the certificates.
It may also happen that the box does not deliver a public IPv6 address but only a locally unique IPv6 address. In this case, you will need to force a public IPv6 address.
Some ISPs do not give IPv6 addresses to their customers, or only in certain areas.
In general, you only have one public IPv4 address, so if you want to host multiple services that require the same ports, you will need to set up a SNI reverse proxy.