Changes:
- Added public internet layer showing HTTPS traffic flow
- Clarified that internal network uses HTTP (no SSL/TLS)
- Added traffic flow summary section
- Updated 'How It Works' section to explicitly mention HTTPS externally, HTTP internally
- Added 'Key Points' section explaining no double encryption
The diagram now clearly shows:
1. 🌐 Public Internet → HTTPS (ports 80/443)
2. Core Server (SSL termination)
3. Internal Network → HTTP (no encryption needed)
4. Additional Servers (direct port access)
Multi-Server Deployment with On-Demand Services
Overview
This guide explains the current multi-server architecture where:
- Core Server: Handles external traffic (ports 80/443); runs DuckDNS, Traefik (multi-provider), Authelia
- Additional Servers: Run Sablier (lazy loading) with direct port exposure; no local Traefik
- Manual Routing: Core Traefik routes to IP:PORT combinations via YAML configuration files
- Independent Management: Each server manages its own containers with lazy loading
Note: This document describes the current simplified architecture. Additional servers are "headless" - they expose ports directly without local reverse proxy.
Architecture Diagram
┌─────────────────────────────────────────────────────────────────┐
│ 🌐 PUBLIC INTERNET │
│ HTTPS Traffic (Ports 80/443 forwarded from router) │
└─────────────────────┬───────────────────────────────────────────┘
│
▼ HTTPS (SSL/TLS)
┌─────────────────────────────────────────────────────────────────┐
│ CORE SERVER │
│ ┌────────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────┐ │
│ │ DuckDNS │ │ Traefik │ │ Authelia │ │ Core Services │ │
│ │ (SSL DNS) │ │ (multi- │ │ (SSO) │ │ (local) │ │
│ │ │ │ provider)│ │ │ │ │ │
│ └────────────┘ └────┬─────┘ └──────────┘ └──────────────┘ │
│ │ │
│ ┌──────────────┼──────────────┐ │
│ │ Routes: │ │ │
│ │ • Local │ (labels) │ │
│ │ • Remote │ (YAML files)│ │
└──────────┼──────────────┼──────────────┼────────────────────────┘
│ │ │
│ HTTP (internal network) │
│ No SSL/TLS encryption │
▼ ▼ ▼
┌─────────────────────────────────────────┐
│ ADDITIONAL SERVER (e.g., Pi) │
│ ┌──────────┐ ┌───────┐ ┌──────────┐ │
│ │ Sablier │ │ Media │ │ Exposed │ │
│ │ (lazy │ │ Apps │ │ Ports │ │
│ │ loading) │ │ │ │ 5001, │ │
│ └──────────┘ └───────┘ │ 8085... │ │
└────────────────────────────┼──────────┘
│
Direct port access
(no local reverse proxy)
Traffic Flow Summary
- Internet → Core: HTTPS (ports 80/443 forwarded from router)
- Core → Additional: HTTP (internal network, no encryption needed)
- Additional → Core: HTTP (direct response to core Traefik)
Deployment Process
Step 1: Deploy Core Server
On the core server, run ez-homelab.sh
- Use Option 1 to Install Prerequisites
- Then Option 2 to Deploy Core Server
This deploys: DuckDNS, Traefik (core), Authelia, Dashboards & Infrastructure
From Dockge you can start/stop any of the stacks or containers.
Port Forwarding:
- Forward ports 80 & 443 from your router
- Only this server requires port forwarding
Step 2: Deploy Additional Server
On the additional server, run ez-homelab.sh
- Use Option 1 to Install Prerequisites
- Then Option 3 to Deploy Additional Server
This deploys: Sablier (lazy loading), Dashboards & Infrastructure
From Dockge you can start/stop any of the stacks or containers.
No Port Forwarding Required:
- Services are accessed through core server
How It Works
Traffic Flow
- User accesses https://sonarr.yourdomain.duckdns.org (HTTPS from internet)
- Core Traefik receives HTTPS request:
  - Checks Authelia for authentication (SSO)
  - Routes to additional server: http://192.168.1.100:8989 (HTTP internally)
- Additional server receives direct HTTP request:
  - Service container receives request on exposed port
  - If stopped, Sablier starts the container
  - Shows loading page while container starts
- Service responds directly back to core Traefik via HTTP, then HTTPS to user
Key Points
- External Traffic: Always HTTPS (SSL/TLS encrypted)
- Internal Traffic: Always HTTP (no encryption needed on local network)
- No Double Encryption: Core Traefik terminates SSL, forwards plain HTTP internally
Service Registration
When you deploy an additional server:
- Services are deployed with exposed ports (no Traefik labels)
- Core server creates YAML route files pointing to IP:PORT
- Core Traefik loads routes automatically
- Services become accessible at https://servicename.hostname.yourdomain.duckdns.org
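A route file of the kind described above, for the Sonarr example from the Traffic Flow section. This is an added example, not the file that ez-homelab.sh generates. The router and service name `sonarr-remote`, the entry point `websecure`, the certificate resolver `letsencrypt` and the middleware reference `authelia@docker` are assumptions; substitute the names used in your core Traefik configuration.

```yaml
# Constructed example: a core-server Traefik file-provider route for a
# service running on an additional server.
# Assumed names (not from this guide): router/service "sonarr-remote",
# entry point "websecure", certificate resolver "letsencrypt",
# middleware "authelia@docker".
http:
  routers:
    sonarr-remote:
      rule: "Host(`sonarr.yourdomain.duckdns.org`)"
      entryPoints:
        - websecure              # HTTPS entry point; TLS terminates on the core server
      middlewares:
        - authelia@docker        # SSO check; a router without this list is served unauthenticated
      service: sonarr-remote
      tls:
        certResolver: letsencrypt

  services:
    sonarr-remote:
      loadBalancer:
        servers:
          # Plain HTTP to the port exposed on the additional server
          - url: "http://192.168.1.100:8989"
```

Authelia is applied per router, so each remote route file needs the middleware entry. It covers only requests that arrive through the core server, because the backend port on 192.168.1.100 is exposed directly.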
Key Benefits
- Simplified Architecture: No local Traefik on additional servers
- Direct Port Access: Services expose ports directly (no reverse proxy overhead)
- Centralized Access: All services accessed through one domain
- Unified SSO: Authelia on core server protects all services
- Local Lazy Loading: Sablier manages containers on each server independently
Performance Considerations
- Latency: Direct routing (core → service) minimizes hops
- Resource Usage: Additional servers run only Sablier (~50MB) - no Traefik needed
- Scalability: Can add unlimited additional servers without complexity
- Network: Internal 1Gbps+ recommended between servers
- Deployment Speed: Additional servers deploy in ~2 minutes (vs 5-10 with local Traefik)