this post was submitted on 02 Jul 2026
113 points (95.2% liked)
Selfhosted
I recommend you make A and AAAA records for the top level domain you own, and then set the needed subdomains (or a single wildcard) as CNAME entries.
example.com points to your IP addresses, and the subdomains point then to your top level name.
This avoids you having to point a new IP at multiple places (be it manually or by dyndns) when/if your public IP changes.
Then you can set up a reverse proxy (caddy for example, it comes with automatic TLS), bind ports 80 and 443 to it, and route the traffic based on the domain name a client is trying to connect to.
So jellyfin.example.com would lead to your reverse proxy which would forward it somewhere internally, say 192.168.1.10:8096 for example.
This way you can use one top level domain for multiple services, and not have to specify ports when connecting externally.
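The layout described in this comment (apex A/AAAA records, a wildcard CNAME for subdomains, one reverse proxy on ports 80 and 443 routing by hostname), written out as a Caddyfile. This is an added example, not the commenter's own configuration; the hostnames, the internal addresses and the caddy-dns/cloudflare plugin are assumptions.

```caddyfile
# Added example. Assumes: example.com has A and AAAA records pointing at the
# public IP, *.example.com is a CNAME to example.com, and this Caddy instance
# owns ports 80 and 443. Use ONE of the two layouts below; they are shown
# together only for comparison.

# Layout A: one site block per hostname. Caddy obtains a separate certificate
# for each name via the HTTP-01/TLS-ALPN-01 challenge, so a leaked key for one
# service does not affect the others (the "separate certificates" setup).
jellyfin.example.com {
	reverse_proxy 192.168.1.10:8096
}

nextcloud.example.com {
	reverse_proxy 192.168.1.20:80
}

# Layout B: a single wildcard certificate for *.example.com. Wildcards need the
# DNS-01 challenge, so this requires a Caddy build with a DNS-provider plugin
# (caddy-dns/cloudflare assumed here). CF_API_TOKEN should be a token limited
# to editing DNS in this one zone; Caddy only needs it to create TXT records.
*.example.com {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}

	@jellyfin host jellyfin.example.com
	handle @jellyfin {
		reverse_proxy 192.168.1.10:8096
	}

	@nextcloud host nextcloud.example.com
	handle @nextcloud {
		reverse_proxy 192.168.1.20:80
	}

	# Every other name under the wildcard resolves to this proxy too, so close
	# those connections instead of forwarding them to some default backend.
	handle {
		abort
	}
}
```

With layout A, adding a service is still a one-line change here and no DNS change at all, because the wildcard CNAME already covers the new hostname. Layout B trades the per-host certificates for one key that every subdomain shares, which is the security trade-off the thread goes on to discuss.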
I kept all my certificates separate - have I been wasting time with 15 subdomains each with their own cert and A record? I have wondered. And then set in my reverse proxy a single domain.tld cert for each entry? TIA.
I wrote bash scripts to run via cron to keep my IPs updated, using Cloudflare API. It's probably useful to other folk but as I used to need just v4 addresses I made one separate script for v4 IPs, v6 IPs and proxied, but it wouldn't take long to combine. Here's my v4:
A single wildcard CNAME that points to your domain's A record is easier to manage I would say. This comes in handy when you add a new service to your stack, as you don't have to go and make a new subdomain record.
You already seem to manage all subdomain updates with that script, so it won't help you much with dyndns. That is, unless you hit a rate limit when trying to update a very large amount of records at once.
Keeping separate TLS certificates is a separate topic from having a single wildcard CNAME record. Separate TLS certificates offer a slight security advantage over a wildcard cert, as a single leaked certificate secret won't compromise the rest of your sites.
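An illustration of the dyndns script discussed above, combining the v4 and v6 cases that the earlier commenter kept in separate scripts. This is an added example and not the commenter's script; it assumes `curl` and `jq` are installed, that the public address is read from Cloudflare's `cdn-cgi/trace` endpoint, and that the Cloudflare API token is scoped to DNS edits on the one zone. Because the subdomains are CNAMEs, only the apex A and AAAA records are ever touched, so the number of API calls stays constant no matter how many services sit behind the proxy.

```shell
#!/bin/sh
# Added example: update the apex A and AAAA records at Cloudflare when the
# public IP changes. Subdomains are wildcard CNAMEs, so nothing else needs
# updating. Environment: CF_API_TOKEN (DNS:Edit on this zone only),
# CF_ZONE_ID, and optionally APEX (defaults to the constructed example.com).

APEX=${APEX:-example.com}

# Decide which record type an address belongs to (pure, no network).
record_type_for_ip() {
	case "$1" in
		*:*) echo AAAA ;;
		*)   echo A ;;
	esac
}

# Reject anything that is not shaped like an IP before it is interpolated
# into a URL or a JSON body: the address comes from an external HTTP reply
# and must not be trusted blindly.
valid_ip() {
	case "$(record_type_for_ip "$1")" in
		A)    printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' ;;
		AAAA) printf '%s' "$1" | grep -Eq '^[0-9a-fA-F:]{2,39}$' ;;
	esac
}

# Assumption: www.cloudflare.com/cdn-cgi/trace answers with an "ip=" line.
# Any IP-echo service works here. $1 is 4 or 6 and selects the address family.
public_ip() {
	curl -"$1" -sS --max-time 10 https://www.cloudflare.com/cdn-cgi/trace |
		sed -n 's/^ip=//p'
}

# Thin wrapper around the Cloudflare v4 API: method, path, optional JSON body.
cf_api() {
	curl -sS -X "$1" "https://api.cloudflare.com/client/v4$2" \
		-H "Authorization: Bearer $CF_API_TOKEN" \
		-H "Content-Type: application/json" \
		${3:+--data "$3"}
}

# Look up the existing record of the given type, patch it only if the
# content actually differs (fewer writes, which also keeps well clear of
# API rate limits).
update_apex_record() {
	rtype=$1
	ip=$2
	valid_ip "$ip" || { echo "refusing to publish malformed address '$ip'" >&2; return 1; }
	lookup=$(cf_api GET "/zones/$CF_ZONE_ID/dns_records?type=$rtype&name=$APEX")
	rec_id=$(printf '%s' "$lookup" | jq -r '.result[0].id // empty')
	current=$(printf '%s' "$lookup" | jq -r '.result[0].content // empty')
	if [ -z "$rec_id" ]; then
		echo "no $rtype record for $APEX found in zone $CF_ZONE_ID" >&2
		return 1
	fi
	if [ "$current" = "$ip" ]; then
		echo "$rtype $APEX is already $ip"
		return 0
	fi
	cf_api PATCH "/zones/$CF_ZONE_ID/dns_records/$rec_id" "{\"content\":\"$ip\"}" |
		jq -e '.success' >/dev/null && echo "$rtype $APEX: $current -> $ip"
}

# Handle both families in one run; a host without IPv6 simply skips that half.
run_updates() {
	for family in 4 6; do
		ip=$(public_ip "$family") || { echo "no public IPv$family address, skipping" >&2; continue; }
		[ -n "$ip" ] || continue
		update_apex_record "$(record_type_for_ip "$ip")" "$ip"
	done
}

if [ -n "${CF_API_TOKEN:-}" ] && [ -n "${CF_ZONE_ID:-}" ]; then
	run_updates
else
	echo "set CF_API_TOKEN and CF_ZONE_ID (and optionally APEX) to run the update" >&2
fi
```

Run it from cron as a dedicated unprivileged user with the two variables in that user's environment file rather than on the command line, so the token does not show up in the process list. The validation step matters more than it looks: the script turns the body of an HTTP response into an authoritative DNS change, so it should only ever accept something that parses as an address.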