Service many domains from one (secure) place

A guide to moving services to multiple s(ub)domains behind a single IP

So carrying on from yesterday's work getting https redirection working, today I decided I wanted to move all my 'home' services onto a new domain, so I can use to house this hot mess of a blog. In the old world I had a plain HTML landing page, and it had a sea of links connecting you to the relevant ports forwarded off my home router wherever the service actually lives. This meant the journey was:

human -> router -> html  -> pick-and-click ->
human -> router:port -> nat-ted to the remote host

It's not pretty, so I decided I should instead run a bunch of subdomains, like for Home Assistant, and route them via nginx reverse proxy to the correct endpoints, no matter where they were. I already have the wildcard cert from earlier, which should allow me to do ssl offload at the front and this would also bury the port-in-the-url nonsense where you didn't need to see it :)

So I set up the new domain, and alias'ed all the subdomains to it. I then just need to get nginx to respond to them all. I started with HASS, using first the usual 301 to push the connection over to https, simple enough.

Then I proxied it to a local IP and port; this worked perfectly, which was moderately surprising. Here's the server stanza:

server {

    # Enable HTTP/2
    listen 443 ssl http2;

    server_name hass.<domain>.com;

    ssl_certificate      /opt/nginx/certs/live/<dir>/fullchain.pem;
    ssl_certificate_key  /opt/nginx/certs/live/<dir>/privkey.pem;

    location / {
        # Pass the original Host header and the client address to the back end
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://<internal-ip>:8123;
    }
}

I'm passing real IP headers because the back end is non-SSL (don't @ me), and this can be used for traffic analysis.

This host running nginx (in docker) also runs other containers I want to connect to from the outside world. I changed the config to proxy to http://localhost:<port> which didn't work. Today I learned that nginx out of the box doesn't like proxying to localhost but will talk to just peachy. I did not yet learn why, but I'm guessing it's a resolution problem somewhere.

I then did this 6 times in total, and I also did not learn how to do this more automagically. I'm sure there must be a way, so I'll take a look at that when I'm next itchy for something to do.
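
One way to avoid repeating the stanza for every service, shown as an added example and not the author's own configuration: a single wildcard server block whose back end is chosen by a `map` on the requested hostname. The `example.com` hostnames, the private IPs and the ports are constructed placeholders; because the wildcard DNS record and wildcard certificate send every subdomain to nginx, names that are not in the map are refused instead of being proxied anywhere.

```nginx
# Added example: place inside the http { } context.
# Hostnames, addresses and ports below are constructed placeholders.

# Allow-list of public hostname -> back end. $host is already lower-cased
# and has any port stripped. Unlisted names map to the empty string.
map $host $backend {
    default               "";
    hass.example.com      192.168.0.10:8123;
    grafana.example.com   192.168.0.11:3000;
    files.example.com     192.168.0.12:8080;
}

# Plain HTTP: push every subdomain over to HTTPS with a 301.
server {
    listen 80;
    server_name *.example.com;
    return 301 https://$host$request_uri;
}

# One TLS-terminating block for all subdomains, using the wildcard cert.
server {
    listen 443 ssl http2;
    server_name *.example.com;

    ssl_certificate      /opt/nginx/certs/live/<dir>/fullchain.pem;
    ssl_certificate_key  /opt/nginx/certs/live/<dir>/privkey.pem;

    location / {
        # Unknown subdomain: close the connection without sending a response.
        if ($backend = "") {
            return 444;
        }
        proxy_set_header Host $host;
        # The back end should only trust this header when it comes from the proxy.
        proxy_set_header X-Real-IP $remote_addr;
        # Values in the map are IP:port literals, so no resolver is needed.
        proxy_pass http://$backend;
    }
}
```

Adding a service then means adding one line to the `map`; `nginx -t` checks the result before a reload.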