Deploying a platform
Posted by twistedproton@reddit | sysadmin | View on Reddit | 8 comments
I’ve been lurking here for a few years, and this is my first question.
We’ve built a platform for a healthcare company consisting of a mobile app, an admin dashboard, and an API. The API and dashboard will be deployed under subdomains like:
api.company.com
admin.company.com
The challenge is that the company has provisioned the VPS inside their internal network (i.e. it has a private IP like 192.168.x.x). I know I can access it via VPN, and we’re using Dokploy to manage deployments.
My question is: how would you install and run Dokploy in this setup while still routing traffic from the public internet to the internal server?
I assume their sysadmins already have a solution, but I’d like to understand how I would approach this myself.
During development, we hosted everything on a Hetzner VPS, so it was straightforward. Dokploy requires port 3000 for initial setup, which can be disabled after assigning a custom domain.
This leads to a few additional questions
How would we handle SSL certificates, given that the server cannot communicate externally with Let’s Encrypt?
We also need to send emails from the applicatio how can we route outgoing mail traffic without turning the internal VPS into a mail server?
One approach Ive considered is using a load balancer with a public IP to route traffic to the internal server, but I’d appreciate a deeper discussion on possible architectures and best practices. where are the footguns and gotchas
tejaswiniaddanki@reddit
This is a pretty common setup when everything sits inside a private network.
Usually you’d put something public in front of it — like a reverse proxy or load balancer with a public IP — and route traffic from there into your internal VPS over private networking or VPN.
For SSL, since the internal server can’t reach Let’s Encrypt directly, you can terminate SSL at the public layer (proxy/load balancer) and forward traffic internally over HTTP, or handle cert generation externally and sync it.
For outgoing emails, it’s better not to turn your VPS into a mail server — using something like an external SMTP provider (SendGrid, SES, etc.) works much cleaner.
The main “gotchas” I’ve seen are around networking rules, port exposure, and making sure background services still work correctly behind the proxy.
If you’re already using Dokploy, getting that initial access via the public layer and then locking it down after setup usually works fine.
Happy to take a closer look if you want to walk through your setup.
EndpointWrangler@reddit
The cleanest approach is a reverse proxy (nginx or Caddy) on a public-facing server that forwards traffic to the internal VPS over VPN, handles your SSL termination with Let's Encrypt on the public side, keeps the internal server private, and for email just use SendGrid or AWS SES via API rather than touching SMTP routing at all.
cyr0nk0r@reddit
If you only need to expose 80 and 443 a cloudflare tunnel is a great solution.
Adam_Kearn@reddit
You can still do let’s encrypt via DNS by adding a TXT record that’s publicly facing.
You could setup an nginx proxy and allow this ONLY on your firewall using port 443
This will then point to the other services running on different ports locally.
Then it’s only one thing that’s port forwarded and a single place to manage SSL certs.
I would recommend using tools like win-acme or certbot to make the SSL renewal automatic on schedule task
disclosure5@reddit
There's a lot of moving parts here and ideally you'll hire someone who knows how to do all that.
In the absence of that option, honestly just tell them it's an app designed to go on the internet and not inside a network. If you've built a "mobile app" and you're asking these questions you're not in a position to be dealing with VPNs on people's personal devices (it's a healthcare company, there's zero chance this won't happen). And if you need to ask about internal CAs, you're unlikely to have a good time.
twistedproton@reddit (OP)
They have people who will help us go through this. I'm glad they have experienced people around. I'll update what they come up with. We won't be installing vpns on people's devices, that would be awful from a CX perspective. What is CA in this context? I read it as certificate authority
SevaraB@reddit
The point is if you’re deploying a mobile app to their internal network. If you have to VPN into their network to deploy it, the users with the mobile devices will have to VPN in to reach it after it’s deployed. Healthcare professionals are known for having some of the lowest patience for technical roadblocks like “wasting time” on VPN connections.
This whole thing is a recipe for horrible customer UX and eventual non-renewal unless you can talk the customer into letting you deploy on hardened public cloud infrastructure with appropriate security controls.
Turbulent-Boat-1835@reddit
Even if the server is on a internal network you can still expose it to the internet for Let's encrypt certificates, if that's not an option they can setup let's encrypt via DNS challenge.
They probably already have an internal SMTP server you can use for sending emails, I would ask them about that.
They also probably have an established way of exposing webapps from their internal/dmz network to the public. If they don't then cloudflare waf + tunnels is probably the easiest way to expose it to be public, that way you get automatic certificates aswell.