Access to applications
Most container applications have subdomains that can be used from both the internet and the home network. This improves usability, as you don't need to remember IPs and ports. Cloudflare's SSH browser rendering also has its own subdomains.
The central part of the solution is HAProxy, which forwards traffic to the different container applications. Traffic related to Cloudflare's SSH browser rendering doesn't go to HAProxy.
If the user is on the public internet or using the Cloudflare WARP client...
- the authoritative DNS for the kotimme.cc domain is Cloudflare DNS
- DNS directs traffic to Cloudflare tunnel ("CNAME IN .cfargotunnel.com")
- the tunnel leads to the cloudflared application running in a Docker container
- the cloudflared application directs traffic to HAProxy, which runs in the same Docker network
- HAProxy resolves the correct backend based on its configuration
If the user is on the home network...
- the authoritative DNS for the kotimme.cc domain is Technitium DNS
- Technitium DNS has a conditional forwarder zone that specifies A records for all subdomains except the subdomains of Cloudflare's SSH browser rendering
- Technitium DNS directs traffic straight to HAProxy. Requests for the SSH subdomains are forwarded to Cloudflare DNS
- HAProxy resolves the correct backend based on its configuration
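An added example, not part of the original page or of this setup's own tooling: a Python check that an export of the internal zone follows the home-network rules above (every application name points at HAProxy, SSH names have no local record). The HAProxy address, the subdomain names and the one-record-per-line export format are assumptions.

```python
"""Audit an internal split-horizon zone against the layout described above."""

HAPROXY_IP = "192.0.2.10"        # assumed HAProxy address (documentation range)
SSH_NAMES = {"ssh.kotimme.cc"}   # assumed SSH browser rendering subdomain
EXPECTED_APPS = {"app1.kotimme.cc", "app2.kotimme.cc", "app3.kotimme.cc"}  # assumed

# Constructed zone export, one "name type value" record per line.
SAMPLE_ZONE = """
; internal conditional forwarder zone (constructed sample)
app1.kotimme.cc.  A  192.0.2.10
APP2.kotimme.cc   A  192.0.2.23
ssh.kotimme.cc    A  192.0.2.10
"""

def parse_zone(text):
    """Return (name, rtype, value) tuples, names lower-cased and dot-stripped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"unparseable record: {line!r}")
        name, rtype, value = parts
        records.append((name.lower().rstrip("."), rtype.upper(), value))
    return records

def audit(records, haproxy_ip=HAPROXY_IP, ssh_names=SSH_NAMES, expected=EXPECTED_APPS):
    """Return sorted findings where the zone departs from the documented design."""
    findings = []
    seen = set()
    for name, rtype, value in records:
        seen.add(name)
        if name in ssh_names:
            # SSH names need no local record so they are forwarded to Cloudflare DNS.
            findings.append(f"{name}: local {rtype} record shadows Cloudflare DNS")
        elif rtype != "A" or value != haproxy_ip:
            # Every other name must resolve to HAProxy, not straight to a container.
            findings.append(f"{name}: {rtype} {value} bypasses HAProxy")
    for name in expected - seen:
        # Names missing from the zone are forwarded, like the SSH names.
        findings.append(f"{name}: no local A record, resolved by Cloudflare DNS")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_zone(SAMPLE_ZONE)):
        print(finding)
```

An empty result means the internal zone matches the described design; each finding names a subdomain whose home-network path differs from it.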
External sources