Connecting Remotely - Clearnet

Use Case

This connection method permits hosting a service interface on the public Internet.

Adding a Public Domain

With few exceptions, you should add a domain to your service interface so that you and others can access it seamlessly, just like any other website or API.

  1. On the service interface page in the "Public Domains" section, click "Add".

  2. Enter the fully qualified domain name. For example, if you control domain.com, you could enter domain.com or public.domain.com or nextcloud.public.domain.com, etc.

  3. Select a gateway to use for this domain. For help selecting a gateway, see Gateways.

  4. Select a Certificate Authority to use for this domain.

    Warning

    If you select your server's Root CA, only devices that have downloaded and trusted your server's Root CA will be able to access the domain without issue.

    If you want other devices to reach this domain without issue, you should select Let's Encrypt from the dropdown. To add Let's Encrypt to your list of available Certificate Authorities, follow the instructions.

  5. Click "Save".

  6. If StartOS does not detect a satisfactory DNS record, you will be asked to create one. Continue to the section below.

  7. A new https://<your-public-domain> address will appear in the "Addresses" table.

Configuring DNS

  1. Access your domain's DNS settings, usually in the registrar where you originally leased the domain.

  2. In StartOS, find your domain, click "View DNS" from the menu, and create one of the displayed records. Depending on the number of subdomains in your domain, you may see multiple options. For example, if your domain is nextcloud.public.domain.com, you will see options for nextcloud.public.domain.com, *.public.domain.com, and *.domain.com. In most cases, we recommend choosing the record with the fewest segments, in this case *.domain.com. That way, the next time you use any subdomain of domain.com, you will not need to create another DNS record.

  3. Click "Test" to ensure the record was successfully detected by StartOS.

    Warning

    It might take a few minutes for your domain changes to take effect. You can test it using https://dnschecker.org.
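The record options described in step 2, and which hostnames each one answers for, worked through as an added example (not StartOS code). The function names and the `zone` parameter (the domain you control) are assumptions made for illustration, and the wildcard matching is simplified to a zone with no other, more specific records.

```python
import socket

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def candidate_records(host, zone):
    """Exact name first, then one wildcard per parent level down to `zone`."""
    h, z = labels(host), labels(zone)
    if h[-len(z):] != z:
        raise ValueError(f"{host} is not inside {zone}")
    wildcards = ["*." + ".".join(h[i:]) for i in range(1, len(h) - len(z) + 1)]
    return [".".join(h)] + wildcards

def fewest_segments(records):
    """The page's recommendation; on a tie, min() keeps the more specific record."""
    return min(records, key=lambda r: len(labels(r)))

def covers(record, host):
    """True if a lookup for `host` would be answered by `record`.
    Simplified: assumes no more specific record exists in the zone."""
    r, h = labels(record), labels(host)
    if r[0] != "*":
        return r == h
    parent = r[1:]
    # A wildcard answers names below its parent, at any depth, never the parent itself.
    return len(h) > len(parent) and h[-len(parent):] == parent

def resolves_to(host, expected_ip):
    """Live check (needs network): does `host` resolve to the gateway's public IP?"""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False
    return expected_ip in {info[4][0] for info in infos}

if __name__ == "__main__":
    host, zone = "nextcloud.public.domain.com", "domain.com"  # names from the page
    options = candidate_records(host, zone)
    choice = fewest_segments(options)
    print("options:", options)
    print("choice: ", choice)
    # Constructed hostnames showing what the chosen record exposes.
    for name in (host, "anything.domain.com", "a.b.c.domain.com", "domain.com"):
        print(f"{name:32} covered={covers(choice, name)}")
```

A wildcard such as *.domain.com answers for every name below domain.com, including ones you never added to StartOS, but not for domain.com itself. Once the record has propagated, `resolves_to(host, "<your gateway's public IP>")` confirms the name points where you expect.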

Port Forwarding

Note

Port forwarding is only necessary for private gateways, such as your router or StartTunnel. If you are running StartOS on a VPS, no port forwarding is needed.

To expose your PUBLIC_IP:port or domain address to the Internet, you must create a port forwarding rule in its corresponding gateway. The rule that needs to be created is conveniently displayed in the tooltip for each address.

Caution

  1. ACME providers will not sign certificates for IP addresses. Therefore, the PUBLIC_IP:port address is signed by your server's Root CA. This means only devices that have downloaded and trusted your server's Root CA will be able to access the IP address without issue.
  2. Because of the need to trust your Root CA, and also because it is accepted practice to host websites and APIs on domains (.com, .net, etc.) and not IP addresses, most people will NOT use this PUBLIC_IP:port address and therefore DO NOT need to create a port forwarding rule for it.

Tip

Most websites and APIs on the Internet are hosted on port 443. Port 443 is so common, in fact, that apps and browsers infer its presence. The absence of a port means the port is 443. With rare exceptions, domains on StartOS also use port 443, and that is why your domains usually do not display a port. The port forwarding rule needed for these standard domains is always the same, which means you only have to do it once!

How you create a port forwarding rule depends on the type of gateway.