I explained why. Misconfiguration and caching.


You would also need to clear your device’s DNS cache.


Not two A records. From what I understand, OP has an A record pointing to their public IP address (which Nginx is listening on behind a NAT). Then, on the local network, OP uses their own DNS server to ignore that entry and instead always serve the local IP when a host on the LAN queries it.
Aside from OP’s devices potentially using a different DNS server (I was only able to solve it for my stock Android by dropping outgoing DNS in my firewall), this solution is a nightmare for roaming devices like mobile phones. Such a device might cache the DNS answer while on LAN or WAN respectively and then try to continue using that address when the device moves to the other network segment.
This is the most likely scenario in my opinion - OP’s devices are ignoring the hacky DNS rewrite (either due to using a different DNS server or due to caching) and try to access the server via the public IP. This is supported by the connection timeout, which is exactly what you would see when your gateway doesn’t do loopback.


Never point your DNS at two different IP addresses like this. It will only cause you pain and unexpected behaviour.
What you are experiencing is solved by so-called “NAT reflection” or “NAT loopback”. It’s a setting that - in the optimal case - you should just be able to activate on the appropriate interface on your gateway.
If you do not have that setting or do not have access to the edge router, but only some intermediate router, you can do a nasty hack. You can point static routes to your public IP address to point at your local IP address instead. In that case, you also need to tell your server to accept packets with your public IP address as the destination.
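The two options described in the comment above, written out as an added example (not part of the thread or of any poster's setup): a Linux/netfilter gateway with hairpin NAT, and the fallback of routing the public address to the LAN host. The subnet, interface name, public address (from the 203.0.113.0/24 documentation range), server address and port are all assumed placeholders. The script only prints the commands so they can be reviewed before being run on the gateway or router.

```shell
#!/bin/sh
# Added example, not code from the thread. All values below are assumed placeholders.
LAN_NET="192.168.1.0/24"   # assumed LAN subnet
LAN_IF="eth1"              # assumed LAN-side interface of the gateway
PUBLIC_IP="203.0.113.10"   # assumed public (WAN) address the A record points at
SERVER_IP="192.168.1.20"   # assumed LAN address of the Nginx host
PORT="443"

# Option 1: NAT reflection / NAT loopback on the gateway itself.
# Prints (does not apply) the iptables rules.
nat_reflection_rules() {
  # LAN clients that address the public IP are redirected to the server's LAN IP.
  echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT"
  # Replies must come back through the gateway, so the hairpinned flow is
  # source-NATed; otherwise the server answers the client directly from its
  # LAN address and the client drops the reply as belonging to no connection.
  echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP -p tcp --dport $PORT -j MASQUERADE"
  # Forwarding of the redirected flow (LAN in, LAN out) has to be allowed.
  echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER_IP -p tcp --dport $PORT -j ACCEPT"
}

# Option 2: the "nasty hack" for when only an intermediate router is under
# your control. A host route sends traffic for the public IP to the server,
# and the server is given the public IP on its loopback so the kernel accepts
# packets addressed to it (an address on lo is not announced via ARP).
static_route_hack() {
  echo "# on the intermediate router:"
  echo "ip route add $PUBLIC_IP/32 via $SERVER_IP"
  echo "# on the server itself:"
  echo "ip addr add $PUBLIC_IP/32 dev lo"
}

echo "# Option 1 (gateway supports netfilter):"
nat_reflection_rules
echo
echo "# Option 2 (intermediate router only):"
static_route_hack
```

Option 1 is the one to prefer whenever the gateway exposes it, since the hack in option 2 breaks as soon as the public IP changes and has to be kept in sync on two devices.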


You’re right, my bad.
OP’s security concern is valid. Different CAs may differ in the challenges used to verify you to be the domain owner. Using something that you could crack may lead to an attacker’s public key being certified instead.
This could for example be the case with HTTPS verification (place a file with a specific content accessible through your URL) if the website has lacking input sanitization and/or creates files with the user’s input at an unfortunate location that collides with the challenge.
This attack vector might be far-fetched, but there can certainly be differences between different signing authorities.


Do you still need help with docker?


How close to vim’s functionality is evil mode? I’ve been toying with the idea of learning Emacs but I rely on Vim’s langmap and that is rarely implemented in Vim emulations / bindings.


You can learn Emacs in one day. Every day.


Even if you use arrows, you still have to reposition your hand.


It’s always the DNS!


Setting up synapse is particularly painful.
There are free services that let you send and receive on your own domain. I use zoho. I can send emails with SMTP, but unfortunately, you cannot read them other than by using their web interface in the free tier.


Oh yeah you’re right!


The generative fill has been around for way longer than the AI craze.


There are obsidian plugins that export into static pages.


As others said, the initial setup may consume some time, but once it’s running, it just works. I dockerize almost everything and have automatic backups set up.


neofetch proudly displaying 5 months of uptime
Just because the destination IP address is not a LAN address? That’s not misconfiguration, that’s a legitimate use of NAT reflection/loopback. If that’s how it determines who is streaming remotely then just run it behind nginx that forgets to set the correct headers.
Edit: Apparently Plex centrally relays all the traffic? Self-hosted my 🍑, it’s not self-hosted if you need to rely on their server.