Subpaths are things of the past (kinda) ! SSL wildcards are going to be a life saver in your homelab !
I have a self-signed rootCA + intermediateCA which are signing all my certificates for my services. But wait... It can get easier just put a wildcard domain for your homelab (*.home.lab) and access all your services in your lan with a DNS provider (pihole will be your friend!).
Here is an very simplified example:
-
Create a rootCA (certificate authority) and put that on every device (Pc, laptop, android, iphone, tv, box...)
-
Sign a server certificate with that rootCA for the following wildcard domaine: *.home.lab and put that behind a reverse proxy.
-
Add pihole as DNS resolver for your local domain name (*.home.lab) or if you like you can manually add the routes on all devices... But that"s also a thing of the past !
-
Let your proxy handle your services
Access all your services with the following url in your lan
This works flawlessly without the need to pay for any domain name, everything is local and managed by yourself. However, it's not that easy as stated above... OpenSSL and TLS certificates are a beast to tame and lots of reading ^^ so does Ngnix or any other reverse proxy !
But as soon as you get the hang of it... You can add a new services in seconds :) (specially with docker containers !)
Sorry I didn't respond earlier :S !
I'm not entirely sure if I get what you mean here. If you have a central DNS resolver like pihole In your LAN it can resolve to whatever is there. I have a pihole which resolve to itself (can access it as pihole.home.lab) and resolves to my server's reverse proxy, which handles all the port shenanigan and services hosted on my server. I think I can try to make a diagram to show how it works in my LAN right now, not sure if this can be helpful by any mean, but this would allow me to have a more visual feedback of my own LAN setup :P. However, I do use Traefik as my reverse proxy for my docker containers, so I won't apply to nginx and I'm not sure if this is possible (It probably is, but nginx is a mystery for me xD)
Your proxy should handle all the port things. Your proxy listens to all :80 :443 Incoming traffic and "routes" to the corresponding service and it's ports.
While I do have my self-learned self-hosted knowledge, I'm not an IT guy, so I may be mistaken here and there. However, I can give you a diagram on How it works on my setup right now and also gift you a nice ebook to help you setup your mini-CA for your lan :)