Trying to understand Access Lists (over DynDNS)

[KlaBra16F1]

Hi folks!

I'm using NPM to run some webservices that I can't host on my public webserver (no docker available).
So I have one Kroki-Server for my gitlab and a Whiteboard-Server for my nextcloud all with LetsEncrypt SSL and reachable over DynDNS with port-forwarding from my router to my NAS.

Something like this:

flowchart LR
    Router
    subgraph NAS
        direction TB
        NAS-Ports
        subgraph docker
            direction TB
            NPM
            Kroki
            wb[Whiteboard-Server]
            NPM <-.Port 8000.-> Kroki
            NPM <-.Port 8081.-> wb
        end
    end
    Router <-.Port-Forward<br>Port 80<br>Port 443.-> NAS-Ports
    NPM <-.Port 80<br>Port 443.-> NAS-Ports

Loading

So far so good but...

But I would like make these services only available to those domains they are working for and not to the whole internet.

Using the access list only works, when I allow my DynDNS IP but then the services are open to anybody. Restricting access list to only the IP of my nextcloud or gitlab servers make them unavaiable to anybody. Combining Whitelist rules isn't possible and most of the nginx server configs that I tried so far (in the advances tab) only gave me red offline dots or had not the intended effect yet.

I'd really appreciate every hint in the right direction. Ideally a solution that is working with domains rather than IP adresses