this post was submitted on 20 Dec 2024
39 points (93.3% liked)

Selfhosted

40696 readers
455 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 
  • Use cloudflare to get an api token
  • Set an a record for a wildcart cert *.domain.com pointing towards your servers local IP such as 192.168.0.1, turn off cloudflare proxy
  • Go into NPM and setup the SSL cert using dns challenge and your api token
  • setup a proxy host user your subdomain.domain.com pointing towards your docker container
  • key step!!!! make sure you do not have conflicting ports 80 and 443 on your machine. On unraid the device management ports are set to this, but for NPM to do local proxies, it needs access to these ports.
top 13 comments
sorted by: hot top controversial new old
[–] ArbiterXero@lemmy.world 13 points 2 days ago (1 children)

Or you can do the dns challenge for letsencrypt

[–] ComradeMiao@lemmy.dbzer0.com -2 points 2 days ago (1 children)

I am using letsencrypt on NPM. You mean only locally?

[–] theit8514@lemmy.world 6 points 2 days ago

The DNS-01 challenge can be used to generate a wildcard by creating the requested dns record in your public dns zone, then you can use that cert for internal servers/dns. With certain dns providers it can even be automated.

https://eff-certbot.readthedocs.io/en/stable/using.html#third-party-plugins

[–] 2xsaiko@discuss.tchncs.de 9 points 2 days ago* (last edited 2 days ago)

This seems super overcomplicated. What I would do is put all the subdomains on the public DNS, let HTTP(S) through the firewall for the respective hosts, deny everything from outside of your local network on the http server that isn’t under the HTTP challenge path and then run the HTTP challenge as you would for a public site.

Then you can get certs, everyone outside trying to access will get 403, and inside the network you can access as normal.

Of course you’ll have to trust your http server’s ACL for that, but I’m just going to assume servers like nginx (which I use) have a reliable implementation.

[–] emax_gomax@lemmy.world 4 points 2 days ago (1 children)

I would recommend just using caddy. It removes the complicated part of ssl management. For a local network it'll setup a local self signed certificate authority and you can just install those certificates to any devices on your LAN that you want to have access. For a public setup it'll use letsencrypt. You will still need to setup dns if you want wildcard routing.

[–] vividspecter@lemm.ee 1 points 1 day ago (1 children)

If you want to use DNS challenge with Caddy it's kind of annoying though (need to download/compile a separate version with the DNS plugin you need).

Which is probably a good idea if you don't plan to expose the services publicly but want a real certificate to avoid self-signed cert warnings.

[–] emax_gomax@lemmy.world 1 points 1 day ago

I've never had this issue but I run basically everything through docker and presumably it bundles this by default.

[–] solrize@lemmy.world 5 points 2 days ago (1 children)

Proxy host out on the public internet? Usually I just use a local private CA for this, and install the CA root in my browser.

[–] ComradeMiao@lemmy.dbzer0.com 1 points 2 days ago (1 children)

Cloudflare is only providing the letsencrypt cert.

Could you explain/link your method? :)

[–] solrize@lemmy.world 5 points 2 days ago

I don't bother with a proxy host or with LetsEncrypt, though I guess you could use LetsEncrypt perfectly well. Back when I was doing this, LetsEncrypt didn't exist and you had to actually pay for public certificates, so using locally generated free ones saved money. It also had a minor(?) security advantage in that if the private server key somehow leaked, it wouldn't let people impersonate our internet domain.

For the private CA I simply used the crappy CA.pl script that comes with OpenSSL or did at the time. There are much better ways to do it, especially at any kind of scale, but CA.pl sufficed dealing with a few development machines.

[–] Tinkerer@lemmy.ca 3 points 2 days ago (1 children)

I'm running cloudflare and NPM, I did a DNS challenge to get my wildcard cert, then put in access lists so for my internal hosts only private IP address subnet can access them. I have my OPNsense firewall also redirect any of those internal hosts request back to my NPM host. I have everything internal with a valid https cert.

[–] ComradeMiao@lemmy.dbzer0.com 1 points 2 days ago (1 children)

Sounds like the same thing except for access list. I was unsuccessful those working oreviously

[–] Tinkerer@lemmy.ca 1 points 2 days ago

Ah yeah I'm trying to move to podman for NPM and the access lists don't work for some reason. On docker though it works very well