this post was submitted on 10 Jan 2025
82 points (95.6% liked)

Selfhosted

41084 readers
265 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
82
How do you handle SSL certs and internet access in your setup? (lemmy.world)
submitted 4 days ago* (last edited 4 days ago) by [email protected] to c/[email protected]
99 comments fedilink hide all child comments
 

tldr: I'd like to set up a reverse proxy with a domain and an SSL cert so my partner and I can access a few selfhosted services on the internet but I'm not sure what the best/safest way to do it is. Asking my partner to use tailsclae or wireguard is asking too much unfortunately. I was curious to know what you all recommend.

I have some services running on my LAN that I currently access via tailscale. Some of these services would see some benefit from being accessible on the internet (ex. Immich sharing via a link, switching over from Plex to Jellyfin without requiring my family to learn how to use a VPN, homeassistant voice stuff, etc.) but I'm kind of unsure what the best approach is. Hosting services on the internet has risk and I'd like to reduce that risk as much as possible.

  1. I know a reverse proxy would be beneficial here so I can put all the services on one box and access them via subdomains but where should I host that proxy? On my LAN using a dynamic DNS service? In the cloud? If in the cloud, should I avoid a plan where you share cpu resources with other users and get a dedicated box?

  2. Should I purchase a memorable domain or a domain with a random string of characters so no one could reasonably guess it? Does it matter?

  3. What's the best way to geo-restrict access? Fail2ban? Realistically, the only people that I might give access to live within a couple hundred miles of me.

  4. Any other tips or info you care to share would be greatly appreciated.

  5. Feel free to talk me out of it as well.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 21 points 4 days ago (3 children)

Caddy with cloudflare support in a docker container.

[–] [email protected] 7 points 4 days ago

This the solution.

Caddy is simple.

[–] [email protected] 1 points 3 days ago (1 children)

Does Caddy have an OWASP plugin like nginx?

[–] [email protected] 2 points 3 days ago

I don't use it, but it looks like yes.

https://github.com/corazawaf/coraza-caddy

[–] [email protected] 1 points 4 days ago (3 children)

I currently have a nginx docker container and certbot docker container that I have working but don't have in production. No extra features, just a barebones reverse proxy with an ssl cert. Knowing that, I read through Caddy's homepage but since I've never put an internet facing service into production, it's not obvious to me what features I need or what I'm missing out on. Do you mind sharing what the quality of life improvements you benefit from with Caddy are?

[–] [email protected] 6 points 4 days ago (1 children)

Honestly, if you know nginx just stick with it. There's nothing to be gained by learning a new proxy.

Use Mozilla's SSL generator if you want to harden nginx (or any proxy you choose)- https://ssl-config.mozilla.org/

[–] [email protected] 3 points 4 days ago

I didn't know about that tool. Thanks for sharing

[–] [email protected] 2 points 3 days ago

What caddy does are automatic certs. You set up your web-portal and make a wildcard subdoman that points to your portal. Then you just enter two lines in the config and your new app is up. Lets say you want to put your hone assistant there. You could add hass.portal.domain.tld {reverse_proxy internal.ip:8123 } and it works. Possible with other setups too, but its no hassle

[–] [email protected] 2 points 4 days ago

I never went too far down the nginx route, so I can't really compare the two. I ended up with caddy because I self-host vaultwarden and it really doesn't like running over http (for obvious reasons) and caddy was the instruction set I found and understood first.

I don't make a lot of what I host available to the wider internet, for the ones that I do, I recently migrated to using a Cloudflare tunnel to deal with the internet at large, but still have it come through caddy once it hits my server to get ssl. For everything else I have a headscale server in Oracle's free tier that all my internal services connect to.