this post was submitted on 07 Jun 2023
homelab

Hey all,

Hope this is the right place to be asking (Reddit refugee), but do any of you setup certs for inward facing services? For example, I run "Whoogle" on my proxmox server, which I then access from several other devices when performing searches.

The connection between my machines and that proxmox VM are not encrypted, however only my VLAN (for personal devices) is able to access it.

Is it good practice to create a certificate for those types of servers that can only be accessed within your own network, or overkill?

[–] Krafting@lemmy.world 1 points 1 year ago (1 children)

In a home environment, it's not often that someone will try to snoop on the traffic; however, a risk of 0 never exists. Personally, I've set up SSL using NGINX Proxy Manager and self-signed certificates signed with my own CA. I use a script to generate new certs if needed, so it's not too hard to do (it all uses openssl).

The only "issue" would be to put the CA on all your devices if you don't want the security warning.
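The private-CA setup Krafting describes, as an added shell example (this is not the commenter's script, which is not posted): it builds a root CA with openssl, signs a server certificate for an internal hostname carrying the subjectAltName that clients actually check, and then verifies the chain the way a device that has imported the CA would. Assumptions: openssl is on PATH, and the output directory and the hostname (video.lab.home, borrowed from a later reply in this thread) are placeholders chosen by the caller.

```shell
#!/bin/sh
# Added example, not Krafting's script: build a private CA with openssl and
# sign a server certificate for an internal hostname, then check the chain the
# way a device that has imported the CA would.
# Assumptions (placeholders for this example): openssl is on PATH; the output
# directory and the hostname (e.g. video.lab.home) are chosen by the caller.
set -eu
umask 077   # private keys are created readable by the owner only

make_internal_cert() {
    dir="$1"   # output directory, created if missing
    host="$2"  # internal hostname the certificate is issued for
    mkdir -p "$dir"

    # 1. Root CA: a self-signed certificate whose basicConstraints marks it as a CA.
    #    A config file is used instead of -addext so this also works on older openssl.
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Homelab Private CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"

    # 2. Server key and CSR. The CN alone is not enough: clients match the
    #    hostname against subjectAltName, which is stamped in at signing time below.
    cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/$host.cnf" -keyout "$dir/$host.key" -out "$dir/$host.csr"

    # 3. Sign the CSR with the CA, restricting the leaf to server use and
    #    adding the SAN for the internal hostname.
    cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt"
}

# Returns 0 only if the leaf chains to ca.crt AND its SAN matches the hostname,
# which is what a browser that trusts ca.crt checks. Verifying against a
# different hostname, or without -CAfile, fails: that failure is the
# "security warning" seen on devices that have not imported the CA.
verify_internal_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
        "$dir/$host.crt" >/dev/null 2>&1
}

# Stand-alone usage: ./make_internal_cert.sh /etc/homelab-pki video.lab.home
if [ "$#" -eq 2 ]; then
    make_internal_cert "$1" "$2"
    verify_internal_cert "$1" "$2" && echo "OK: $2 chains to $1/ca.crt"
fi
```

Only ca.crt needs to be imported into each device's trust store; the proxy host needs just its own key and certificate, and ca.key should stay off the proxy entirely, since anyone holding it can issue a certificate for any internal name the devices trust.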

[–] internet_user@lemmy.ml 1 points 1 year ago (1 children)

Gotcha. NGINX is just for serving externally usually, right? I've heard about it, but never used it. Have you heard of certbot before? I may look into it, for practice if nothing else.

[–] Krafting@lemmy.world 1 points 1 year ago (1 children)

No, it can be used internally too; it's a reverse proxy. I didn't know anything about this until I tried it! It also allows you to reach your website without ports behind it (for example video.lab.home instead of video.lab.home:8096 for Jellyfin).

Also, certbot, if I'm not mistaken, is only used for public-facing domains; for domains like .local and .home, and anything that you use to resolve domains internally, it will not work.

Except maybe if you use a real domain to point to your internal local IP, which I find too weird, but it works ahah

[–] internet_user@lemmy.ml 1 points 1 year ago (1 children)

Oooo, I'm going to have to check out NGINX then! I was thinking of adding a custom DNS entry in PiHole so that I could talk to Jellyfin directly with a URL, but I would still need the ports since DNS doesn't care about/handle port information. Thank you!

[–] Krafting@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

Yes, you'll learn a lot, like I did a few months ago! Have fun :)

Edit: The software is "NGINX Proxy Manager", to have an all-in-one solution. If you just use NGINX it might be more complicated!

[–] Lem453@lemmy.ca 1 points 1 year ago

You've got the right idea. You need to have a reverse proxy (like traefik) and a local DNS server (either pihole or something built into a router, like unbound, which is built into opnsense).

Once you have a sense of how to use the reverse proxy and the DNS server, you can watch this video as a great tutorial.

Basically you need to use a wildcard domain for anything that is not accessible over the internet.

https://youtu.be/liV3c9m_OX8

I got this setup and it works very well.

[–] Stimmed@reddthat.com 1 points 1 year ago

It is always good practice to set up certificates everywhere. I do it for all of my internal services. Each person has a different level of care for how important privacy and security are and some people have abnormal threat profiles.

With that being said, options are usually to run self-signed certificates, roll your own certificate authority for your network, or get valid certificates from a service like letsencrypt.

[–] Wingy@lemmy.ml 1 points 1 year ago

I point my DNS at local IPs then use Let’s Encrypt with DNS validation.
