Comment

Comment on How do I use HTTPS on a private LAN without self-signed certs?

douglasg14b@lemmy.world ⁨1⁩ ⁨week⁩ ago

I just:

Have my router setup with DNS for domains I want to direct locally, and point them to:
Have a reverse proxy that has auto- certbot behavior (caddy) connected to the cloud flair API
Navigation I do within my local network to these domains gives me real certificates.

source

Sort:hotnew top

LovableSidekick@lemmy.world ⁨1⁩ ⁨week⁩ ago
When somebody says they “just” reverse the polarity of the navigational deflector array and channel power directly from the warp core.

source
- douglasg14b@lemmy.world ⁨1⁩ ⁨week⁩ ago
  In this case I run pfSense instead of my ISP provided router. This allows me to have my own DNS resolver, which I can then resolve various domains to internal addresses.
  
  All devices on my network point to my router for DNS allowing them to resolve internal addresses from all of these.
  
  source
  - LovableSidekick@lemmy.world ⁨1⁩ ⁨week⁩ ago
    Thanks, I’ll lookup pfSense. But straightforward host mapping has worked for me in the past with this router and others. It worked great on my old Cisco DSL router 25 years ago. So simple and straightforward, it should just freaking work. sigh
    
    source
Celestus@lemm.ee ⁨1⁩ ⁨week⁩ ago
FYI, all the certs you generate are public record, so it might be a good idea to use a wildcard route in Caddy. That will make it only generates one cert, so no one can find your internal domain names. Especially if your Caddy instance is accessible from the Internet, and you’re expecting external connections not to be able to access domains with only internal DNS records

source
- douglasg14b@lemmy.world ⁨1⁩ ⁨week⁩ ago
  That’s a good call out.
  
  There are a few things I do right now:
  
  All of my public DNS entries for the certs point at cloudflare, not my IP.
  
  My internal Network DNS resolver will resolve those domains to an internal address
  
  I drop all connections to those domains in cloudflare with rules
  
  In caddy, I drop all connections that come from a non-internal IP range for all internal services
  
  I use tailscale to avoid having to have routes from the Internet into my internal services for when I’m not at home.
  
  For externally accessible routes, I have entirely separate configurations that proxy access to them. And external DNS still points to cloudflare, which has very restrictive rules on allowable connections.
  
  source