You also could do the DNS challenge instead.
That way you wouldn't even need to publish port 80.
Comment on Selfhosting Sunday - What's up to date, selfhosters?
thzihdd@feddit.org 5 weeks ago
I use Traefik as reverse proxy for local only services with let’s encrypt certificates. Just needed to a) register the subdomains and b) expose port 80 for the challenges without anything being served on that port.
Wireguard into my network and local DNS via Pihole to ensure proper local IPs. Works like a charm.
Appoxo@lemmy.dbzer0.com 5 weeks ago
tofu@lemmy.nocturnal.garden 5 weeks ago
I need to check what exactly I need to expose. I had 80 and 443 exposed but limited the access to local IPs in nginx like this:
allow 192.168.x.0/24;   # Allow FritzBox subnet
allow 10.0.0.0/24;      # Allow OpnSense subnet
deny all;               # Deny all other IPs
I still have some services I want to expose so generally I’ll keep the ports open.
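As an added example (not code from any poster in this thread), the snippet below models how nginx's ngx_http_access_module evaluates an allow/deny list like the one above: rules are checked top to bottom, the first match decides, and a request that matches nothing is allowed, which is why the trailing deny all matters. It also flags rules that can never match because an earlier rule already covers them, the classic mistake of putting deny all first. The 192.168.1.0/24 network is a constructed stand-in for the elided 192.168.x.0/24 in the post.

```python
import ipaddress

# Constructed rule list mirroring the allow/deny block from the post.
# The FritzBox subnet is a constructed stand-in for the elided 192.168.x.0/24.
RULES = [
    ("allow", "192.168.1.0/24"),  # FritzBox subnet (constructed value)
    ("allow", "10.0.0.0/24"),     # OpnSense subnet
    ("deny", "all"),              # everything else, including IPv6 clients
]


def _matches(ip, target):
    """True if the client address falls under an allow/deny target."""
    if target == "all":
        return True
    net = ipaddress.ip_network(target, strict=False)
    # An IPv6 address is never inside an IPv4 network and vice versa.
    return ip in net


def is_allowed(client_ip, rules=RULES):
    """Evaluate nginx-style access rules: first matching rule wins.

    With no matching rule nginx allows the request, so an allow list is only
    restrictive when it ends in 'deny all'.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if _matches(ip, target):
            return action == "allow"
    return True


def unreachable_rules(rules):
    """Return indices of rules shadowed by an earlier rule covering them.

    A shadowed rule is a configuration smell: e.g. 'deny all' placed before
    the allows silently blocks the local subnets it was meant to admit.
    """
    shadowed = []
    for i, (_, target) in enumerate(rules):
        for _, earlier in rules[:i]:
            if earlier == "all":
                shadowed.append(i)
                break
            if target == "all":
                continue
            net = ipaddress.ip_network(target, strict=False)
            prev = ipaddress.ip_network(earlier, strict=False)
            if net.version == prev.version and net.subnet_of(prev):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample client addresses.
    for client in ("10.0.0.5", "192.168.1.20", "203.0.113.9", "fe80::1"):
        print(client, "allowed" if is_allowed(client) else "denied")
    bad_order = [("deny", "all"), ("allow", "10.0.0.0/24")]
    print("shadowed rules in bad_order:", unreachable_rules(bad_order))
```

Two things to keep in mind when relying on this: nginx applies the rules to the address of the TCP peer, so if another proxy or a CDN sits in front, every client appears to come from that proxy's address unless ngx_http_realip_module is configured to trust it; and IPv4-only allow rules followed by deny all will also deny IPv6 clients on the LAN, which may or may not be what you want.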
Lem453@lemmy.ca 4 weeks ago
Keeping 80 open is useful so that traefik can redirect all traffic to 443 (https).