Comment on How do you get a certificate for an internal domain?
brownmustardminion@lemmy.ml 1 week ago
This is fine unless you have a slightly higher threat model.
Me personally, I dislike the idea that if someone (VPS provider or LE) were to snoop inside my VPS, they would have all of my unencrypted data where TLS ends and wireguard picks it up.
I don’t do anything illegal, but I do have photos, personal files, and deeply personal journals/notes for which I enjoy the comfort of mind when kept private and secure.
My recommendation is always to have your TLS equipped reverse proxy on your own hardware. Then use a VPS as a SSL passthrough proxy that forwards requests to the locally hosted reverse proxy. You can connect the two via wireguard.
This has a few benefits. It keeps encryption end to end. It also allows you to connect to your server via your domain name even in you LAN. You can hijack your domain at the router level DNS menu to reroute to your local reverse proxy. And it keeps the TLS connection.
thelittleblackbird@lemmy.world 6 days ago
Question, how do you deal with the certificates if you have an external vps doing passthroy?
Because that certificate will not match the domain name of the vps and then everything will fail or at least trigger a lot of alerts.
I really fail to see how an internal backend in a different subnet can send the right certificate
brownmustardminion@lemmy.ml 6 days ago
There’s no certificate at the VPS level. It forwards everything to and from the self hosted reverse proxy.
Now that you mention it though, there may be a slight complication with pinning the reverse proxy to the domain API for cert renewals. I’ll have to check how I have mine configured but I may have given my reverse proxy a IPv6 and configured that for cert renewals.
That would mean some down time as you update the IP if your ISP rotates it.
thelittleblackbird@lemmy.world 6 days ago
Still it is not clear to me how the interbank reverse proxy may get a valid certificate when the domain name is pointing to the vps. Do you copy later manually to the internal proxy?
And if so, how do you overcome the invalid certificate warning when you are accessing your services locally?
kossa@feddit.org 6 days ago
Idk if I understood the problem correctly, but you can renew with DNS challenge, if the real server is not reachable directly.