Submitted 4 months ago by Dust0741@lemmy.world to selfhosted@lemmy.world
I want my self hosted things to use https. For example, I have Jellyfin installed via docker, and I want it to use https instead of http.
I don’t care about necessarily doing this the “right” way, as I won’t be making Jellyfin or any other service public, and will only be using it on my local network.
What is the easiest way to do this? Assume everything I host is in docker. Also a link to a tutorial would be great.
Thanks!
I usw nginxproymanager for that. It has an integrated function to create and update letsencrypt certificates. Creating a New host takes like 1 minute.
+1 to NPM. Works really easily for certs and auto renewal.
Maybe not the best acronym, with Node Package Manager around
With caddy you can easily set up a local issued certificate for https. It would shine a nice warming on your browser unless you install the CA certificate on the computer you use to visit the site though.
Or use caddy with a dns challenge. No need to open any ports and just use it completely locally without any annoying warning.
Nginx Proxy Manager is awesome for managing certificates. I have all of my services running behind it.
I also use this and can recommend it
I do this too, have acls setup for my main LAN ips and all my internal hosts setup in opnsense in hosts override so they get redirected to NPM. Not sure if this is the correct way but it gives me all valid certificates. You could also do domain override and redirect just that domain to your NPM.
The easiest way is to pay for a public domain, use a subdomain of that which does not have an A record on the wide internet, and then use certbot to get Let’s Encrypt certificates for them and auto-renew.
It’s pretty easy to do, I set it up using this guide: www.youtube.com/watch?v=qlcVx-k-02E
Used this guide too, it was the one that finally made things “click” for me.,
I used it for a while until I outgrew it and managed to setup Traefik.
I used the same guide and it works great.
I do this. I use Cloudflare as my DNS and Caddy as my server. With the Cloudflare plugin Caddy gets TLS certs even for 10/8 addresses.
I just add my CA to my devices and use self signed certificates for stuff on my LAN. I don’t want to go through all the trouble of using lets encrypt for something that’s not accessible from the internet.
Just be aware of the risks involved with running your own CA.
You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.
For what’s worth, LetsEncrypt with DNS-01 challenge is way easier to deploy and maintain in your internal hosts than adding a CA and dealing with all the devices that might not like custom CAs. Also more secure.
This is the most permanent solution. You can generate valid and trusted certs for as long as you want. Let’s Encrypt is great, but you also have to configure the automation to keep renewing the certs every 30 days.
I’ve been doing it this way for many years, before LetsEncrypt was around. Maybe some day I will switch so I can become dependent on another third party (though I do use LetsEncrypt for public-facing services).
Yes, telling your computer to trust a certificate chain that you are responsible for securing may significantly increase your attack surface. It’s easy to forget about that root cert (I actually push mine via GPO).
If you mean signed by your CA then this is me too, albeit with an intermediate CA in the middle (honestly pointless in my case, but old habits etc).
I don’t host anything externally and trusting the CA certs internally is easy as Ionly need to do it on a handful of devices. This + reverse proxy keeps things tidy and uncomplicated.
There’s a few ways, but for example you can use a service like cloudflared which comes with its own certs (and then set up WAF rules to only allow your IP), or you could set something up using let’s encrypt via reverse proxy (for example, using Opnsense and the let’s encrypt plugin which actually validates domains that aren’t otherwise exposed to the internet, there by giving you full blown validated SSL).
If you don’t care about validation errors then you can use nginx reverse proxies (locally, not exposing any ports externally) and apply self-signed certs through the proxy regardless of whether or not the software allows SSL config.
I roll out Step CA to my workstation with an Ansible role. All other clients on the lab trust this CA and are allowed to request certificates for themselves through ACME, like LetsEncrypt.
All my services on all clients on the network are exposed through traefik, which also handles the ACME process.
When it comes to Jellyfin, this is entirely counter-productive. Your media server needs to be accessible to be useful. Jellyfin should be run with host networking to enable DLNA, which will never pass through TLS. Additionally, not all clients support custom CAs. Chromecast or the OS on a TV are prime candidates to break once you move your Jellyfin entirely behind a proxy with custom CA certificates. You can waste a lot of time on this and achieve very little. If you only use the web UI for Jellyfin, then you might not care, but I prefer to keep this service out of the fancy HTTPS setup.
Just be aware of the risks involved with running your own CA.
Fuck that. People like to act like running an SMTP server or a CA is some major shit, while everyone is fucking up on these subjects every single day.
Nginx Proxy Manager is probably perfect for you.
Pick a domain (like mylab.home or something), set up your home network to resolve that domains IP as your docker hosts IP.
NPM will do self-signed certs. So, you will get a “warning, Https is insecure” kinda page when you visit it. You could import NPMs root cert into your OS/browser so it trusts it (or set up an “don’t warn for this domain” or something).
If you don’t want per-client config to trust it, then you need to buy a domain, use a DNS that supports letsencrypt DNS-challenge, and grab certs that way (means you don’t need a publicly accessible well-known route exposed)
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| HTTP | Hypertext Transfer Protocol, the Web |
| HTTPS | HTTP over SSL |
| IP | Internet Protocol |
| SSL | Secure Sockets Layer, for transparent encryption |
| nginx | Popular HTTP server |
[Thread #856 for this sub, first seen 7th Jul 2024, 03:25] [FAQ] [Full list] [Contact] [Source code]
https://lemmy.world/comment/10089750
This is how I did it.
hperrin@lemmy.world 4 months ago
The easiest way to do it is to do it the right way with LetsEncrypt. The hardest way to do it is the wrong way, where you create your own CA, import it as a root CA into all of the machines you’ll be accessing your servers from, then create and sign your own certs using your CA to use in your servers.
khorak@lemmy.dbzer0.com 4 months ago
This, letsencrypt with dns challenge, desec.io to manage the dns records github.com/go-acme/lego or traefik to manage the certificates and do the dns challenges for you.
TCB13@lemmy.world 4 months ago
Yes, LetsEncrypt with DNS-01 challenge is the easiest way to go. Be it a single wildcard for all hosts or not.
Running a CA is cool however, just be aware of the risks involved with running your own CA.
You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.
Findmysec@infosec.pub 4 months ago
All they say that if the private key is stolen then you’re screwed. Think about it, if an attacker can:
You have a much bigger problem my friend
scrubbles@poptalk.scrubbles.tech 4 months ago
Tried that once. It was not a fun route to go down. If let’s encrypt ever dies it anything fine, I’ll look into it again. Until then, let’s encrypt all the way
Findmysec@infosec.pub 4 months ago
why is creating one’s own CA the wrong way? I don’t want to have to pay cloudflare or porkbun to run HTTPS at home
hperrin@lemmy.world 4 months ago
Because you have to manage it on your network and all your own machines, and it doesn’t provide any value if your server is hacked. It actually makes you less safe if your server is hacked, because then you can consider every machine that has that CA as compromised. There’s no reason to use HTTPS if you’re running your own CA. Just use HTTP or use a socks proxy through ssh.
philpo@feddit.de 4 months ago
Yeah. Exactly how I do it. .casa domain to distinguish it from my other domains, DNS challenge and I am good.
Proxmox and OPN Sense work with it themselves, for everything else I use NPM on Proxmox. Couldn’t be more happy with that solution.