Self hosting and HSTS preload domains

Submitted ⁨⁨2⁩ ⁨weeks⁩ ago⁩ by ⁨wraith@lemmy.ca⁩ to ⁨selfhosted@lemmy.world⁩

I have a domain that requires HSTS preload. I want to self host a few things, like nextcloud, pihole, and vaultwarden. How much of an issue is HSTS preload going to be if I do that? Will I need to set up wildcard certs for everything? Or will it just work™️ because it’s internal or traffic is through a VPN?

I can’t find much about this so any help would be appreciated!

source

Comments

Sort:hotnew top

Xanza@lemm.ee ⁨2⁩ ⁨weeks⁩ ago
I self-host on a .dev domain. It’s extremely simple with Caddy.

source
- wildbus8979@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
  Yeah I use Lego, works great
  
  source
BakedCatboy@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago
I use a .dev and it just works with letsencrypt. I don’t do anything special with wildcards, I just let traefik request a cert for every subdomain I use and it works. I believe letsencrypt must ignore HSTS for validation because I use the tls challenge which works on port 443, so I don’t think port 80 is required, but I still forwarded it so I can serve an http->https redirect since stuff like curl and probably other tools might not know about HSTS.

source
just_another_person@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
Required? That’s quite a commitment. Is this a Cloudflare thing?

All it really means is that you have to advertise some metadata about your max-age and (sub)domains associated with whatever the domain is. If you’re only planning to serve over HTTPS, and you have a bulletproof refresh workflow for your certs, it’s not going to be a huge issue. Clients need to respect HSTS first, so if your clients don’t check, it’ll still function.

If you’re just using internal or VPN traffic, there’s literally no point in using it EXCEPT to satisfy client requirements.

Can you expound a bit more on this requirement btw? Now I’m curious.

source
- wraith@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago
  Google requires HSTS preload for all of their domains. Charleston Road Registry (their subsidiary), enforces this by adding the TLD to the HSTS preload list.
  
  Here is the Wikipedia link to the TLD. It’s at the bottom.
  
  source
  - just_another_person@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Yeah, but you’re saying this is going to be used internal to you only, right? No public facing exposure?
    
    source
    -> View More Comments
- Xanza@lemm.ee ⁨2⁩ ⁨weeks⁩ ago
  
  Required? That’s quite a commitment. Is this a Cloudflare thing?
  
  There are specific TLD which are required at the DNS level to be served over HTTPS. .dev is an example. The browser will physically not load a .dev domain over anything but HTTPS.
  
  source
  - just_another_person@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Yeah, I got that, but this is an internal system OP is discussing. DNS forwarder and VPN. Solved.
    
    source
- wildbus8979@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
  Google owns a could of TLDs (.app, .dev, etc) and they preloaded all of them 😒
  
  source
  - just_another_person@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    [deleted]
    source
    -> View More Comments
wildbus8979@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
Give those domains their own let’s encrypt certificate?

source
- wraith@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago
  Google is the registry. They require all of the domains they control to have HSTS preload enabled.
  
  source
  - wildbus8979@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
    Then yeah, what’s the issue with giving your subdomains a certificate?
    
    source
    -> View More Comments