this post was submitted on 14 Jun 2023
19 points (100.0% liked)

Selfhosted


So, I have a few services (Jellyfin, Home Assistant, etc.) that I am running, and have been accessing via their IPs and port numbers.

Recently, I started using NGINX so that I could set up entries in my Pi-hole and access my services via some made-up hostname (jellyfin.home, homeassistant.home, etc.).

This is working great, but I also own a few domains, and thought of adding an SSL cert to them as well, which I have seen several tutorials on, and it seems straightforward.

My questions:

  • Will there be any issues running SSL certs if all of my internal services are inward-facing, with no WAN access? My understanding is that when I try to go to jellyfin.mydomainname.com, it will do the DNS lookup, which will point to a local address for NGINX on my network, which the requesting device will then point to and get the IP of the actual server.

  • Are there risks of anything being exposed externally if I use an actual CA for my cert? My main goal is to keep my home setup off of the internet.

[–] [email protected] 4 points 2 years ago (3 children)

Shouldn't be any risk if it's all local.

For an internal domain you'll need to set up your own internal CA to sign certs for your FQDNs. The risk comes from any mishandling of that new CA, since you'll need to install it as a trusted root on all of your devices, and if someone gets hold of it nothing would stop them from creating a MITM attack against, let's say, yourbank.com.

If you have the CA's key under lock then you should be good.

[–] [email protected] 6 points 2 years ago (1 children)

Don't use an internal domain; use a standard domain + split DNS instead. Much simpler to handle certificates for internal services with the ACME protocol.

[–] [email protected] 2 points 2 years ago

Yes, use a split-horizon setup.

[–] [email protected] 2 points 2 years ago (1 children)

Gotcha. Yeah, I read about doing a self-hosted CA, but then I have to add the cert to every device that needs access to the service, which I don't think the family would be thrilled about. I was going to use the cert generator in NGINX and use the key from my actual domain. This way I don't need to add the certs manually.

My only worry is exposing something accidentally, but if my firewall rules prevent any outside access to my services (Jellyfin, Nginx, Homelab, etc.) and the only thing with internet is the device accessing it (a laptop or TV), then I think I should be ok.

[–] [email protected] 1 points 2 years ago

If you have a domain you own, that's the way to go; I went by your .home naming, assuming that's what you're using. Since .home can't be registered, similar to .local, Let's Encrypt wouldn't be an option.

I have a split DNS setup on my end, so a service like Jellyfin would resolve only internally, since I want to limit it, but others would be both public and internal.

[–] [email protected] 1 points 2 years ago

For an internal domain you’ll need to set up your own internal CA

No real need to run your own CA. As long as you have an actual domain name, you can use Let's Encrypt with DNS challenges to get certificates for internal servers.