Self-Hosted Main

502 readers

1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

Service: Dropbox - Alternative: Nextcloud
Service: Google Reader - Alternative: Tiny Tiny RSS
Service: Blogger - Alternative: WordPress

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

Awesome-Selfhosted List of Software
Awesome-Sysadmin List of Software

founded 1 year ago

MODERATORS

[email protected]

Help hosting Vaultwarden local only (alien.top)

submitted 10 months ago by [email protected] to c/[email protected]

19 comments fedilink hide all child comments

Hello, I've been looking at many guides but I'm having trouble understanding how to selfhost VaultWarden locally. Could someone help me understand how I could achieve this considering,

I don't have a domain
- It would be nice to do something like vaultwarden.local or vaultwarden.homelab.local instead of typing in the homelab's pc static ip and the port vaultwarden is on
I don't want to expose anything outside of my local network
- Security reasons
- I am now well versed in networking so I don't want to risk leaving an entry point for unwanted users or hackers

I also learned that I would need to sign certificates to be able to access it on some browsers and the additional security. I learned that Traefik offers self-signed certificates, but every video I have seen starts talking about needing a domain and cloudflare tunneling and I get lost.

It would be nice if I could get help or advice from the r/selfhosted community because I am new to all of this but want to learn and host more applications and services locally. Thank you.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 1 points 10 months ago (5 children)

For a proper trusted certificate you’re best to have a domain. That doesn’t mean you need to expose anything to the internet. If you have Traefik or HAproxy they can auto issue certificates from LetsEncrypt with the right config. Just don’t allow external access to those front ends. I have the same sort of thing setup with pfsense and the site is internal only via HAproxy to the docker container. Works great.

[–] [email protected] 1 points 10 months ago (3 children)

That doesn’t mean you need to expose anything to the internet

Really? How do you do this? Do you just not forward any of the ports on your router? If that's the case then I'll go ahead and purchase a domain and get started.

[–] [email protected] 1 points 10 months ago

Let's Encrypt uses what is called "ACME protocol" for proof of owner when generating certificates.

There are various challenges they use to prove ownership of the domain. The default one just places a special file on your web server that Let's Encrypt then reads.

However there are a number of different types of challenges.

If you don't want to expose anything to the internet then a common one to use is 'DNS Challenge'.

With DNS challenge the certbot uses your DNS server/provider's API to update DNS records as a response to the challenge. Let's Encrypt reads the special TXT response and verifies that you own the domain.

So to use this you need two things:

A DNS domain
A DNS domain provider that has a API that certbot can use.

AWS Route53 is a good one to use. But I have used Digital Ocean's free DNS Service, Bind servers, Njalla, and other things. Most commonly used DNS providers are supported one way or the other.

You can also get fancy and designate sub domains or other domains to respond to the challenges. So if your DNS is locked down you can still add a record to point to a different one on a different server.

The big win for going with DNS Challenge is that you can do wildcard certificates.

So say you are setting up a reverse proxy that will serve vault.home.example.com, fileshare.home.example.com, torrent.home.example.com, and a bunch of others... all you need to do is configure your reverse proxy with a single *.home.example.com cert and it'll handle anything you throw at it.

You can't do that with the normal http challenge. Which makes doing the DNS challenge worth it, IMO, even if you do have a public-facing web server.

load more comments (2 replies)

load more comments (3 replies)