from Charger8232@lemmy.ml to selfhosted@lemmy.world on 28 Jan 17:34
https://lemmy.ml/post/25314008
Yesterday I decided to start “officially” selfhosting. With almost no experience with Docker, I struggled for eight hours straight, but I finally have it working.
Currently, the two tools I am selfhosting with Docker Compose are LibreTranslate and spotDL. I’m only accessing them over the local network using a direct IP:PORT, so there’s no domain name. I don’t want to use a custom DNS, since it is fingerprintable online, so I want to keep it the same as my VPN.
With that said, I want to add encryption to the connections. I was able to generate my own self signed certificates with this command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./certs/key.key -out ./certs/cert.crt
spotDL was easy to setup with these self signed certs, since it has command flags for –enable-tls, –key-file, and –cert-file. LibreTranslate has an environment variable for - LT_SSL=true, however it gives the following error:
libretranslate | (URLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')),)
That led me to this issue which is 2 and a half years old. LibreTranslate doesn’t have a way to specify certificates that I know of.
I tried using Nginx Proxy Manager to create a reverse proxy, but I couldn’t quite figure it out. (I also didn’t understand Docker Compose at the time. I had a few hours to go before I did) NPM also seems to want Let’s Encrypt certificates which can’t be given without a DNS record. I tried manually providing certificates in the config file, but I don’t quite understand NPM enough to be able to set it up properly on my own.
My requirements are:
- No changing the DNS from my VPN’s default
- No port forwarding, everything should be accessed by the local network only
- No email required (ability to use a fake email without risk is fine)
- Only free and open source software
- Modern security standards where available
I also would like help adding the self signed certificates as a permanent exception in Brave browser, if possible.
threaded - newest
www.youtube.com/watch?v=BKCj6A4CHV4
Not necessarily docker but gives a good vibe for self signed certs. Also i don’t see why u need encryption if ur only accessing ur data over local network (I presume via a vpn) its unnecessary unless ur worried about someone snooping packets on ur lan.
Personally I have my services available to the internet with a letsencrypt cert for a domain served via nginx that served my services at relevent routes. SSL isn’t really nessasary unless ur transporting across an untrusted network (such as the internet instead of over a VPN).
Seconding this, I really can’t see the point of encryption on local only connections. Are you ready worried about someone hacking your WiFi?
Anyway, if you do want to do a reverse proxy, I’ll make my usual recommendation of Caddy instead. It handles certificates for you, using Let’s Encrypt, so there’s no need to add exceptions in your browser. And reverse proxying with Caddy is literally a one line config.
Browsers are starting to get pissy about http and once you have it done once it’s like a half dozen lines to add caddy to whatever docker project you’re spinning up.
Encryption in transit even internally is a good practice. That said, op is making life hard by refusing to use DNS.
If you’ve got certs generated, you should be able to upload them to nginx proxy manager. anthonyconstant.co.uk/…/local-ssl-certificate-usi…
If you know your VPN’s DNS server, you can change your local DNS so that it redirects your specified domains/subdomains to the appropriate, local IP address and all other requests would then use your VPN’s DNS.
If you don’t know your VPN provider’s DNS server information, you may be able to still do something similar to the above depending on your setup. Otherwise, you could run your own DNS resolver or use a different DNS provider. I guess doing so could potentially be used to further fingerprint you, but the concern about “DNS fingerprinting” is moreso DNS leaks where your DNS queries are accessible to unintended parties due to improper configuration.
I believe the only other option would be to change your hosts file on each device you want to use to connect to your services, which is probably not the best approach and may be challenging/impossible for certain devices.
Also, unless you setup the self signed certs to be trusted on a network/domain level (or again on each individual device), you will likely get a warning/error about the self signed certs when accessing your services. You may need to work through this process each time the certs renew.
I recommend buying a domain if you do not already have one and finding a service that provides wildcard certification challenges. This would allow you to setup a valid, trusted certificate that you could reuse for all of your services. The only thing that you would need to provide is an email address (can be any email address) and your domain name (in addition to other information that may be required to setup an account at the cert provider, but you may already have an account there as it could be the domain name registrar or other services like VPS providers, Cloudflare, etc.). Since it is a wildcard cert, each subdomain does not need to be set publicly and if you only use the domain within your network, the domain does not need to be publicly associated with any IP address.
If you do go forward with that approach, you could use the wildcard cert directly within NginxProxyManager or other reverse proxies. They will also automatically update/maintain the cert for you.
If you take another stab at it, look for NPMPlus, its a better maintained fork. But yah, without a real domain, let’s encrypt will be a pain to get to fly.
TL;DR: Op needs to sort out reverse proxy with SSL/TLS.
Nginx is the way to go. Just figure that out and you are all set.
No, nginx proxy manager is not the only way, you can also use nginx directly on bare metal as it is intended to.
Maybe this link could help you wiki.gardiol.org/doku.php?id=selfhost%3Anginx