A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
For point number 2, security through obscurity is not security.
Besides, all issued certificates are logged publicly. You can search them here https://crt.sh
Nginx Proxy Manager is easy to set up and will do LE acme certs, has a nice GUI to manage it.
If it's just access to your stuff for people you trust, use tailscale or wireguard (or some other VPN of your choice) instead of opening ports to the wild internet.
Much less risk
if you know/use docker, the solution that has been the most straightforward for me is SWAG. the setup process is fairly easy when combined with registering your domain with Porkbun, as they allow free API access needed for obtaining top-level (example.com) as well as wildcard (*.example.com) SSL certificates.
along with that, exposing a new service is fairly easy with the plethora of already included nginx configs for services like Nextcloud, Syncthing, etc.
I use traefik with a wildcard domain pointing to a Tailscale IP for services I don't want to be public. For the services I want to be publicly available I use cloudflare tunnels.
Why is it too much asking your partner to use wireguard? I installed wireguard for my wife on her iPhone, she can access everything in our home network like she was at home, and she doesn't even know that she is using VPN.
A few reasons
Telling my partner to visit a website seems easy, they visit websites every day, but they don't use a VPN everyday and they don't care to.
you're talking to a community of admins that force their family to "use the thing". they can't understand why anyone can't debug tech issues because they have surrounded themselves with people who can.
I get it, my wife isn't technical at all. she gets online about once a week to check email. I couldn't even begin to explain to her how to debug her connection problems past turn it off and on again.
so, to simplify things, she doesn't connect to the home network outside of the home network. but I was able to teach her how to download movies/shows from Plex to her phone and I was able to explain why ads show up on her apps when she's out of the house.
it's not perfect, but it's the best I can give her with her understanding of the technology. knowing the limitations of your user base is just as important as developing the tools they will use and how they will access them.
I get where the original commenter is coming from. A VPN is easy to use, why not have my partner just use the VPN? But like, try adding something to your routine that you don't care about or aren't interested in. It's an uphill battle and not every hill is worth dying on.
All that to say, I appreciate your comment.
Why do so many people do this incorrectly. Unless you are actually serving a public then you don't need to open anything other than a WireGuard tunnel. My phone automatically connects to WireGuard as soon as I disconnect from my home WiFi so I have access to every single one of my services and only have to expose one port and service.
If you are going through setting up caddy or nginx proxy manager or anything else and you're not serving a public.... you're dumb.
What are you using to auto connect to VPN when you disconnect from your home wifi?
WG Tunnel does that natively, you can whitelist some wifis and auto connect on other and optionally on mobile data
The Wireguard iOS app has an “on-demand” toggle that automatically connects when certain conditions are met (on cellular, on wifi, exclude certain networks, etc)
Tasker on android, bit faffy and shouldn't at all be necisary
Tailscale is very popular among people I know who have similar problems. Supposedly it's pretty transparent and easy to use.
If you want to do it yourself, setting up dyndns and a wireguard node on your network (with the wireguard udp port forwarded to it) is probably the easiest path. The official wireguard vpn app is pretty good at least for android and mac, and for a linux client you can just set up the wireguard thing directly. There are pretty good tutorials for this iirc.
Some dns name pointing to your home IP might in theory be an indication to potential hackers that there's something there, but just having an alive IP on the internet will already get you malicious scans. Wireguard doesn't respond unless the incoming packet is properly signed so it doesn't show up in a regular scan.
Geo-restriction might just give a false sense of security. Fail2ban is probably overkill for a single udp port. Better to invest in having automatic security upgrades on and making your internal network more zero trust
I came here to upvote the post that mentions haproxy, but I can't see it, so I'm resorting to writing one!
Haproxy is super fast, highly configurable, and if you don't have the config nailed down just right won't start so you know you've messed something up right away :-)
It will handle encryption too, so you don't need to bother changing the config on your internal server, just tweak your firewall rules to let whatever box you have haproxy running on (you have a DMZ, right?) see the server, and you are good to go.
Google and stackexchange are your friends for config snippets. And I find the actual documentation is good too.
Configure it with certificates from let's encrypt and you are off to the races.
Caddy with cloudflare support in a docker container.
Does Caddy have an OWASP plugin like nginx?
How do you handle SSL certs and internet access in your setup?
I have NPM running as “gateway” between my LAN and the Internet and let handle it all of my vertificates using the built-in Let’s Encrypt features. None of my hosted applications know anything about certificates in their Docker containers.
As for your questions:
or a domain with a random string of characters so no one could reasonably guess it? Does it matter?
That does not work. As soon as you get SSL certificates, expect the domain name to be public knowledge, especially with Let's Encrypt and all other certificate authorities with transparency logs. As a general rule, don't rely on something to be hidden from others as a security measure.
It is possible to get wildcard certificates from LetsEnrcypt which doesn't give anyone information on which subdomains are valid as your reverse proxy would handle that. Still arguably security through obscurity, but it does make it substantially harder for anyone who can't intercept traffic between the client and server.