tldr: I’d like to set up a reverse proxy with a domain and an SSL cert so my partner and I can access a few selfhosted services on the internet but I’m not sure what the best/safest way to do it is. Asking my partner to use tailscale or wireguard is asking too much unfortunately. I was curious to know what you all recommend.

I have some services running on my LAN that I currently access via tailscale. Some of these services would see some benefit from being accessible on the internet (ex. Immich sharing via a link, switching over from Plex to Jellyfin without requiring my family to learn how to use a VPN, homeassistant voice stuff, etc.) but I’m kind of unsure what the best approach is. Hosting services on the internet has risk and I’d like to reduce that risk as much as possible.

  1. I know a reverse proxy would be beneficial here so I can put all the services on one box and access them via subdomains but where should I host that proxy? On my LAN using a dynamic DNS service? In the cloud? If in the cloud, should I avoid a plan where you share cpu resources with other users and get a dedicated box?

  2. Should I purchase a memorable domain or a domain with a random string of characters so no one could reasonably guess it? Does it matter?

  3. What’s the best way to geo-restrict access? Fail2ban? Realistically, the only people that I might give access to live within a couple hundred miles of me.

  4. Any other tips or info you care to share would be greatly appreciated.

  5. Feel free to talk me out of it as well.

  • a_fancy_kiwi@lemmy.worldOP · 21 hours ago

    wildcard let’s encrypt cert

    I know what “wildcard” and “let’s encrypt cert” are separately but not together. What’s going on with that?

    How do you have your tailscale stuff working with ssl? And why did you set up ssl if you were accessing via tailscale anyway? I’m not grilling you here, just interested.

    I know enough about security to know that I don’t know enough to secure against much anything

    I feel that. I keep meaning to set up something like nagios for monitoring and just haven’t gotten around to it yet.

    • teuto@lemmy.teuto.icu · 18 hours ago

      So when I ask Let’s Encrypt for a cert, I ask for *.int.teuto.icu instead of specifically jellyfin.int.teuto.icu, that way I can use the same cert for any internally running service. Mostly I use SSL on everything to make browsers complain less. There isn’t much security benefit on a local network. I suppose it makes it harder to spoof on an external network, but I don’t think that’s a serious threat for a home net. I used to use home.lan for all of my services, but that has the drawback of redirecting to a search by default on most browsers. I have my tailscale exit node running on my router and it just works with SSL like anything else.

      • a_fancy_kiwi@lemmy.worldOP · 1 hour ago

        Ok so I currently have a cert set up to work with:

        domain.com

        www.domain.com (some browsers seemingly didn’t like it if I didn’t have www)

        subdomain.domain.com

        Are you saying I could just configure it like this:

        domain.com

        *.domain.com

        The idea of not having to keep updating the cert with new subdomains (and potentially break something in the process) is really appealing
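As an added worked example (not code from anyone in this thread; `domain.com` and the service names are the placeholders from the post above, plus a couple of constructed edge cases), here is the hostname-matching rule browsers apply to a certificate's Subject Alternative Names, run over the list above. It shows why the cert needs both `domain.com` and `*.domain.com` (a wildcard never covers the bare apex), and that `*.domain.com` stands in for exactly one label, so `www.domain.com` and `jellyfin.domain.com` match but `a.b.domain.com` does not.

```python
"""Check which hostnames a certificate's SAN list covers.

Implements the wildcard rule used by browsers and by Python's ssl module
(RFC 6125 section 6.4.3 / RFC 9525): a '*' is honoured only as the entire
left-most label and matches exactly one non-empty label.
All names below are constructed placeholders, not real deployments.
"""


def hostname_matches(hostname: str, san: str) -> bool:
    """Return True if the DNS SAN entry `san` covers `hostname`."""
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern  # plain SAN entry: exact match only
    plabels = pattern.split(".")
    # Only a bare '*' as the whole left-most label is a valid wildcard;
    # 'w*.domain.com' or 'a.*.domain.com' are rejected outright.
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    hlabels = host.split(".")
    # The wildcard stands in for exactly one label, so the apex
    # (domain.com) and deeper names (a.b.domain.com) do not match.
    return (
        len(hlabels) == len(plabels)
        and hlabels[0] != ""
        and hlabels[1:] == plabels[1:]
    )


def coverage(hostnames: list[str], sans: list[str]) -> dict[str, bool]:
    """Map each hostname to whether at least one SAN entry covers it."""
    return {h: any(hostname_matches(h, s) for s in sans) for h in hostnames}


def uncovered(hostnames: list[str], sans: list[str]) -> list[str]:
    """Hostnames that would still produce a browser certificate warning."""
    return [h for h, ok in coverage(hostnames, sans).items() if not ok]


# Constructed sample: the names from the post above plus a few edge cases.
WANTED = [
    "domain.com",
    "www.domain.com",
    "subdomain.domain.com",
    "jellyfin.domain.com",
    "a.b.domain.com",      # two labels deep: not covered by *.domain.com
    "evil-domain.com",     # a different apex entirely
]
APEX_PLUS_WILDCARD = ["domain.com", "*.domain.com"]
WILDCARD_ONLY = ["*.domain.com"]

if __name__ == "__main__":
    for label, sans in (("apex + wildcard", APEX_PLUS_WILDCARD),
                        ("wildcard only", WILDCARD_ONLY)):
        print(f"{label}: not covered -> {uncovered(WANTED, sans)}")
```

To see what a real certificate actually lists, run `openssl x509 -in cert.pem -noout -ext subjectAltName` and feed those entries in as `sans`; anything `uncovered` reports is a name that will still warn in the browser after the wildcard switch.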

        • starshipwinepineapple · 8 hours ago

          Yes. If you’re using Let’s Encrypt then note that they do not support wildcard certs with the HTTP-01 challenge type. You will need to use the DNS-01 challenge type. To utilize it you would need a domain registrar that supports API DNS updates like Cloudflare and then you can use the acme.sh package. Here is an example guide I found.

          Note that you could still request multiple explicit subdomains in the same issue/renew commands so it’s not a huge deal either way but the wildcard will be more seamless in the future if you don’t know what other services you might want to self-host.
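As an added illustration of what acme.sh is doing on your behalf during the DNS-01 challenge the reply above recommends (this is not acme.sh's or Let's Encrypt's code; the account key is a constructed placeholder JWK, not a real key, and the token is made up, but the arithmetic is the one RFC 8555 sections 8.1 and 8.4 prescribe for producing the TXT record): the client hashes the CA's token together with a thumbprint of its own account key and publishes the result under `_acme-challenge.<name>`. For a wildcard identifier the `*.` is stripped first, so `*.domain.com` is proven by writing a record at `_acme-challenge.domain.com`, i.e. by control of the zone itself, which is why there is no HTTP-01 equivalent and why the registrar API access is needed.

```python
"""The DNS-01 key authorization and TXT value an ACME client computes.

Added example, not acme.sh or Let's Encrypt code. ACCOUNT_JWK below is a
constructed placeholder (not a valid P-256 point) and TOKEN is made up;
a real token comes from the CA inside the challenge object.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 thumbprint input: required public members only, lexically
    sorted, no whitespace. Private members such as 'd' are dropped, so the
    thumbprint can be published without leaking anything."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint(account key): binds the challenge to one ACME
    account, so a stolen token alone cannot be answered by someone else."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """(record name, TXT value) the client must publish before telling the
    CA to validate. A wildcard identifier loses its '*.' prefix, so both
    domain.com and *.domain.com are validated at _acme-challenge.domain.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return (f"_acme-challenge.{base}", b64url(digest))


# Constructed placeholder account key; the coordinates are not a real point.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "placeholder-x-coordinate",
    "y": "placeholder-y-coordinate",
    "d": "placeholder-private-scalar",  # must never reach the thumbprint
}
TOKEN = "constructed-token-from-the-CA"

if __name__ == "__main__":
    for ident in ("domain.com", "*.domain.com"):
        name, value = dns01_record(ident, TOKEN, ACCOUNT_JWK)
        print(f'{ident:>14} -> {name} TXT "{value}"')
```

Two practical consequences follow from this. When you request `domain.com` and `*.domain.com` in one order (`acme.sh --issue --dns dns_cf -d domain.com -d '*.domain.com'` with Cloudflare), the CA hands out a separate token for each, and both answers live at the same name `_acme-challenge.domain.com`, so the DNS provider must accept two TXT records at one name; acme.sh adds and later removes them for you. And because acme.sh holds the registrar API credential on that box to do so, scope it as narrowly as the provider allows (for Cloudflare, a token limited to DNS edit on that one zone rather than the global API key), since anyone who obtains it can answer DNS-01 challenges for your whole zone.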