this post was submitted on 15 Jun 2023
6 points (100.0% liked)
Self Hosted - Self-hosting your services.
11419 readers
1 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules
- No harassment
- crossposts from c/Open Source & c/docker & related may be allowed, depending on context
- Video Promoting is allowed if is within the topic.
- No spamming.
- Stay friendly.
- Follow the lemmy.ml instance rules.
- Tag your post. (Read under)
Important
Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!
- Lemmy doesn't have tags yet, so mark it with [Question], [Help], [Project], [Other], [Promoting] or other you may think is appropriate.
Cross-posting
- [email protected] is allowed!
- [email protected] is allowed!
- [email protected] is allowed!
- [email protected] is allowed if topic has to do with selfhosting.
- [email protected] is allowed!
If you see a rule-breaker please DM the mods!
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Thanks a lot! This is kind of the configuration that I have converged to, with nginx and WireGuard. The last thing I need to set up correctly is for the SSL handshake to occur between the client and my home server, and not between the client and the internet-facing VPS, such that the information remains encrypted and unreadable to the VPS. The two strategies that I have seen can do this is SNI routing with nginx or to use stunnel. I still have not been able to set up either!
In that case, you're better off just using the VPS machine as port forwarding port 443 to your home machine's wireguard IP address and handle the SSL/TLS termination on the home machine.
This way all HTTPS traffic will be passing trough the VPS and being decrypted on your home machine, and encrypted data will be sent from your home machine back to the client. Anyone gets in or sniffs traffic will see encrypted traffic. Plus it's already sent over encrypted VPN network. To really see what's happening, they need to get into the machine and technically could use the wireguard private keys to decrypt the traffic, but they will still see the encrypted HTTPS traffic. So you're good, technically.
This is what I would like to do! I was trying to handle the SSL termination 'automatically' by simply forwarding the connections to 443 of my machine's wireguard IP using nginx, but I did not manage to get it to work. That's when I found that I need to use something like 'stunnel' to handle the SSL termination. But I think that you may be suggesting an even simpler method of using port-forwarding instead of the reverse proxy. I am not sure how to achieve that, I will look into it using these terms.
You did kinda push me in that direction to try the same thing. Once I have bit more time, I'll try it out and send an example. Unless you beat me to it 😂