this post was submitted on 26 Jun 2024
296 points (93.8% liked)

Selfhosted

40394 readers
740 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Centralization is bad for everyone everywhere.

That bring said... I just moved my homeserver to another city... and I plugged in the power, then I plugged in the ethernet, and that was the whole shebang.

Tunnels made it very easy. No port forwarding no dns configuration no firewall fiddling no nothing.

Why do they have to make it so so easy...

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 5 months ago (2 children)

Yes, I do loose the origin IP and I'm a little bugged by it. It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware. That's totally my personal preference though.

I trust my VPS provider to not be interested enough in my data to setup special surveillance tooling for each and every possible software combination their customers might have. Cloudflare on the other hand only has their own software stack to monitor and all customers must adhere to it. It's by design much easier for them to do statistics or snooping.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago) (1 children)

It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware.

For TLS-based protocols like HTTPS you can run a reverse proxy on the VPS that only looks at the SNI (server name indication) which does not require the private key to be present on the VPS. That way you can run all your HTTPS endpoints on the same port without issue even if the backend server depends on the host name.

This StackOverflow thread shows how to set that up for a few different reverse proxies.

[–] [email protected] 1 points 5 months ago

Nice, thank you!

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago) (1 children)

You can do reverse proxy on the VPS and use SNI routing (because the requested domain is in clear text over HTTPS), then use Proxy Protocol to attach the real source IP to the TCP packets.
This way, you don't have to terminate HTTPS on the VPS, and you can load balance between a couple wireguard peers so you have redundancy (or direct them to different reverse proxies or whatever).
On your home servers, you will need an additional frontend(s) that accepts Proxy Protocol from the VPS (as Proxy Protocol packets aren't standard HTTP/S packets, so standard HTTPS reverse proxies will drop them as unknown/broken/etc).
This way, your home reverse proxy knows the original IP and can attach it to the decrypted http requests as x-forward-for. Or you can do ACLs based on original client IP. Or whatever.

I haven't found a way to get a firewall that pays attention to Proxy Protocol TCP headers, but I haven't found that to really be an issue. I don't really have a use case

[–] [email protected] 1 points 5 months ago

Oh neat! That looks like a perfect fit for me! I saved your post and will come back to it once the biyearly "just f*ing fo it again" motivation hits me once more :D