this post was submitted on 18 Aug 2023
21 points (95.7% liked)

Selfhosted

40006 readers
533 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hi. I have been into self-hosting for about 2 years, now. My current setup is that I have a home server and a VPS. My ISP does not let me forward any ports (I am behind CGNAT, I think), so, I have connected my home server to a VPS via a WireGuard tunnel and am using Nginx Proxy Manager (NPM) to proxy the services hosted on my homeserver to the public.

Now, the traffic that goes from my home server to the VPS and from VPS to the public are encrypted, but theoretically, the VPS provider can look at the data passing through, since this is technically TLS termination. Although, I trust my VPS provider more than I trust my ISP, I am thinking about setting up TLS passthrough, for additional privacy. But I have a few questions and I would be greatful if anyone can help me.

  1. Do I need to put the SSL certificates on my homeserver, or can they remain on the VPS if I have to set up TLS Passthrough?
  2. Is port forwarding required to set up TLS passthough?
  3. Does NPM support TLS passthrough, or should I shift to HAProxy?

If there are any issues with my current setup, or the assumptions I am making, please guide me.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 1 year ago (2 children)

Thank you for your response. Just one more question... If I am not forwarding any ports, will I be able to generate and renew certificates on my home server? As far as I know, the domain needs to point to the IP which is generating the certificates, right?

[–] [email protected] 7 points 1 year ago

If you’re using Lets Encrypt, look at doing DNS validation instead of HTTP. Bit easier and you don’t need to worry about that side.

Either way, if you’re passing through all of ports 80 and 443 to your home server thru the WireGuard tunnel to the proxy, HTTP validation should still work fine.

[–] [email protected] 3 points 1 year ago

Adding onto what TheMrDrProf said: basically LetsEncrypt just wants to know you actually control the domain you’re using to get the certificate. With HTTP challenges, your domain has to resolve to a working HTTP server. With DNS challenges, you need API access to your DNS provider so that Certbot can set a temporary record that proves ownership.

If you’re using NPM to manage your certs, then as TheMrDrProf said as long as the HTTP request from LetsEncrypt can make it to your NPM through the VPS proxy, you should be able to pass the challenge and get a certificate. The IP address of the domain doesn’t really matter as long as the request makes it all the way to the challenge HTTP server, which in this case is NPM.

In NPM, you should see “Use a DNS challenge” option. If you use that and your DNS Provider is supported (if not, I recommend Cloudflare), then your VPS proxy does not even need to be working in order to renew certificates. This has a few advantages such as being able to shut off unencrypted traffic on port 80 completely.