Sunday, October 08, 2023

Re: relayd ssl termination advice

On 08.10.2023 03:00, Courtney wrote:
> Hello everyone,
>
> I'm seeking an ideal way to make secure https connections to a handful
> of web servers in my house. Currently I have a Nextcloud server and a
> gitea server, but only the Nextcloud server is being port forwarded on
> 80/443. I want to make my gitea server publicly visible as well as a
> couple other projects. My thought is to have relayd running on my
> router and match Host headers and forward it to my servers based on the
> Host. This will also conveniently let me handle renewing Let's Encrypt
> certs in one place. I already do this right now with a VPS, but I have
> a wireguard tunnel to my house in this case to access the backend,
> which is encrypting the traffic from my relayd server to my backend web
> server.
>
> With my Nextcloud and gitea server, if I terminate SSL at my router,
> the connection between my router and Nextcloud/gitea web servers would
> be unencrypted. Even though it is in my own house, I don't really like
> that idea. It seems to be overkill too to do peer to peer wireguard
> between my Nextcloud/gitea servers in my house. I was wondering if this
> would actually be proper or if there are any other ideas you all might
> have. Ultimately, I want to serve a handful of services on 80/443 that
> are easily accessible internally and externally, and I don't want to
> have unencrypted traffic between relayd and my server for the services
> that are passing sessions and such.
>
> Thank you,
>
> Courtney

I have a similar situation at home. I use TLS to encrypt the traffic
between relayd(8) and the actual web servers. On the web servers I use
self-signed certificates which are valid for several decades. When it
comes to administrative access on the web servers I use my router as
ProxyJump and/or configure local tunnel(s) in ssh(1).

Cheers,
Bruno
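
An illustration of the layout Bruno describes, as an added example and not a configuration from either poster: relayd(8) terminates the public Let's Encrypt TLS on the router, picks the backend by Host header, and re-encrypts the router-to-backend leg with `forward with tls`, so the backends keep serving HTTPS with their own long-lived self-signed certificates. All addresses and host names (203.0.113.10, 192.0.2.x, cloud.example.org, git.example.org) are placeholders, not values from the thread.

```conf
# Added example relayd.conf for the setup discussed above (not Bruno's
# or Courtney's actual config). Addresses and names are placeholders.

ext_ip="203.0.113.10"        # assumed public address on the router
nextcloud_ip="192.0.2.11"    # assumed LAN address of the Nextcloud host
gitea_ip="192.0.2.12"        # assumed LAN address of the gitea host

table <nextcloud> { $nextcloud_ip }
table <gitea>     { $gitea_ip }

http protocol "https" {
    # Public Let's Encrypt keypairs, renewed in one place on the router.
    # relayd loads /etc/ssl/<name>.crt and /etc/ssl/private/<name>.key;
    # listing several keypairs lets it pick one by SNI.
    tls keypair "cloud.example.org"
    tls keypair "git.example.org"

    # Tell the backends who the real client is and that the outer leg
    # was HTTPS, since they now only ever see the router's address.
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-Proto" value "https"

    # Route by Host header to the per-service backend table.
    match request header "Host" value "cloud.example.org" forward to <nextcloud>
    match request header "Host" value "git.example.org"   forward to <gitea>
}

relay "https" {
    listen on $ext_ip port 443 tls
    protocol "https"

    # "with tls" re-encrypts the router-to-backend leg: the backends keep
    # their HTTPS listeners and self-signed certificates, and nothing
    # crosses the LAN in the clear.
    forward with tls to <nextcloud> port 443 check tcp
    forward with tls to <gitea>     port 443 check tcp
}
```

Validate the file with `relayd -n -f /etc/relayd.conf` before enabling it. The backend certificates Bruno mentions can be produced on each web server with something like `openssl req -x509 -newkey rsa:2048 -nodes -days 7300 -keyout backend.key -out backend.crt`, which is the usual way to get a self-signed certificate valid for decades. Two things to check in relayd.conf(5) for your version: which `tls` options control whether relayd verifies the backend's certificate (encrypting the inner leg does not by itself prove which host answered), and what happens to a request whose Host matches neither rule, since a relay with several `forward to` tables still needs a default destination unless such requests are blocked.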
