I set up Nginx Proxy Manager just for general local security, but I’m behind CGNAT so I use ZeroTier (which I’m happy with). I have a Pi with NPM and Adguard plugged into my router, and a bunch of other Docker containers and other self-hosted programs on my main machine. I set up my domain with cloudflare, so mydomain.com points to my local npm address, 192.168.x.x, used the wildcard letsencrypt ssl so i can access my stuff from jellyfin.mydomain.com, adguard.mydomain.com, etc, then set up NPM to point each subdomain to it’s correct service, so 192.168.x.x:8096 => jellyfin.mydomain.com. I also setup adguard with wildcard DNS rewrites.

However, I used wireshark to check if all was well, but the traffic between my main machine and my pi is unencrypted. This makes sense in retrospect, but kind defeats the point of what I was going for, since I have not-so tech savvy family members, and having the password for stuff like guacamole just floating around the LAN in plain text is kind of off-putting. I figured I’ll just centralise the more important services on the pi since it doesn’t have the http issue, or maybe expose the docker socket of my main machine with tls enabled? If there’s another way of doing things, or if I’ve missed something, I’d be grateful for any advice, but I’d rather not have to deal with self-signed certificates.

2 points

Everything in my LAN is TLS-protected. Primarily because of convenience (no ‘unsafe’ warnings), unification (all I do everywhere is TLS). Also for learning purposes (I like challenges). Security is on the last place here (but is still important to me).

Probably your main threat is not people, but malware. Especially since they are not tech-savy. Remember how $35M of crypto assets were recently stolen: in the beginning it was a LastPass engineer who did not update his Plex instance.

permalink
report
reply
1 point

It’s worth it. At some point you might enconter a service that requires SSL to work even on LAN. I treat them like pipes. The fewer pipes i need to pipe traffic through, the easier it is.

I use split DNS to access services locally, over the internet and via VPN. Everything is behind a Traefik proxy that uses wildcard certs. It enforces SSL for everything and I have just one pipe to think about.

permalink
report
reply
1 point

maybe this a dumb point, but you can hide it behind reverse proxy all you want but you will also need to FW off the actual service from the rest of the network, as otherwise it’s still accessible via 192.168.x.x

permalink
report
reply
1 point

I do something similar:

Incoming traffic -–[https traffic]—> reverse proxy -–[https traffic]—> real services (emby, etc).

The traffic from my browser to the reverse proxy is encrypted with TLS certs from letsencrypt. Whenever possible (it usually is), I configure the real services to expose HTTPS endpoints even if they are just with self-signed certs. That way the proxy-to-service traffic is also encrypted.

permalink
report
reply
1 point

You’ve got tech illiterate family and for some reason you’re concerned that they’re going to snoop packets on your LAN and find passwords…?

permalink
report
reply
2 points

But uncle joe might have some spyware on his laptop which does it…

permalink
report
parent
reply
1 point

No lmfao, my concern that they’d be using a compromised device on the LAN, not snooping packets themselves.

permalink
report
parent
reply
1 point

That’s a fair call. VLANs would help if you have the option to create a guest network within your environment. If you did want to set up encrypted traffic within the network, you’re starting to bridge into zero trust. Which is a great technology to get to know in today’s cyber security landscape.

permalink
report
parent
reply
1 point

There are nicer ways to say that…

permalink
report
parent
reply
1 point

The phone call is from the inside!

permalink
report
parent
reply

Self-Hosted Main

!main@selfhosted.forum

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

For Example

  • Service: Dropbox - Alternative: Nextcloud
  • Service: Google Reader - Alternative: Tiny Tiny RSS
  • Service: Blogger - Alternative: WordPress

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

Community stats

  • 1

    Monthly active users

  • 1.8K

    Posts

  • 11K

    Comments

Community moderators