I know for many of us every day is selfhosting day, but I liked the alliteration. Or do you have fixed dates for maintenance and tinkering?

Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.

This post is proudly sent from my very own Lemmy instance, which has been running on my home server for about ten days. So far, it’s been a very nice endeavor.

  • bananoidandroid@feddit.nu · 18 hours ago

    I’ve set up a reverse proxy to try out hosting a few APIs, but I’m curious about best practice and haven’t found any good way to do it. Anyway, I have them running on dotnet 9 on Debian, hosting them on HTTP ports and then reverse proxying to Apache, which serves them externally with certbot on 443 under some real hostnames. I would really want to host them on HTTPS internally as well, but is there a neat way to “cert” them without an internal CA service? My experience with self-signed certs is mostly that they always force me to trust the server cert in my connection strings, which is also unsafe, so I just don’t bother. Is it worth working on, and which is the best approach here?

    • rumba@lemmy.zip · 17 hours ago

      Non-SSL behind your ingress proxy is acceptable professionally in most circumstances; assuming your network is properly segmented, it’s not really a big deal.

      Self-signing and adding the CA is a bit of a pain in the ass and adds another unnecessary layer for failure in a home network.

      If it really grinds your gears, you could issue yourself a real wildcard cert from Let’s Encrypt, then add DNS names with that wildcard on your local DNS server with internal IPs, but to auto-renew it you’re going to have to do some pretty decent DNS work.

      To be honest, I’ve scrapped most of my reverse proxies for a nice Tailscale network. Fewer moving parts, encrypted end-to-end.

      • bananoidandroid@feddit.nu · 17 hours ago

        Thanks! I initially considered going the wildcard route until I saw the workload involved for my host! There do seem to exist auto-renewal programs for the largest hosts out there, but I’m trying to support my local businesses, so it’s unfortunately out of my scope at the moment, but I’ll check out your suggestion and see what Tailscale has to offer!
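An added example, not code from anyone in the thread: the setup discussed above (dotnet 9 APIs on plain HTTP behind an Apache reverse proxy that terminates TLS with a certbot certificate) has two details that are easy to get wrong when the backend stays unencrypted. The API should only listen on loopback so the plain-HTTP port is not reachable from the rest of the LAN, and it should only honour `X-Forwarded-*` headers that actually come from the proxy, otherwise any client can spoof its source address or claim the request was HTTPS. The port (5000) and the `/api/whoami` route are assumptions for illustration.

```csharp
// Added example: minimal ASP.NET Core (dotnet 9) Program.cs for an API that sits
// behind a TLS-terminating reverse proxy on the same host.
// Assumptions: the proxy runs on the same machine and forwards to 127.0.0.1:5000.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Bind to loopback only: the plain-HTTP listener is reachable by the proxy on this
// host, not by other machines on the LAN. (Port 5000 is an assumed value.)
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.Listen(IPAddress.Loopback, 5000);
});

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Take the original client IP and scheme from the proxy's headers.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // Only trust those headers when the TCP peer is the proxy itself. Without this,
    // a client that can reach the port could send its own X-Forwarded-For /
    // X-Forwarded-Proto and impersonate an address or pretend it used HTTPS.
    options.KnownProxies.Clear();
    options.KnownNetworks.Clear();
    options.KnownProxies.Add(IPAddress.Loopback);
});

var app = builder.Build();

// Must run before anything that looks at Request.Scheme or Connection.RemoteIpAddress
// (HTTPS redirection, auth cookies with Secure flag, rate limiting by IP, logging).
app.UseForwardedHeaders();

// Assumed demo route: shows what the app believes about the request after the
// forwarded headers have been applied. Scheme should read "https" when the proxy
// sets X-Forwarded-Proto, even though Kestrel itself only speaks HTTP here.
app.MapGet("/api/whoami", (HttpContext ctx) => Results.Ok(new
{
    scheme = ctx.Request.Scheme,
    client = ctx.Connection.RemoteIpAddress?.ToString(),
    host = ctx.Request.Host.Value
}));

app.Run();
```

On the Apache side, `mod_proxy` adds `X-Forwarded-For`, `X-Forwarded-Host` and `X-Forwarded-Server` on its own but does not add `X-Forwarded-Proto`, so the 443 vhost needs something like `RequestHeader set X-Forwarded-Proto "https"` next to its `ProxyPass` line for the scheme above to come out as `https`. With the listener on loopback and the known-proxy list restricted, the unencrypted hop never leaves the host, which is the situation the reply above describes as acceptable.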