this post was submitted on 18 Aug 2023
22 points (95.8% liked)

Selfhosted

40442 readers
867 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hi. I have been into self-hosting for about 2 years, now. My current setup is that I have a home server and a VPS. My ISP does not let me forward any ports (I am behind CGNAT, I think), so, I have connected my home server to a VPS via a WireGuard tunnel and am using Nginx Proxy Manager (NPM) to proxy the services hosted on my homeserver to the public.

Now, the traffic that goes from my home server to the VPS and from VPS to the public are encrypted, but theoretically, the VPS provider can look at the data passing through, since this is technically TLS termination. Although, I trust my VPS provider more than I trust my ISP, I am thinking about setting up TLS passthrough, for additional privacy. But I have a few questions and I would be greatful if anyone can help me.

  1. Do I need to put the SSL certificates on my homeserver, or can they remain on the VPS if I have to set up TLS Passthrough?
  2. Is port forwarding required to set up TLS passthough?
  3. Does NPM support TLS passthrough, or should I shift to HAProxy?

If there are any issues with my current setup, or the assumptions I am making, please guide me.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 1 year ago

If you’re using Lets Encrypt, look at doing DNS validation instead of HTTP. Bit easier and you don’t need to worry about that side.

Either way, if you’re passing through all of ports 80 and 443 to your home server thru the WireGuard tunnel to the proxy, HTTP validation should still work fine.