On 08.10.2023 03:00, Courtney wrote:
Hello everyone,

I'm seeking an ideal way to make secure https connections to a handful of
web servers in my house. Currently I have a Nextcloud server and a gitea
server, but only the Nextcloud server is being port forwarded on 80/443. I
want to make my gitea server publicly visible as well as a couple of other
projects. My thought is to have relayd running on my router and match
Host headers and forward it to my servers based on the Host. This will also
conveniently let me handle renewing Let's Encrypt certs in one place.
I already do this right now with a VPS, but I have a WireGuard tunnel to my
house in this case to access the backend, which is encrypting the traffic
from my relayd server to my backend web server.

With my Nextcloud and gitea server, if I terminate SSL at my router, the
connection between my router and Nextcloud/gitea web servers would be
unencrypted. Even though it is in my own house, I don't really like that
idea. It seems to be overkill too to do peer-to-peer WireGuard between
my Nextcloud/gitea servers in my house. I was wondering if this would
actually be proper or if there are any other ideas you all might have.
Ultimately, I want to serve a handful of services on 80/443 that are
easily accessible internally and externally, and I don't want to have
unencrypted traffic between relayd and my server for the services that
are passing sessions and such.

Thank you,

Courtney

I have a similar situation at home. I use TLS to encrypt the traffic
between relayd(8) and the actual web servers. On the web servers I use
self-signed certificates which are valid for several decades. When it
comes to administrative access on the web servers I use my router as
ProxyJump and/or configure local tunnel(s) in ssh(1).

Cheers,
Bruno
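A concrete version of the layout Bruno describes, as an added example that is not part of either message: relayd(8) on the router terminates the public (Let's Encrypt) certificates, picks the backend by Host header, and re-encrypts to backends that present long-lived self-signed certificates, with relayd told to trust exactly those certificates and nothing else. The host names nextcloud.example.org and git.example.org, the addresses 192.168.1.10/.11 and the bundle path /etc/ssl/backends.pem are assumptions, and the relayd option spellings are written from memory of relayd.conf(5), so check them against the man page of your release with `relayd -n -f` before loading the file.

```shell
#!/bin/sh
# Added example, not from the thread: TLS on both legs of a relayd(8) reverse
# proxy. Assumed (not from the thread): host names nextcloud.example.org and
# git.example.org, backend addresses 192.168.1.10/.11, trust bundle at
# /etc/ssl/backends.pem. Option spellings follow relayd.conf(5) as I recall
# them; verify them against your release with: relayd -n -f relayd.conf
set -eu

# mkcert DIR NAME: self-signed certificate and key for one backend, valid
# 20 years (7300 days), with NAME as a DNS subjectAltName as well as the CN.
# Run on each backend (or on the router and copy the pair over). Prints the
# certificate path.
mkcert() {
    dir=$1; name=$2
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -sha256 -days 7300 \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
    chmod 600 "$dir/$name.key"
    echo "$dir/$name.crt"
}

# cert_outlives CRT SECONDS: succeeds if CRT is still valid SECONDS from now.
cert_outlives() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# cert_has_san CRT NAME: succeeds if NAME appears as a DNS SAN in CRT.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# bundle OUT CRT...: concatenate the backend certificates into the file relayd
# uses as its trust anchor for the backend leg. A self-signed certificate is
# its own CA, so the public CA store plays no part on that leg.
bundle() {
    out=$1; shift
    cat "$@" > "$out"
}

# relayd_conf: print the router-side configuration. Public TLS is terminated
# with one keypair per name (SNI selects it), the Host header selects the
# backend table, and each forward re-encrypts with TLS and is verified against
# the bundle above instead of /etc/ssl/cert.pem.
relayd_conf() {
cat <<'EOF'
table <nextcloud> { 192.168.1.10 }
table <gitea>     { 192.168.1.11 }

http protocol "https" {
    # public side: /etc/ssl/<name>.crt + /etc/ssl/private/<name>.key per name
    tls keypair "nextcloud.example.org"
    tls keypair "git.example.org"

    # backend side: trust only the self-signed backend certs in this bundle
    tls ca file "/etc/ssl/backends.pem"

    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header "Host" value "nextcloud.example.org" forward to <nextcloud>
    match request header "Host" value "git.example.org" forward to <gitea>
}

relay "https" {
    listen on egress port 443 tls
    protocol "https"
    forward with tls to <nextcloud> port 443 check tcp
    forward with tls to <gitea> port 443 check tcp
}
EOF
}

# Demo: sh this-script demo /tmp/out -> two backend certs, a bundle, the config.
if [ "${1-}" = demo ]; then
    out=${2:-/tmp/relayd-demo}; mkdir -p "$out"
    nc=$(mkcert "$out" nextcloud.example.org)
    gt=$(mkcert "$out" git.example.org)
    bundle "$out/backends.pem" "$nc" "$gt"
    cert_outlives "$nc" 315360000 && echo "$nc still valid in 10 years"
    relayd_conf > "$out/relayd.conf"
    echo "wrote $out/backends.pem and $out/relayd.conf"
fi
```

Each backend's httpd/nginx serves its own `<name>.crt`/`<name>.key` on 443; only the certificates, never the keys, go into the bundle on the router. Whether relayd also checks the name in the backend certificate or only that it chains to the bundle is something to confirm in relayd.conf(5) for your release; putting the name in a SAN costs nothing and keeps the certificate usable when you browse to the backend directly on the LAN. A twenty-year validity removes the renewal chore Bruno alludes to, at the price that a leaked backend key stays trusted until you replace the entry in the bundle, so treat rebuilding the bundle as the revocation step.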
