Selfhosted

40042 readers

920 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

[email protected]

Questions about TLS Passthrough. (discuss.tchncs.de)

submitted 1 year ago by [email protected] to c/[email protected]

4 comments fedilink hide all child comments

Hi. I have been into self-hosting for about 2 years, now. My current setup is that I have a home server and a VPS. My ISP does not let me forward any ports (I am behind CGNAT, I think), so, I have connected my home server to a VPS via a WireGuard tunnel and am using Nginx Proxy Manager (NPM) to proxy the services hosted on my homeserver to the public.

Now, the traffic that goes from my home server to the VPS and from VPS to the public are encrypted, but theoretically, the VPS provider can look at the data passing through, since this is technically TLS termination. Although, I trust my VPS provider more than I trust my ISP, I am thinking about setting up TLS passthrough, for additional privacy. But I have a few questions and I would be greatful if anyone can help me.

Do I need to put the SSL certificates on my homeserver, or can they remain on the VPS if I have to set up TLS Passthrough?
Is port forwarding required to set up TLS passthough?
Does NPM support TLS passthrough, or should I shift to HAProxy?

If there are any issues with my current setup, or the assumptions I am making, please guide me.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 9 points 1 year ago (3 children)

The certificate and private key need to be on your home server since that’s where the TLS is decrypted.
You should be able to tunnel TLS traffic through WireGuard, so no port forwarding is needed.
You’d probably want to move Nginx Proxy Manager to your home server as an ingress gateway (and you can keep all the config + TLS certificates). Then on your VPS, you would no longer need the complexity and something like HAProxy, vanilla Nginx, or Traefik would suffice. Seems like NPM has an open issue to add support for TLS passthrough, but in my opinion it’s simpler to just have your VPS forward all traffic to one port on your home server.

For added security, you can make sure the proxy on the VPS only routes traffic for the correct domain using SNI. That way if someone hits your IP randomly, it only goes to your home server if the correct domain name was requested as well.

What you’re doing makes sense to me. Good luck!

[–] [email protected] 3 points 1 year ago (2 children)

Thank you for your response. Just one more question... If I am not forwarding any ports, will I be able to generate and renew certificates on my home server? As far as I know, the domain needs to point to the IP which is generating the certificates, right?

[–] [email protected] 7 points 1 year ago

If you’re using Lets Encrypt, look at doing DNS validation instead of HTTP. Bit easier and you don’t need to worry about that side.

Either way, if you’re passing through all of ports 80 and 443 to your home server thru the WireGuard tunnel to the proxy, HTTP validation should still work fine.

load more comments (1 replies)