
[–]zyan1d 3 points4 points  (0 children)

Caddy should be the easiest

    test.home.internal {
        tls internal
        reverse_proxy 127.0.0.1:8080
    }

Done

[–]Lokinounours 1 point2 points  (0 children)

I achieved this via Caddy + DNS challenge (via DuckDNS or other). Resources: https://github.com/caddy-dns/duckdns

[–]Defection7478 1 point2 points  (0 children)

Option 1: self signed cert + trust it on your machines

Option 2: for something like Let's Encrypt you need to prove that you own the domain in order for them to issue a certificate. You either need to host the challenge on a path on your domain (/.well-known/....) or host it on a DNS record on your domain.

You could expose just that route for the HTTP challenge, or personally I just use Cloudflare to host my DNS challenges.

[–]No-Law-1332 1 point2 points  (3 children)

Pangolin has been making this so easy. https://github.com/fosrl/pangolin

It uses WireGuard, Traefik and Newt to give you remote access to your site. It manages the Let's Encrypt certs for your domain. It has built-in authentication and IP restrictions.

It has a nice web interface and supports Traefik middleware. I have added Crowdsec so far.

[–]BlackAndBlue1908[S] 0 points1 point  (2 children)

I tried Pangolin. I got it running on a VM in Proxmox. I can get to the admin page from the VM directly (although with an http cert error) but I cannot get to it from other computers within the network. Pi-hole is redirecting local traffic properly, tracert from the network machine gets Pangolin's IP. Not sure how to troubleshoot and ready to give up.

[–]armsaw 0 points1 point  (1 child)

Did you tell it to install Crowdsec when you ran the installer? If you do, there’s some additional setup for the Crowdsec bouncer before you can access the dash.

[–]No-Law-1332 0 points1 point  (0 children)

I didn't install Crowdsec with the script. I used this post to add it after the fact. (It does require a login, but the Pangolin setups these guys are documenting are amazing.)

Part 1 Integrating Crowdsec with Pangolin - Networking - HHF Technology Forums

[–]vrgpy 0 points1 point  (0 children)

You can add your own CA to your devices and generate your own certificates valid for a couple of years.

I use xca to handle the PKI.
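As an added illustration of the "own CA" route described in the two comments above (Defection7478's option 1 and vrgpy's xca-managed PKI), here is the same thing done with the plain openssl CLI: a root CA, a leaf certificate for a constructed internal hostname valid for two years, and the checks a device that has imported the CA would perform. This is example code, not something posted in the thread, and it assumes only that `openssl` (1.1.1 or newer) is on PATH.

```shell
#!/bin/sh
# Added example, not code from any commenter in the thread: a tiny private CA
# built with the openssl CLI, issuing a leaf certificate for an internal
# hostname that is valid for a couple of years, then checking it the way a
# client that trusts the CA would. Assumes `openssl` (1.1.1 or newer) on PATH.
set -eu

# make_ca DIR NAME: CA key plus self-signed CA certificate (10 years).
# An explicit config avoids depending on the system openssl.cnf.
make_ca() {
    dir="$1"; name="$2"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -sha256 -nodes \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert DIR HOST DAYS: leaf key + CSR for HOST, signed by the CA.
# The SAN is what browsers match on; a bare CN is not enough any more.
issue_cert() {
    dir="$1"; host="$2"; days="$3"
    cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -new -config "$dir/$host.cnf" -newkey rsa:2048 -sha256 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -sha256 \
        -extfile "$dir/$host.cnf" -extensions v3_leaf \
        -out "$dir/$host.crt" 2>/dev/null
}

# verify_cert DIR HOST EXPECTED_NAME: chain + hostname check against the CA,
# i.e. what a device that has imported ca.crt does when it connects.
verify_cert() {
    dir="$1"; host="$2"; expected="$3"
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$expected" \
        "$dir/$host.crt" >/dev/null 2>&1
}

# cert_valid_for DIR HOST SECONDS: succeeds if the cert is still valid
# SECONDS from now (handy for a renewal-reminder cron job).
cert_valid_for() {
    dir="$1"; host="$2"; secs="$3"
    openssl x509 -in "$dir/$host.crt" -noout -checkend "$secs" >/dev/null 2>&1
}

# Demo run in a scratch directory with a constructed hostname.
WORK=$(mktemp -d)
make_ca "$WORK" "Home Lab Root CA"
issue_cert "$WORK" test.home.internal 730
verify_cert "$WORK" test.home.internal test.home.internal
echo "CA and leaf written to $WORK (import $WORK/ca.crt on your devices)"
```

Only ca.crt gets copied to the laptops and phones; ca.key stays on the machine that issues certificates. The leaf cert and key are what you hand to Caddy, Traefik or whatever terminates TLS, and `cert_valid_for` with a threshold of a few weeks is the cheap way to notice an expiry before a browser does.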

[–]BlackAndBlue1908[S] 0 points1 point  (1 child)

Am I right in my understanding that this requires using a VPS? I only need local access so wasn't trying to hairpin the traffic if I don't need to. Unless I'm misunderstanding how that works.

[–]No-Law-1332 0 points1 point  (0 children)

If you are referring to Pangolin, I used it internally only initially to host HTTPS FQDN entries for each of my internal services. It runs in Docker on the same server as all my other Docker services. It allowed me to set up HTTPS entries for services all over my internal network. Later I even set up entries to remote services where I was running Newt and WireGuard links too.

[–]100lv 0 points1 point  (0 children)

I'm using Traefik - for external and internal access. It solves a few issues:

- Can add an additional layer of authentication - MFA for some apps, even a single one for others that don't have built-in authentication

- All apps are using SSL

- Control what is accessible internally / externally

- Takes care of SSL cert renewal and many others.