view the rest of the comments
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
It's possible to host a dns server for your domain inside your tailnet, and offer dns responses like: yourwebserver.yourdomain.com = tailnetIP
Then using certbot let's encrypt with DNS challenge and api for your public dns provider, you can get a trusted certificate and automatically bind it.
Your tailnet users if they use your internal dns server will resolve your hosted service on your private tailnet ip and the bound certificate name will match the host name and everyone is happy.
There's more than one way though, but that's how I'd do it. If you don't own a domain then you'll need to host your own private certificate authority and install the root authority certificate on each machine if you want them to trust the certificate chain.
If your family can click the "advanced >continue anyway" button then you don't need to do anything but use a locally generated cert.
Note my bias as I work for Big VPN (Tailscale), but I don't think that teaching people to ignore security warnings is a good thing to do. The CA system is kind of a scam in general, but I think that at least in its current implementation it's better for us to encourage people are aware of those errors and what they mean.
As the sacred texts say: self-signed certificates beget the use of
curl -k
beget the use of self-signed certificates.Yeah I also don’t want my folks to have to “ignore” the warnings either. So will defo have the https set up before giving them access.
Not possible without a domain, even just "something.xyz".
The way it works is this:
Now, to get that experience you need to meet those conditions. The machine trying to browse to your website needs to trust the certificate that's presented. So you have a few ways as I previously described.
Note there's no reverse proxy here. But it's also not a toggle on a Web server.
So you don't need a reverse proxy. Reverse proxies allow some cool things but here's two things they solve that you may need solving:
But in this case you don't really need to if you have lots of ips since you're not offering publicly you're offering over tailscale and both Web servers can be accessed directly.
Thanks for the detailed answer, I was able to solve my problem just with what /u/mara said suggested above :)