There’s no certificate at the VPS level. It forwards everything to and from the self hosted reverse proxy.
Now that you mention it though, there may be a slight complication with pinning the reverse proxy to the domain API for cert renewals. I’ll have to check how I have mine configured but I may have given my reverse proxy a IPv6 and configured that for cert renewals.
That would mean some down time as you update the IP if your ISP rotates it.
This is fine unless you have a slightly higher threat model.
Me personally, I dislike the idea that if someone (VPS provider or LE) were to snoop inside my VPS, they would have all of my unencrypted data where TLS ends and wireguard picks it up.
I don’t do anything illegal, but I do have photos, personal files, and deeply personal journals/notes for which I enjoy the comfort of mind when kept private and secure.
My recommendation is always to have your TLS equipped reverse proxy on your own hardware. Then use a VPS as a SSL passthrough proxy that forwards requests to the locally hosted reverse proxy. You can connect the two via wireguard.
This has a few benefits. It keeps encryption end to end. It also allows you to connect to your server via your domain name even in you LAN. You can hijack your domain at the router level DNS menu to reroute to your local reverse proxy. And it keeps the TLS connection.
This is fine if the post is something insanely low effort.
But I do worry if this ends up being too aggressive.
One of the things that made reddit so awful is how over moderated it was.
I don’t really take issue with dozens of posts by newbies asking the same basic question over and over. I used to be one and am occasionally back there again if I start a new hobby. Hopefully newcomers don’t get pushed off by overly sensitive moderation.
It would be helpful if you could provide a hypothetical example of what is considered a “low effort” post.
Your first suggestion is a clever one.
I can imagine writing a small script on the host machine to listen for subdomains, forward them to pfsense to update the aliases, and possibly set them to expire after a few days for security reasons.
Surely something like this exists. How to find it…?
There’s a few apps I need to split out. Top priority is the signiant app which according to their documentation requires various AWS subdomains as well as their own. Specific subdomains are not specified and are implied to change regularly/on demand.
In an ideal world I would do my split tunneling on the device itself, but I don’t trust Windows and thus I run my VPN at the router level.
This isn’t a problem for most things, but I need to utilize my full bandwidth to transfer large files to clients in a timely manner, and a VPN becomes a massive bottleneck.
Pfsense lets you alias by domain name (I believe it regularly resolves down to an IP and uses that for filtering), but again, you need to supply the exact subdomain.
Just wondering if there’s an alternative solution to this issue. If it’s external to pfsense that’s not the end of the world.
Worst case scenario, I would set up a dedicated Linux box or maybe even a VM which could share access to the file transfer NAS and split tunnel the entire box around the VPN. Definitely less convenient.
This looks promising. I’m going to investigate further. Thanks!
Yeah the power usage is fairly high. But if you have solar it’s not a huge deal.
I like it for it’s various redundancies and the built-in RAID rebuild system has really saved my ass on multiple occasions.
If you do get a poweredge, don’t buy used HDDs. 75% of the used drives I bought failed within a year.
Yes, it will count towards your bandwidth.
I typically don’t get anywhere close to this though.
The few times I did were due to initiating large backups between devices, upwards of 2TB. But I’ve since moved my backup system to a mesh network and haven’t hit bandwidth overages since.
I recommend it every time this question pops up and I’m surprised more people aren’t privy to it:
Rent a VPS as your public gateway. Connect the VPS to your server with a simple wireguard tunnel.
The only thing on the VPS should be a reverse proxy with SSL/TLS pass through.
Send the traffic at the VPS reverse proxy to a reverse proxy on the main server. Configure this proxy to use letsencrypt certs.
The benefit and importance of the SSL pass through reverse proxy, is that it allows all data in transit to remain encrypted until it reaches your physical server. Traditionally, most would suggest the one and only reverse proxy exist on the VPS but all traffic would then be decrypted on the VPS. This could obviously compromise your traffic if the VPS provider snoops or your VPS is compromised.
Cloudflare tunnels decrypt on their hardware as well, which is why I always recommend avoiding their services.
Backblaze deleted my project drive for a multimillion dollar project I was archiving through their desktop sync. It’s largely my fault for not noticing the drive had failed when considering their upfront policy about them deleting your backups after a month of inactivity. Luckily it didn’t have too big of an impact because the most important files were backed up elsewhere. I do wish their desktop app had better warnings about imminent deletions though.
This is encouraging. Thank you.
I use nginx for static websites and TLS passthrough servers.
I use traefik as a reverse proxy for sites with many services and SSO.
Nginx is definitely easier to configure for simple things. But I prefer traefik for more complex setups.
I had similar concerns in the past. I decided to move all of my VPS hosted services to a physical server that I control. I then use a VPS as a portal, set to simply forward traffic without unencrypting the HTTPS. Look up SSL pass through.
Compressed air can spin the fans fast enough to cause damage unfortunately.
Did you use compressed air to clean out the fans?
It’s possible to fry circuitry if you artificially rotate the fans too fast, as this generates an electric field more powerful than the fans and their attached components are rated for.
Probably rare to cause damage with modern computers but an old PC might be more susceptible to this type of damage.
Am I understanding correctly that if users had 2FA, the vulnerability would be prevented from gaining access?
picard_facepalm.png. can you tell I just Tab through terminal?
Fixed it. Thanks
I was in your position recently and decided to install PVE from scratch and restore VMs from backup.
I had a fairly complex PVE config so it took some additional work to get everything up and running. But it was absolutely worth it.
I use Minica and it’s insanely simple to use. Terminal based though.
https://github.com/jsha/minica