Hi. I have been into self-hosting for about 2 years, now. My current setup is that I have a home server and a VPS. My ISP does not let me forward any ports (I am behind CGNAT, I think), so, I have connected my home server to a VPS via a WireGuard tunnel and am using Nginx Proxy Manager (NPM) to proxy the services hosted on my...
The certificate and private key need to be on your home server since that’s where the TLS is decrypted.
You should be able to tunnel TLS traffic through WireGuard, so no port forwarding is needed.
You’d probably want to move Nginx Proxy Manager to your home server as an ingress gateway (and you can keep all the config + TLS certificates). Then on your VPS, you would no longer need the complexity and something like HAProxy, vanilla Nginx, or Traefik would suffice. Seems like NPM has an open issue to add support for TLS passthrough, but in my opinion it’s simpler to just have your VPS forward all traffic to one port on your home server.
For added security, you can make sure the proxy on the VPS only routes traffic for the correct domain using SNI. That way if someone hits your IP randomly, it only goes to your home server if the correct domain name was requested as well.
Adding onto what TheMrDrProf said: basically LetsEncrypt just wants to know you actually control the domain you’re using to get the certificate. With HTTP challenges, your domain has to resolve to a working HTTP server. With DNS challenges, you need API access to your DNS provider so that Certbot can set a temporary record that proves ownership.
If you’re using NPM to manage your certs, then as TheMrDrProf said as long as the HTTP request from LetsEncrypt can make it to your NPM through the VPS proxy, you should be able to pass the challenge and get a certificate. The IP address of the domain doesn’t really matter as long as the request makes it all the way to the challenge HTTP server, which in this case is NPM.
In NPM, you should see “Use a DNS challenge” option. If you use that and your DNS Provider is supported (if not, I recommend Cloudflare), then your VPS proxy does not even need to be working in order to renew certificates. This has a few advantages such as being able to shut off unencrypted traffic on port 80 completely.
Rename “blacklist” to “blocklist” in the spirit of inclusivity
Focus on reliability and accuracy rather than political bias
My guess is the purpose of rule #2 is to prevent opinion pieces and misinformation from being published as “news”. If the goal is to limit opinion articles presented as “news”, then perhaps the rule should instead clarify A) whether opinion pieces are allowed (and how that is defined) and B) if they are allowed whether they should be marked as such.
If the goal of rule #2 is to achieve some sort of “political neutrality”, I would challenge whether that should be a goal. This community has an inherent political bias that manifests in which articles people share and how they upvote or downvote. I don’t think that removing sources on the basis of political affiliation per se minimizes harm, and I strongly prefer a focus on removing posts that contain verifiable inaccuracies. Of course, it will ultimately be up to the moderation team to decide what actually constitutes misinformation (and there is bias there too), but I hope that shifting the focus toward that goal explicitly will mean that they will more carefully consider their own biases when exercising the moderation power.
I think it would be nice to have a rule that reminds people to post for a global audience. This community tends toward news that is only relevant to people in the United States. I believe that having active moderation effort to encourage more non-US-centric content would be good for the community.
I’ve ended up with a number of machines on my network, and a need to name them all in a somewhat logical way. For several years I had them named after the planets, which worked well until the PCs for myself, my girlfriend, servers and Raspberry Pi’s quickly summed up to more than the eight planets. I’ve broadened it...
I use different types, cultivars, or alternative names for potatoes. Device names over the years have included: russet, yukon gold, ranger, marispiper, vivaldi, ratte, snowden, spud, and tater.
An app that’s like Uber or Lyft, but it only calls your friends who have cars and would be willing/able to give you a ride. It shows you how far they are (if they share location with the app) and how long it would take to get you to your destination. Based on the trip distance and current prices, it could also suggest how much you would owe if you wanted to cover their gas.
I have an inside joke with a friend who lives nearby that if she ever needs a ride she should download an app that’s like Uber but it only calls me. I think if I actually made it, she would actually put it in her rideshare folder and use it instead of forgetting to message me! So yeah if you made it and it was open source I might actually use it haha
Questions about TLS Passthrough.
Hi. I have been into self-hosting for about 2 years, now. My current setup is that I have a home server and a VPS. My ISP does not let me forward any ports (I am behind CGNAT, I think), so, I have connected my home server to a VPS via a WireGuard tunnel and am using Nginx Proxy Manager (NPM) to proxy the services hosted on my...
Feedback needed for new rules V2!
Thank you for all the feedback you provided, using your feedback, we’ve come to these new rules:...
Welp that answers a lot of why all .ml are down (i.imgur.com)
very.bignutty.xyz/notes/9hf13it1ced3b2za
What is your machine naming scheme?
I’ve ended up with a number of machines on my network, and a need to name them all in a somewhat logical way. For several years I had them named after the planets, which worked well until the PCs for myself, my girlfriend, servers and Raspberry Pi’s quickly summed up to more than the eight planets. I’ve broadened it...
What’s your dumbest app idea
I need too build one for school, I figure this would be a way to brainstorm