chow Posted November 5, 2023

Hi all -- new to Unraid, but coming from Ubuntu. I'd like to be able to resolve https requests from anywhere on my local LAN. I do not mind if it requires that I edit HOSTS files on the relevant PCs.

I am currently self-hosting: Vaultwarden, Audio Book Shelf, Paperless-NGX, Photo Prism, Syncthing and Portainer. On the current hosting solution (Ubuntu 20.04, local CA and certs for each subdomain: vaultwarden.home-pc (no TLD, etc.)). Right now it all works, albeit it is a bit fragile, but it works. It's running on Nginx, fwiw. And I am not sure how to remake the .crt file I am currently using as part of that local CA. So I figure, start over if I can, do it right and hope there are folks out there that have done this.

I was hoping to self-host on the UNRAID box at this point and they do have all the docker images I'd require. I am curious though, is there a how-to on getting to the same result as I currently have? I.e. I enter https://vaultwarden.home-pc and get a valid SSL check against installed certs?

I've been reading up on DNS challenges and was hoping someone here has solved this to give me a bit of a head start. I have NO INTENTION of ever exposing the Unraid server to the outside world but would like, when on LAN, to resolve to: <subdomain>.home-pc (or some equivalent). I am happy to buy a domain if it will make this easier, but again, want 0 traffic from the outside world knowing about my UNRAID install (if I can).
MAM59 Posted November 6, 2023

This will be hard to do. Not because it cannot be done, but it is quite useless.

The problem is that for a "valid certificate" you need an authority to sign it that is trusted by every machine in the LAN. As I said, you CAN do it, but you need to set up this CA (certification authority) and have to manually copy its certificate to every single device (which may be hard on some "closed" boxes like routers or so). Also, you will have to live with a bunch of permanent warnings (for instance from Android phones that hate "foreign" certificates). And also, some devices may refuse to work completely. So, it will be a long and hard fight.

Even with a legal domain it won't work without external traffic. The CA for the domain is "outside" and every box needs to check for validity.

The main question is: WHY DO YOU WANT THIS? If you only have internal connections, there is no need to encrypt the traffic unless you have to hide something from your wife or so :-)))
chow Posted November 7, 2023 (Author)

Quote: "The main question is: WHY DO YOU WANT THIS? If you only have internal connections, there is no need to encrypt the traffic unless you have to hide something from your wife or so :-)))"

My life is not nearly that exciting. Mostly that it is habit to go to <service>.<domain> and if I can maintain that, I will. My other option, I suppose, is to keep it all hosted on the smaller Linux box now that it is not pulling double duty as a quasi-NAS. Bitwarden, for instance, doesn't work on http:// (although it is likely a setting I can toggle somewhere in the docker-setting/config).

Quote: "The problem is that for a "valid certificate" you need an authority to sign it that is trusted by every machine in the LAN. As I said, you CAN do it, but you need to set up this CA (certification authority) and have to manually copy its certificate to every single device (which may be hard on some "closed" boxes like routers or so)."

Yeah -- this is how it works now. I installed a cert on the 3-4 boxes in the house that navigate there. To your point, it doesn't work on my Android phones and, for the love of all things that I cannot possibly understand, my Ubiquiti Dream Machine Pro lacks the ability to let me manage host redirects on the router.
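
The private-CA setup discussed in this thread, as an added example that is not part of any post above: it creates a root CA, signs a server certificate for one LAN-only name, and checks both the chain and the hostname. The name vaultwarden.home-pc comes from the first post; the CA subject, file names and key sizes are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Subject names, file names and lifetimes are assumptions.

make_ca() {      # $1 = directory that will hold ca.key / ca.crt
  local dir="$1"
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home LAN Root CA (example)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # -nodes leaves the CA key unencrypted: acceptable for a demo only.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/openssl.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

issue_leaf() {   # $1 = CA directory, $2 = hostname the browser will request
  local dir="$1" host="$2"
  # Modern browsers match the hostname against subjectAltName, not the CN.
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

check_leaf() {   # $1 = trusted CA cert, $2 = leaf cert, $3 = hostname
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d)   # scratch directory; nothing is installed system-wide
make_ca "$demo" && issue_leaf "$demo" vaultwarden.home-pc &&
  check_leaf "$demo/ca.crt" "$demo/vaultwarden.home-pc.crt" vaultwarden.home-pc &&
  echo "vaultwarden.home-pc: chain and hostname verify against the private CA"
```

Only ca.crt is copied to client trust stores; the reverse proxy gets the per-host .crt and .key, and ca.key stays off the servers.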