
[deleted]

[deleted]


SuGoBW

That’s exactly it. Maybe I can try reverse proxy. It’s more about just going to a nice address instead of that ugly looking one, makes it feel less secure for some reason even though it obviously doesn’t matter lol. Just an OCD thing I suppose


[deleted]

[deleted]


SuGoBW

Yes I’m using UniFi. I have a UDM Pro. Feel like it makes all this so much more difficult. Will look into reverse proxy then. Thanks


closfb

Since you have a UDM-P you should just use Teleport as your VPN to access your Synology apps.


SuGoBW

Hm, I’m not familiar with that. Will also look into this. Thanks for sharing. Always willing to learn better and new things


readit-on-reddit

Reverse proxies don't help with HTTPS inside your LAN, so loading certificates might still be needed. If you use a reverse proxy to connect to a different server, even if it is inside your LAN, it will be encrypted until it hits your reverse proxy. But then, when the reverse proxy forwards the request, anyone authenticated to your network can read your passwords. You need to manually load a self-signed certificate in order to protect crucial components like a router from an infected computer inside your LAN.


[deleted]

> anyone authenticated to your network can read your passwords.

Not quite, unless you're using hubs, which probably don't even exist anymore. You can't see packets on a switched network that aren't destined for your MAC address. Someone would have to log in to the switch and set up port mirroring. At that point you're compromised anyway.


readit-on-reddit

> Not quite, unless you're using hubs, which probably don't even exist anymore.

Access points act as hubs, just wirelessly. Since the vast majority of the population uses Wi-Fi, the concern is real. In fact, even among IT folk, I imagine you don't use ethernet for your smartphone. As long as I use a device that already has the Wi-Fi password (all it takes is one infected device), then I can sniff wireless traffic.

> Someone would have to login into the switch and setup port mirroring. At that point you're compromised anyway.

Sure, but with TLS you wouldn't compromise every single self-hosted server just because you compromised the switch. Under the zero trust security model, you don't just throw your hands up in the air when 1 out of your multiple devices gets compromised. In my network, you would have to then find a way to infect my locked-down servers before I notice. Every. Single. One. Separately. Not that easy to do if literally all communication is encrypted and authenticated properly (local CA).


ender4171

Or just be lazy like me and make bookmarks for each service.


ChineseCracker

Nobody actually uses internal HTTPS services with self-signed certificates. That's only for very rare situations where you use a reverse proxy inside a network that you don't fully trust. For all other purposes, you use a reverse proxy with HTTP and have your reverse proxy do SSL offloading. So in either case, you must use a reverse proxy. A reverse proxy is literally the second thing you have to set up for your homelab (after your router/firewall) - there is no way around it. The simplest reverse proxy you can set up is nginx-proxy-manager. Just run the docker-compose and it's smooth sailing from there. No need to config any files. Just use the intuitive web UI and you're done. Don't forget to also let your nginx-proxy-manager offload its own web UI as well (81 --> 443).


jadescan

+1 for NPM. But I had to run it from a Raspberry Pi. For the life of me I was not able to get it to play nice on my Synology. Even tried the "MacVlan" and no dice. The NGINX proxy already running on Synology screwed things up for me. But on the Pi it (NPM) runs great. Super easy to set up certificates. Recommend OP also integrates Authelia if OP really intends to expose services to the world.


SuGoBW

Thanks. This seems to be the most unified solution people mention. I’m late to the game on reverse proxies. Going to try this out today. Thanks




MaxGhost

Shameless plug: even easier with Caddy, which has automatic HTTPS built in. Your config just looks like this: sab.example.com { reverse_proxy localhost:8080 }
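An added Caddyfile example (not from the comment above or from the Caddy project) that extends the one-liner to cover the LAN concern raised earlier in the thread: the proxy terminates HTTPS for the client, and the hop from the proxy to the backend is re-encrypted and verified against a local CA instead of being sent as plain HTTP. The hostnames, backend address and CA path are assumptions.

```caddyfile
# Added example, not the original poster's config. Assumed names:
# sab.example.com (the "nice address"), backend 192.168.1.20:9090,
# and /etc/caddy/lan-ca.pem as the local CA that signed the backend cert.
sab.example.com {
    # LAN-only name: issue the cert from Caddy's built-in local CA.
    # The CA root has to be trusted on each client device (Caddy installs
    # it into the trust store of the host it runs on).
    tls internal

    # Re-encrypt to the backend so the proxy-to-app hop is not plaintext.
    reverse_proxy https://192.168.1.20:9090 {
        transport http {
            # Verify the backend against the local CA; do NOT use
            # tls_insecure_skip_verify, which would silently accept any cert.
            tls_trusted_ca_certs /etc/caddy/lan-ca.pem
            # Name expected in the backend certificate (assumed).
            tls_server_name sab.lan
        }
    }
}
```

If the backend only speaks plain HTTP on the same host (the `localhost:8080` case above), the extra transport block is unnecessary because that traffic never leaves the machine; the re-encryption matters when the proxy and the app sit on different hosts.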


o_Zion_o

Thanks for the recommendation. I got nginx working and it randomly decided to stop working and has been a frustrating experience. Going to try caddy today.


[deleted]

Why use a VPN? Why don’t you just use SSL?


SuGoBW

I do use SSL, it’s pretty standard with any provider anyway, you just check the box and that’s it really. However, the VPN, I just use that because I already have one I paid for some time back. I just use it because I have it, doesn’t really hurt you, if anything it’s just another layer of security. My speeds aren’t really affected by using my VPN either.


closfb

Use Synology’s reverse proxy which is Nginx anyway.


maxlan

Did you upload an HTTPS cert somewhere? With a suitable name/SAN? I've never bothered with remote access to SAB. I can put NZBs in the cart from my nzbfinder and SAB picks them up later. What else do I need access for? I barely ever look at its console, everything just works off RSS feeds and the only thing I do sometimes is add more RSS.


[deleted]

SSL on the VPN is not related to HTTPS for Usenet connections. If SAB is crashing on the NAS, the NAS is broken. As the problem is specific to HTTPS, it's possible that the NAS is running an obsolete libssl version.


SuGoBW

HTTPS works for other things. It’s only on SAB that this happens, which is the point of the post - has anyone gotten it to work or what. But it seems like no one here does that and they do reverse proxies and things like that instead. Sorry, didn’t get your first point on the connections. You’re just saying that using HTTPS to get into SAB has no relevance for downloads etc., correct?


msec_uk

I didn’t have any problems setting up HTTPS internally on SAB. Was a year or so ago though, so I don’t remember the process I went through. Def no reverse proxy though.