+++
title = "HTTPS @ Home"
date = "2022-11-08"
+++

I run a lot of services at home.

This includes, but isn't limited to:

- [ArchiveBox](https://archivebox.io/)
- [VaultWarden](https://github.com/dani-garcia/vaultwarden)
- [Navidrome](https://github.com/navidrome/navidrome)
- [Plex](https://plex.tv)
- [LibrePhotos](https://github.com/LibrePhotos/librephotos)
- This blog

and a lot more.

Pretty much anything served over HTTP is nice, if not outright necessary, to have behind TLS.

[LetsEncrypt](https://letsencrypt.org/) long ago brought free certs to the masses, and there are plenty of tools for automating issuance and renewal nowadays.

My preferred approach for getting all the unnecessary nonsense I self-host at home behind TLS is [Caddy](https://caddyserver.com).

I have a super straightforward setup, generally:

- Run Caddy in a docker container
- Create a wildcard CNAME record in my DNS pointing at my home's (effectively) static IP
- Add an entry in my Caddyfile for each service I'm running at home on its own subdomain
  - If it's a service then I add it with a `reverse_proxy` block
  - If it's a static site (like this) then there's a block for
  - If it's something I want only accessible on my home network then I put a block like

```txt
@local_network {
    path *
    remote_ip <home subnet here>
}
```

in the directive. And voila.

Then tell Caddy to reload the config and I'm done.
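Putting those steps together, here is an added example Caddyfile (an illustration, not the post's own config) that covers all three kinds of entry. The hostnames under `home.example.net`, the upstream container names and ports, and the `192.168.1.0/24` home subnet are all assumptions.

```caddyfile
# Added example, not the post's own Caddyfile. Assumptions: the wildcard DNS
# record is *.home.example.net, upstreams are reachable by their container
# names on the docker network, and the home LAN is 192.168.1.0/24.

# A service: Caddy terminates TLS (certificate obtained automatically from
# Let's Encrypt for this hostname) and proxies plain HTTP to the container.
vault.home.example.net {
    reverse_proxy vaultwarden:80
}

# A static site (like the blog): serve files straight from a directory.
blog.home.example.net {
    root * /srv/blog
    file_server
}

# Something that should only be reachable from the home network: the named
# matcher gates the proxy, and the fallback handle answers everyone else
# with a 403. The TLS handshake still completes for outside clients, so the
# hostname itself is not hidden, only the service behind it.
photos.home.example.net {
    @local_network {
        path *
        remote_ip 192.168.1.0/24
    }
    handle @local_network {
        reverse_proxy librephotos:3000
    }
    handle {
        respond 403
    }
}
```

Two notes on the LAN-only block. The fallback is wrapped in `handle` rather than written as a bare `respond 403` because Caddy's default directive order evaluates `respond` before `reverse_proxy`; an unmatched bare `respond` would answer every request with 403 and the proxy would never run, whereas `handle` blocks are mutually exclusive and the one without a matcher only catches what the others did not. Second, `remote_ip` checks the address of the TCP peer, so if anything else sits in front of Caddy (a VPS tunnel, another proxy) the match is against that hop's address unless `trusted_proxies` is configured; treat it as network scoping, not as authentication. After editing, validate and reload from the host with `docker exec <caddy container> caddy validate --config /etc/caddy/Caddyfile` followed by `docker exec <caddy container> caddy reload --config /etc/caddy/Caddyfile` (that path is the official image's default; adjust if your volume mount differs).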