I want my self hosted things to use https. For example, I have Jellyfin installed via docker, and I want it to use https instead of http.
I don’t care about necessarily doing this the “right” way, as I won’t be making Jellyfin or any other service public, and will only be using it on my local network.
What is the easiest way to do this? Assume everything I host is in docker. Also a link to a tutorial would be great.
Thanks!
The easiest way is to pay for a public domain, use a subdomain of that which does not have an A record on the wide internet, and then use certbot to get Let’s Encrypt certificates for them and auto-renew. Stuff these in your individual reverse-proxy instances (or propagate them, no idea how) and you’re done
I usw nginxproymanager for that. It has an integrated function to create and update letsencrypt certificates. Creating a New host takes like 1 minute.
With caddy you can easily set up a local issued certificate for https. It would shine a nice warming on your browser unless you install the CA certificate on the computer you use to visit the site though.
https://caddyserver.com/docs/automatic-https#local-https
This is the easiest way I know how to do it. Caddy takes almost no configuration to get working.
I roll out Step CA to my workstation with an Ansible role. All other clients on the lab trust this CA and are allowed to request certificates for themselves through ACME, like LetsEncrypt.
All my services on all clients on the network are exposed through traefik, which also handles the ACME process.
When it comes to Jellyfin, this is entirely counter-productive. Your media server needs to be accessible to be useful. Jellyfin should be run with host networking to enable DLNA, which will never pass through TLS. Additionally, not all clients support custom CAs. Chromecast or the OS on a TV are prime candidates to break once you move your Jellyfin entirely behind a proxy with custom CA certificates. You can waste a lot of time on this and achieve very little. If you only use the web UI for Jellyfin, then you might not care, but I prefer to keep this service out of the fancy HTTPS setup.
Just be aware of the risks involved with running your own CA.
Fuck that. People like to act like running an SMTP server or a CA is some major shit, while everyone is fucking up on these subjects every single day.
SMTP with good delivery and whatnot is entirely possible it just takes an IP with a good reputation and enough patience to read and understand the ISPmail guide and a few other details. Running a CA is a security vulnerability and a major pain if you plan to deploy it to the devices of your entire family.
https://lemmy.world/comment/10089750
This is how I did it.
