this post was submitted on 15 Apr 2025
22 points (92.3% liked)

Selfhosted

46118 readers
601 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
HybridSarcasm@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
22
Self hosting and HSTS preload domains (lemmy.ca)
submitted 6 days ago* (last edited 6 days ago) by wraith@lemmy.ca to c/selfhosted@lemmy.world
21 comments fedilink hide all child comments
 

I have a domain that requires HSTS preload. I want to self host a few things using that domain (and subdomains), like nextcloud, pihole, and vaultwarden. How much of an issue is HSTS preload going to be if I do that? Will I need to set up a wildcard cert for everything? Or will it just work™️ because it's internal or traffic is through a VPN?

I can't find much about this so any help would be appreciated!

you are viewing a single comment's thread
view the rest of the comments
[–] just_another_person@lemmy.world 1 points 6 days ago (1 children)

Well, that's the simplest way in practice, but not usability. Let me explain:

You control the IP address space once you're connected to your VPN, and you control the various settings that connection makes, including DNS.

You have a network already, and a VPN of some sort, so that means you have a network device that is terminating that VPN. Is that a router you're familiar with, or a box on your network?

[–] wraith@lemmy.ca 1 points 6 days ago (1 children)

I haven't set up the VPN yet. I am getting as much info as I can before I start any work. For the sake of this discussion, it would be a box on my network.

[–] just_another_person@lemmy.world 2 points 6 days ago* (last edited 6 days ago)

Then you just need to run a DNS Forwarder, or something with a DNS forwarding capability. Your router most likely already has this.

DNS is essentially just a request and a response from a service. These can be public or private. A DNS Forwarder on your network will quickly respond if it knows that something is when asked, and return an IP address. If it doesn't know what it is, it will ask the public services available.

So if you have an internal-only network, a VPN into that network, and a forwarder or other DNS service on that network, you just tell your VPN client of choice to switch to using that DNS instead of public once it connects. It's a simple setting that every VPN solution supports, and actually makes you MORE secure by not using public DNS servers by default. You can add any record you want to said forwarder, and it will return whatever value you give it for a given domain name.

Here's a simple workflow as an example:

  1. Setup all your services
  2. Setup names in your local DNS for each service like "service1.jimmypoops.dev", or "jellyfin.woopsiedoodle.net"
  3. Install VPN client on your phone and make sure your internal DNS server name is used for that connection
  4. Connect to VPN from phone and request the DNS names you added
  5. You DNS will return the correct IP to visit.

All contained within your local network and VPN by extension.

No need for public DNS entries or TLDs and HSTS requirements.