Hello everyone. Need some opinions here. Does it worth all the trouble to make things like jellyfin and immich run with HTTPS for services that are only accesible in the LAN? I ask it 'cause, as far as I know, there is no way to put a valid certificate like let’s encrypt for a service that is not accessible from the net and I don’t plan to buy a certificate for myself. But I have some trouble with the rest of my family having issue with their browsers complaining about the lack of https every time a browser is updated. So, what would be the best solution?

  • beerclue@lemmy.worldEnglish
    10·
    16 days ago

    You can use DNS01 for services not accessible from the outside. I use a caddy reverse proxy, with a wildcard cert for *.mydomain.com. caddy handles that for me automagically. Needed? Maybe not, but it’s a whole lot prettier, and I learned new things about certs and caddy :)

  • versionc@lemmy.worldEnglish
    5·
    16 days ago

    as far as I know, there is no way to put a valid certificate like let’s encrypt for a service that is not accessible from the net

    There definitely is. All of my local services run on a wildcard cert that I got from a DNS challenge with Let’s Encrypt. As long as the reverse proxy can access whatever source is issuing the certificate, and as long as the client browser can access public certificate ledgers and has DNS info about your services, things will work just fine locally.

    I recommend Netbird to give access to services to your family members, for access control and for the DNS server it provides. It also gives you the bonus of accessing your services remotely.

    Feel free to ask if you have any questions.

  • Decq@lemmy.worldEnglish
    2·
    16 days ago

    Let’s encrypt doesn’t have to be accessible from the web, it accesses the web itself. It’s a subtly difference i guess, but you don’t need port forwarding or anything. Of course if your jellyfin/immich service is completely blocked from going out on the internet then it still won’t work.

    as far as I know, there is no way to put a valid certificate like let’s encrypt for a service that is not accessible from the net

    I don’t think that’s true. But Let’s encrypt does need to verify the domain name. If it’s just a domain you made up in your LAN that is an issue yes. But I have no experience with that though.

    You could use self-signed certificates, they are free. but you would need to add custom trusted CA to all the user devices manually. I’ve never done this myself so no clue how troublesome this really is.

    What I do is have a reverse proxy that requests a wildcard certificate (e.g ‘*.example.com’) with Let’s encrypt. And then route all my services through the reverse proxy with subdomains. You can get free domains with duckdns.org or others.

  • bizarroland@lemmy.worldEnglish
    1·
    16 days ago

    When I went through the trouble of doing that, I got nginx reverse proxy set up and then got a Let’s Encrypt for my internal local addressing scheme through Let’s Encrypt.

    It was kind of intimidating to set up, but it worked flawlessly.