I have a domain that requires HSTS preload. I want to self host a few things using that domain (and subdomains), like nextcloud, pihole, and vaultwarden. How much of an issue is HSTS preload going to be if I do that? Will I need to set up a wildcard cert for everything? Or will it just work™️ because it’s internal or traffic is through a VPN?

I can’t find much about this so any help would be appreciated!

  • wraith@lemmy.caOPEnglish
    1·
    16 hours ago

    So I should just host it with an IP address instead of using the domain?

    I hadn’t thought to do that, at least not for anything other than short lived internal-network-only projects and tests. An IT guy in the company I work for advised me to just get a domain and host with it/subdomains to make it easier to manage if I wanted to host multiple services.

    • just_another_person@lemmy.worldEnglish
      1·
      16 hours ago

      Well, that’s the simplest way in practice, but not usability. Let me explain:

      You control the IP address space once you’re connected to your VPN, and you control the various settings that connection makes, including DNS.

      You have a network already, and a VPN of some sort, so that means you have a network device that is terminating that VPN. Is that a router you’re familiar with, or a box on your network?

      • wraith@lemmy.caOPEnglish
        1·
        16 hours ago

        I haven’t set up the VPN yet. I am getting as much info as I can before I start any work. For the sake of this discussion, it would be a box on my network.

        • just_another_person@lemmy.worldEnglish
          2·
          15 hours ago

          Then you just need to run a DNS Forwarder, or something with a DNS forwarding capability. Your router most likely already has this.

          DNS is essentially just a request and a response from a service. These can be public or private. A DNS Forwarder on your network will quickly respond if it knows that something is when asked, and return an IP address. If it doesn’t know what it is, it will ask the public services available.

          So if you have an internal-only network, a VPN into that network, and a forwarder or other DNS service on that network, you just tell your VPN client of choice to switch to using that DNS instead of public once it connects. It’s a simple setting that every VPN solution supports, and actually makes you MORE secure by not using public DNS servers by default. You can add any record you want to said forwarder, and it will return whatever value you give it for a given domain name.

          Here’s a simple workflow as an example:

          1. Setup all your services
          2. Setup names in your local DNS for each service like “service1.jimmypoops.dev”, or “jellyfin.woopsiedoodle.net
          3. Install VPN client on your phone and make sure your internal DNS server name is used for that connection
          4. Connect to VPN from phone and request the DNS names you added
          5. You DNS will return the correct IP to visit.

          All contained within your local network and VPN by extension.

          No need for public DNS entries or TLDs and HSTS requirements.