Does Caddy or Traefik get me anything I don't already have?
https://lemmy.world/post/21778874
=> More informations about this toot | More toots from d00phy@lemmy.world
No.
=> More informations about this toot | More toots from catloaf@lemm.ee
Well, not using Cloudflare would make us all rely a bit less on a single company that already dominates the internet. And it'd make them unable to theoretically mess with your traffic and snoop on your data. Other than that... I don't think you're missing out on features.
=> More informations about this toot | More toots from hendrik@palaver.p3x.de
What would you recommend as an alternative? Right now I’m just using them for DNS.
=> More informations about this toot | More toots from theRealBassist@lemmy.world
I really don't know what to recommend to other people. I use opennic.org for DNS. And I don't use any tunnels, I just do port forwarding on my router. I have an internet connection that allows that.
=> More informations about this toot | More toots from hendrik@palaver.p3x.de
1984.hosting has a freely available to use DNS service for domains. They’re a good company that does what Njalla say they do but without the bullshit of stealing peoples domains.
=> More informations about this toot | More toots from Zelaf@sopuli.xyz
How is cloudflare stealing domains?
=> More informations about this toot | More toots from keepee@lemmy.world
No, Njalla is. They have a history of stealing domains and banning users without explaining why and absolutely refuse to look into why a user got banned in the first place. On top of that generally terrible customer support.
I’ve had the complete opposite experience with 1984.hosting, support has been great and they even support GPG keys to one of their emails if you want to keep your inquires encrypted.
=> More informations about this toot | More toots from Zelaf@sopuli.xyz
Interesting. I hadn’t even heard of Njalla, but now I know to avoid them, thanks.
=> More informations about this toot | More toots from keepee@lemmy.world
desec.io is also a good option
=> More informations about this toot | More toots from freezy@discuss.tchncs.de
That actually seems like a solid option. Do you happen to know how well it integrates with Traefik and the like for setting up reverse proxies?
=> More informations about this toot | More toots from theRealBassist@lemmy.world
If you use caddy it works like a charm out of the box with their desec module. If you run caddy with via docker compose you can integrate the respective module pretty easily, check the ”Adding custom Caddy modules" section on their docker hub page.
=> More informations about this toot | More toots from freezy@discuss.tchncs.de
Except that everything I under your control and not managed by a third party, not much I think.
If this setup works for you and you’re happy with it, just keep it going.
If you have time to spare, want to learn new things, tinkerer arround with network security, certificates, DNS, reverse proxy and, and, and… You can give it a try with a virtual machine and docker containers. But keep in mind that’s not an easy way and involves a lot of personal time before you get a GOOD working self-hosted / exposed services.
I wouldn’t recommend to open any port on your router except for a secured tunnel like wireguard and connect to your services through that tunnel. Opening port 443/80 on your router is bound to some heavy automated scanning and brute force by bots. If you don’t have the necessary knowledge/tool/hardware, this is just going to put you at risk of ddos and remote attacks.
That’s way something like cloudflare is populate, they most of the time take care of that nuisance and also why something like wireguard is popular among the selfhosting community.
=> More informations about this toot | More toots from N0x0n@lemmy.ml
I’ve recently introduced CrowdSec and crowdsec-bouncer-traefik-plugin into my setup and it’s really great to see it block all those spam bots and brute force attempts.
=> More informations about this toot | More toots from mbirth@lemmy.ml
Do you have a guide on how to do his? I couldn’t get the middleware to work to actually bounce connections
=> More informations about this toot | More toots from Lem453@lemmy.ca
You have to actually add the middleware into the (default) chain for your https entrypoint (I think in most tutorials it’s called websecure) - in my static conf I have this:
address: :443
http:
middlewares:
- crowdsec-bouncer@file
- secure-headers@file
And in my dynamic conf I have this:
middlewares:
crowdsec-bouncer:
plugin:
crowdsec-bouncer-traefik-plugin:
CrowdsecLapiKey: "### Enter your LAPI Key here ###"
Enabled: true
=> More informations about this toot | More toots from mbirth@lemmy.ml
Thanks for the tip !! I will certainly give it a look, It’s kinda annoying for my family members to always connect via wireguard.
For me it’s fine though, I even route my traffic to ProtonVPN but my family is always nagging how they need to “do something” to get access to the hosted services or that it “doesn’t work”.
=> More informations about this toot | More toots from N0x0n@lemmy.ml
Which crowdsec lists did you use? I’m on the free plan and can only subscribe to three of them and most of everything on the free tier looks like is useless since my Suricata can sync its rules with Proofpoint ET Open rulesets which are significantly more robust
=> More informations about this toot | More toots from BaroqueInMind@lemmy.one
I’ve only subscribed to the “Free proxies” blocklist. But these are only additional blocklists. The main attraction of CrowdSec is their “CAPI” (Central API) which has all the current malicious actors detected in the network of CrowdSec instances.
=> More informations about this toot | More toots from mbirth@lemmy.ml
I switched from SWAG to Caddy. Its config file is much simpler, with many best practice settings being default resulting in each sites being like 3 lines of code. Implementing something like mTLS requires one line per site, just super nice to configure, and you’re not left without a template config for more obscure services.
That being said, SWAG does more than enough and Nginx is a powerful software so you really aren’t missing out on anything but more streamlined config.
=> More informations about this toot | More toots from EncryptKeeper@lemmy.world
Not depend on a specific corporation to access all your services for one.
A reverse proxy (I use nginx) will let you centralize certificates and allow the use of subdomains easily, without depending from a specific service provider like cloudflare.
Looks like you are are a lucky american with access to a real IP address, good for you, a luxury nowadays where CG-NAT is common place everywhere.
Opening a port is not even possible where I live.
=> More informations about this toot | More toots from Shimitar@feddit.it
I was an avid nginx user but having caddy handle the ssl certificate refreshes is amazing.
I probably am outdated on nginx (maybe it supports it?) but caddy is what I use from here on out.
=> More informations about this toot | More toots from Cpo@lemm.ee
Yeah it supports cert creation through let’s encrypt now.
=> More informations about this toot | More toots from AustralianSimon@lemmy.world This content has been proxied by September (3851b).Proxy Information
text/gemini