this post was submitted on 15 Apr 2025
23 points (92.6% liked)

Selfhosted

46212 readers
506 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
CannaVet@lemmy.world
Loki@lemmy.world
HybridSarcasm@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
23
Self hosting and HSTS preload domains (lemmy.ca)
submitted 1 week ago* (last edited 1 week ago) by wraith@lemmy.ca to c/selfhosted@lemmy.world
21 comments fedilink hide all child comments
 

I have a domain that requires HSTS preload. I want to self host a few things using that domain (and subdomains), like nextcloud, pihole, and vaultwarden. How much of an issue is HSTS preload going to be if I do that? Will I need to set up a wildcard cert for everything? Or will it just work™️ because it's internal or traffic is through a VPN?

I can't find much about this so any help would be appreciated!

you are viewing a single comment's thread
view the rest of the comments
[–] just_another_person@lemmy.world 2 points 1 week ago* (last edited 1 week ago)

Then you just need to run a DNS Forwarder, or something with a DNS forwarding capability. Your router most likely already has this.

DNS is essentially just a request and a response from a service. These can be public or private. A DNS Forwarder on your network will quickly respond if it knows that something is when asked, and return an IP address. If it doesn't know what it is, it will ask the public services available.

So if you have an internal-only network, a VPN into that network, and a forwarder or other DNS service on that network, you just tell your VPN client of choice to switch to using that DNS instead of public once it connects. It's a simple setting that every VPN solution supports, and actually makes you MORE secure by not using public DNS servers by default. You can add any record you want to said forwarder, and it will return whatever value you give it for a given domain name.

Here's a simple workflow as an example:

  1. Setup all your services
  2. Setup names in your local DNS for each service like "service1.jimmypoops.dev", or "jellyfin.woopsiedoodle.net"
  3. Install VPN client on your phone and make sure your internal DNS server name is used for that connection
  4. Connect to VPN from phone and request the DNS names you added
  5. You DNS will return the correct IP to visit.

All contained within your local network and VPN by extension.

No need for public DNS entries or TLDs and HSTS requirements.