So, I have a few services (Jellyfin, Home Assistant, etc) that I am running, and have been acessing via their IP’s and port numbers.

Recently, I started using NGINX so that I could setup entries in my Pi Hole, and access my services via some made up hostname (jellyfin.home, homeassistant.home, etc).

This is working great, but I also own a few domains, and thought of adding an SSL cert to them as well, which I have seen several tutorials on and it seems straight forward.

My questions:

  • Will there be any issues running SSL certs if all of my internal service are inward facing, with no WAN access? My understanding is that when I try to go to jellyfin.mydomainname.com, it will do the DNS lookup, which will point to a local address for NGINX on my network, which the requesting device will then point to and get the IP of the actual server.

  • Are there risks of anything being exposed externally if I use an actual CA for my cert? My main goal is to keep my home setup off of the internet.

  • root@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 years ago

    Gotcha. Yeah I read about doing a self-hosted CA, but then I have to add the cert to every device that needs access to the service, which I don’t think the family would be thrilled about. I was going to use the cert generator in NGINX and use the key from my actual domain. This way I don’t need to add the certs manually.

    My only worry is exposing something accidentally, but if my firewall rules prevent any outside access from my services (Jellyfin, Nginx, Homelab, etc) and the only thing with internet is the device accessing it (a laptop or TV), then I think I should be ok…

    • Omripresent@leddit.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 years ago

      If you have a domain you own that’s the way to go, I went by your .home naming assuming that’s what you’re using. Since .home can’t be registered similar to .local, LetsEncrypt wouldn’t be an option.

      I have a split DNS setup on my end so a service like jellyfin would resolve only internally since I want to limit it, but others would be both public and internal.