I was initially looking at this to see how they automated their Let's Encrypt and if it was better than just using Caddy. I was disappointed to find they are just creating a self-signed RootCA and issuing certs.
> Now if you go into Chromium browser settings and search "certificates", in the Security tab, Manage Certificates, you can add an Authority. Import 'ca.pem'. Tell the browser to Trust this certificate for identifying websites. This should add 'org-test-ca' to your browser. This allows HTTPS certificates signed by that to be seen as valid in your browser.
Basically, inotifywait on the config directory and request new certificates as needed. Grep the config files for hostnames (and ignore if labeled NOSSL). And a configuration snippet to include the same SSL config for anything that needs SSL (including the .well-known/acme-challenge directory). Oh, and use cron to renew periodically.
> I was disappointed to find they are just creating a self-signed RootCA and issuing certs.
Agreed. Not sure why you'd go through the trouble of importing a self-signed CA when you can provision certs for any internal service with LE. I dont use self-signed and instead have been using LE certs provisioned for internal services for the last couple years. Extra nice to be able to leverage DNS challenge for cert provisioning at home to get around overloading common ports.
I know a lot of people mention Caddy but I find Traefik [0] (pronounced "traffic") more flexible. It's routing and middleware configurations are fantastic. Especially when you want to stick a reverse proxy in front of things that are a pain to provision certs into (switches, routers, old embedded web interfaces, etc).
For development I'm sure SimpleHTTPServer is fine for most use-cases (except SPAs, of course), but for more serious use, nginx and SimpleHTTPServer couldn't be more different.
Tangential at best: where can you get a hold on a Raspberry Pi 4 in Europe? Every store is sold-out and the ones that aren't only allow one per customer.
It's a bit more work, but for single-digit quantities you could just buy one per store from a bunch of vendors, possibly repeating weekly or whatever until you get the desired number?
I'm ashamed that I was so naïve about this, but I was disappointed to realize that hosting a website to the entire public internet on my Pi was non-trivial. Of course once I dug into the idea it was obvious why it was difficult and furthermore that it would be a dangerous thing to do. Just sharing and curious if anyone has done it or knows useful documentation on the topic.
It sounds like you Pi doesn't have a public IP address. So you need some way to tunnel requests to it. On solution would to be SSH into one of your own public boxes somewhere and use reverse port forwarding (-R). Although that's probably not very reliabile on its own as you have to make sure the connection stays alive. More professional solutions are probably ngrok or cloudflare tunnel. The latter is meant exactly for what you describe: expose a service on a private machine as a public facing web site.
Why was is complicated? I'm hosting https://talumriel.de for my German novels on a Rapberry Pi 3b, using Nginx and Letsencrypt with cryptbot. It's probably not super-secure, but the setup was very easy. I basically just followed one of the tutorials on the Net.
I've been hosting my application on a 3B+ for years. What makes the Pi different to any other machine that you have on your home network? Assuming you have a static IP, all you have to do is forward ports 80/443 (or whatever) to the right machine/ports.
They're great little machines for this exact purpose. No need to have a full blown PC serving trivial stuff. Only problem is, they use SD cards and eventually. I've had a quality 128GB card in mine that has died/been corrupted about 3 times in 4 years. That's my biggest issue with these amazing little machines
This guide is just for hosting locally. If you want to host to the outside internet you also need to do port forwarding on your router. So that when someone connects to your outside IP your router relays that to the pi specifically.
It's not super dangerous, just make sure you keep everything updated (your linux OS, your server software). And make sure that you only open the ports you need to.
Instead of opening ports on your firewall, you could introduce a mesh. I'm using nebula by slack, rest is 90's style with apache /nginx, lego for le dns-challenged certs, and the nebula lighthouse as a proxy. Works fine, is secure and does not bind 443 on your router to.a specific pi.
the goal was to run nginx in docker, if you want to run nginx without docker you can just not do the docker parts. not sure what you mean about properly configure software - you can configure nginx the same whether you use docker or not?
[+] [-] InvaderFizz|4 years ago|reply
[+] [-] inportb|4 years ago|reply
https://git.inportb.com/jyio/docker-nginx-auto
Basically, inotifywait on the config directory and request new certificates as needed. Grep the config files for hostnames (and ignore if labeled NOSSL). And a configuration snippet to include the same SSL config for anything that needs SSL (including the .well-known/acme-challenge directory). Oh, and use cron to renew periodically.
[+] [-] windexh8er|4 years ago|reply
Agreed. Not sure why you'd go through the trouble of importing a self-signed CA when you can provision certs for any internal service with LE. I dont use self-signed and instead have been using LE certs provisioned for internal services for the last couple years. Extra nice to be able to leverage DNS challenge for cert provisioning at home to get around overloading common ports.
I know a lot of people mention Caddy but I find Traefik [0] (pronounced "traffic") more flexible. It's routing and middleware configurations are fantastic. Especially when you want to stick a reverse proxy in front of things that are a pain to provision certs into (switches, routers, old embedded web interfaces, etc).
[0] https://traefik.io/traefik/
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] ThinkBeat|4 years ago|reply
Install apache (or nginx or lighttpd) on your box using your distros package manager of choice.
Configure https on apache.
[+] [-] LeoPanthera|4 years ago|reply
[+] [-] schwartzworld|4 years ago|reply
[+] [-] capableweb|4 years ago|reply
[+] [-] suprfsat|4 years ago|reply
[+] [-] butz|4 years ago|reply
[+] [-] NortySpock|4 years ago|reply
Sure, I could install lighttpd myself, but docker-compose gives me a common configuration file format.
[+] [-] nimbius|4 years ago|reply
[+] [-] antongribok|4 years ago|reply
[+] [-] yrds96|4 years ago|reply
[+] [-] capableweb|4 years ago|reply
[+] [-] horsellama|4 years ago|reply
[+] [-] emilfihlman|4 years ago|reply
You might want to also grab the sd card from there.
I recommend getting the power supply, case and fan from Digikey.
[+] [-] kzrdude|4 years ago|reply
[+] [-] butz|4 years ago|reply
[+] [-] yjftsjthsd-h|4 years ago|reply
[+] [-] megous|4 years ago|reply
[+] [-] pzduniak|4 years ago|reply
[+] [-] jsisto|4 years ago|reply
[+] [-] kaycebasques|4 years ago|reply
[+] [-] dividuum|4 years ago|reply
[+] [-] 13415|4 years ago|reply
[+] [-] oblak|4 years ago|reply
They're great little machines for this exact purpose. No need to have a full blown PC serving trivial stuff. Only problem is, they use SD cards and eventually. I've had a quality 128GB card in mine that has died/been corrupted about 3 times in 4 years. That's my biggest issue with these amazing little machines
[+] [-] rain1|4 years ago|reply
It's not super dangerous, just make sure you keep everything updated (your linux OS, your server software). And make sure that you only open the ports you need to.
[+] [-] chuchichaestli|4 years ago|reply
[+] [-] alsobrsp|4 years ago|reply
[+] [-] Gigachad|4 years ago|reply
[+] [-] rain1|4 years ago|reply
[+] [-] tragictrash|4 years ago|reply
[+] [-] lovek3292|4 years ago|reply