Subject: Re: Citadel tip of the day - using the Docker image with Let's Encrypt
1 - Set up a reverse proxy and load the certificates there.
2 - Point the reverse proxy to forward any TLS/port 443 traffic to the application.
3 - Instruct the reverse proxy to forward any non-TLS/port 80 traffic to a dummy server that either
--> issues a 302 redirect to the https version of the site
--> accepts Let's Encrypt traffic for certificate renewal
The moment you operate more than one site from the same domestic LAN this setup just makes more sense than most stuff people are doing elsewhere.
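As an added example (not from this thread or from the Citadel project), here is an nginx configuration that implements the three steps above: TLS terminates at the proxy, port 443 is forwarded to the application, and port 80 only answers ACME http-01 renewal requests or redirects. The hostname, the backend address 127.0.0.1:8080, the ACME webroot and the certificate paths are placeholders you would substitute for your own.

```nginx
# Added example; hostname, backend address, webroot and cert paths are
# placeholders (assumed: WebCit container reachable at 127.0.0.1:8080,
# certbot --webroot writing challenges under /var/www/acme).

# Port 80: two jobs only, no application traffic ever passes through here.
server {
    listen 80;
    listen [::]:80;
    server_name mail.example.com;

    # Let's Encrypt http-01 renewal: serve the challenge files from disk.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type "text/plain";
    }

    # Everything else: 302 to the HTTPS version of the site.
    location / {
        return 302 https://$host$request_uri;
    }
}

# Port 443: TLS terminates here; the application only ever sees plain HTTP.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mail.example.com;

    ssl_certificate     /etc/letsencrypt/live/mail.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # Pass the original host, client address and scheme to the backend
        # (whether the application uses these headers is up to it).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Long-polling requests should not be cut off by the proxy.
        proxy_read_timeout 600s;
    }
}
```

Because the application is never reachable on port 80 or 443 from outside, only the proxy needs to be kept current on TLS configuration and renewals.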
Subject: Re: Citadel tip of the day - using the Docker image with Let's Encrypt
I do the same thing with an NGINX proxy server that sits between me and the outside world.
Does all the DNS name to internal IP translations for me, so I can run more than one "service" on a single external IP. Handles the certs and easy renewals. And for things that don't have their own internal security (or are a pain to manage), I can prop up a login on the proxy and still present it to the outside.
I guess in theory it helps to handle random DoS attacks too; it takes the hit instead of the app server.
Mon Dec 30 2024 00:28:16 UTC from darknetuser
Subject: Re: Citadel tip of the day - using the Docker image with Let's Encrypt
Well, what I do for this sort of setup where I have a web application that I want to treat as a black box is:
1 - Set up a reverse proxy and load the certificates there.
2 - Point the reverse proxy to forward any TLS/port 443 traffic to the application.
Subject: Re: Citadel tip of the day - using the Docker image with Let's Encrypt
The moment you operate more than one site from the same domestic LAN
this setup just makes more sense than most stuff people are doing
elsewhere.
Yes, I have done similar things and it works quite well.
Remember, however, that a fully deployed Citadel site uses TLS for more than just the web service. For example, if you are using the email service, good luck getting Google or Microsoft to talk to you if you don't offer STARTTLS.
Subject: Re: Citadel tip of the day - using the Docker image with Let's Encrypt
Remember, however, that a fully deployed Citadel site uses TLS for
more than just the web service. For example, if you are using the
email service, good luck getting Google or Microsoft to talk to you if
you don't offer STARTTLS.
The solution I use as a reverse proxy can do lots of crazy things beyond being an http(s) proxy. It can also work as a dumb TCP relay. You could add TLS to arbitrary connections using it.
I don't think it is sophisticated enough for doing STARTTLS without addons, though. You could hack some solution for that but at that point it is no longer elegant.
Subject: Re: Citadel tip of the day - using the Docker image with Let's Encrypt
There are a lot of ways to skin that particular cat, and a lot of use cases.
In another part of my world I have a system set up that automatically renews a wildcard certificate with Let's Encrypt every 60 days, and automatically contacts every site or server that uses it to do a certificate update. It has to integrate with the DNS server to do that.
Our objective here, however, is to honor our tradition of making things not just easy, but "Citadel Easy (tm)". Everything is self-contained and doesn't require the site operator to set up any external dependencies. Less concise integrations are always available, but the default installation must be as easy-peasy as possible. Our mission is to put excellent software into the hands of site operators who don't want their data being handled by big SaaS operators -- and we want that to be easy.