Selfhosted

51445 readers

435 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Second set of eyes - DNS Nameservers (sh.itjust.works)

submitted 2 weeks ago by BingBong@sh.itjust.works to c/selfhosted@lemmy.world

24 comments fedilink hide all child comments

Hello all, I'm looking for a second set of eyes before I potentially screw up all my self hosted services. I'll be the first to admit I'm not an IT expert and am getting a wee bit lost in all of the reading I've been doing so please go easy on me.

I'm currently working to get my domain (already registered) to be used for internal addresses as well as get a working SSL certificate. I am following wolfgangs instructions with the exception that I already have my domain registered with BlueHost. BlueHost does not appear to be directly supported by nginx and wants to charge me $90/year for an SSL certificate which is far more than I'm willing to pay for my little self-hosting hobby.

Fundamentally I believe I need to point my domain to new nameservers which provide support for 'Let's Encrypt'. If there were a vendor that offered that as a service I think I could leave the domain with bluehost and simply point the nameservers elsewhere. I "think" cloudflare offers this but its the only one and I've heard mixed things about using it from the standpoint of privacy. Does anyone have suggestions?

The other option I see, which seems more broadly supported, is to transfer my domain from bluehost to another vendor. Does anyone have suggestions? I've struggled to see the renewal costs when looking at these transfers.

Before fully borking my setup, would appreciate some input on if I'm on the right track or not. Thank you!

you are viewing a single comment's thread
view the rest of the comments

[–] dihutenosa@piefed.social 1 points 2 weeks ago

I'm not sure if I agree.

You can't easy man in the middle authenticated protocols like SSH or HTTPS.

Unless you own a CA, or are a powerful country able to coerce a CA, or mandate installing one into users' PCs.

As for SSH - you missed the "TOFU" bit, Trust On First Use. Do you verify your SSH host keys every time before connecting to a new server? The docs for GitHub doesn't even mention it.

unencrypted/unauthenticated protocols are on their death bed.

I partially agree - encryption appears to be a solved problem today. Key distribution, however is not, it's layers upon layers of half-solutions of wishful thinking, glued together with hope.

The layers should be independent to allow for maximum flexibility.

Depends on your threat model and priorities, right :) HPKP is helpful and does not require DNSSEC. DANE and CAA are helpful but require DNSSEC.