
.localhost Domains

(inclouds.space)
301 points todsacerdoti | 3 comments
octagons No.43645228
Against much well-informed advice, I use a vanity domain for my internal network at home. Through a combination of Smallstep CA, CoreDNS, and Traefik, any services I host in my Docker Swarm cluster are automatically issued a signed SSL certificate, load-balanced, and resolvable. Traefik also allows me to configure authentication for any services that I may not wish to expose without such.

That said, I do recommend the use of the .internal zone for any such setup, as others have commented. This article provides some good reasons why (at least for .local) you should aim to use a standards-compliant internal zone: https://community.veeam.com/blogs-and-podcasts-57/why-using-...

replies(2): >>43645339 >>43645906
1. tbyehl No.43645906
What's the argument against using one's own actual domain? In these modern times where every device and software wants to force HTTPS, being able to get rid of all the browser warnings is nice.
replies(1): >>43646410
2. waynesonfire No.43646410
I think this is ideal. You make a great point that even if you were to use the .internal TLD that is reserved for internal use, you wouldn't be able to use Let's Encrypt to get an SSL certificate for it. Not sure if there are other SSL options for .internal. But self-signed is a PITA.

I guess the lesson is to deploy a self-signed root CA in your infra early.

replies(1): >>43648734
3. octagons No.43648734
Check out Smallstep’s step-ca server [0]. It still requires some work, but it allows you to run your own CA and ACME server. I have nothing against just hosting records off of a subdomain and using LE as mentioned, but I personally find it satisfying to host everything myself.

[0] https://smallstep.com/docs/step-ca/
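The "deploy your own root CA early" advice above and the step-ca pointer both come down to the same mechanics: a self-signed root that your devices trust, issuing short-lived leaf certificates for names under .internal that no public CA will ever sign. The following is an added illustration written for this thread, not code from Smallstep, step-ca, or any commenter. It uses only Go's standard library, and the CA name "Home Lab Root CA" and the hostname grafana.home.internal are hypothetical. The last check in main shows why a client that never received the root sees a certificate error: an empty trust pool stands in for a browser without the root installed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example, not Smallstep/step-ca code: a one-file private root CA
// that signs a short-lived serverAuth leaf for a hostname under .internal, plus
// the chain check a client performs once it trusts that root. The CA name and
// hostname used here are hypothetical.

// randomSerial returns a 128-bit serial (RFC 5280 allows up to 20 octets).
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// NewRootCA creates a self-signed root that may only sign end-entity certs
// directly (pathlen 0), which is all a flat home-lab CA needs.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Home Lab Root CA"}, // hypothetical
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            0,
		MaxPathLenZero:        true, // no intermediates below this root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert signs a 24-hour serverAuth leaf for host: the kind of
// lifetime that only makes sense when an ACME client renews automatically.
func IssueServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match the SAN, not the CN
		NotBefore:    time.Now().Add(-5 * time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyServerCert does what a TLS client does after the root is in its trust
// store: build a chain to a trusted root and match the requested hostname.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, rootKey, err := NewRootCA()
	if err != nil {
		panic(err)
	}
	leaf, _, err := IssueServerCert(root, rootKey, "grafana.home.internal") // hypothetical host
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	fmt.Println("trusted root:", VerifyServerCert(leaf, trusted, "grafana.home.internal"))
	fmt.Println("wrong host:  ", VerifyServerCert(leaf, trusted, "wiki.home.internal"))
	// An empty pool models a device that never received the root: this is the browser warning.
	fmt.Println("no root:     ", VerifyServerCert(leaf, x509.NewCertPool(), "grafana.home.internal"))
}
```

In a real deployment the root's private key stays offline or in a CA service such as step-ca, the leaf is obtained over ACME by the proxy rather than by calling IssueServerCert, and the only manual step is distributing the root certificate to every client, which is the part the thread is warning you to do early.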