
253 points akyuu | 1 comment
quaintdev | No.45946006
I do not have a solution for a blog like this, but if you are self-hosting I recommend enabling mTLS on your reverse proxy.

I'm doing this for a dozen services hosted at home. The reverse proxy just drops the request if the user does not present a certificate. My devices, which can present a cert, can connect seamlessly. It's a one-time setup, but once done you can forget about it.

replies(2): >>45946395, >>45948221
1. bogwog | No.45948221
WireGuard is much better. Not only is it easier to set up and maintain, it even works on Android and iOS. I used to use client authentication for my private git server, but getting client certs installed on every client browser or app was a pain in the ass, and not even possible for some mobile browsers.

Today, my entire network of self-hosted stuff exists in a personal WireGuard VPN. My firewall blocks everything except the WireGuard port (even SSH).