Yesterday I decided to start “officially” selfhosting. With almost no experience with Docker, I struggled for eight hours straight, but I finally have it working.
Currently, the two tools I am selfhosting with Docker Compose are LibreTranslate and spotDL. I’m only accessing them over the local network using a direct IP:PORT, so there’s no domain name. I don’t want to use a custom DNS, since it is fingerprintable online, so I want to keep it the same as my VPN.
With that said, I want to add encryption to the connections. I was able to generate my own self signed certificates with this command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./certs/key.key -out ./certs/cert.crt
spotDL was easy to setup with these self signed certs, since it has command flags for --enable-tls, --key-file, and --cert-file. LibreTranslate has an environment variable for - LT_SSL=true, however it gives the following error:
libretranslate | (URLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')),)
That led me to this issue which is 2 and a half years old. LibreTranslate doesn’t have a way to specify certificates that I know of.
I tried using Nginx Proxy Manager to create a reverse proxy, but I couldn’t quite figure it out. (I also didn’t understand Docker Compose at the time. I had a few hours to go before I did) NPM also seems to want Let’s Encrypt certificates which can’t be given without a DNS record. I tried manually providing certificates in the config file, but I don’t quite understand NPM enough to be able to set it up properly on my own.
My requirements are:
- No changing the DNS from my VPN’s default
- No port forwarding, everything should be accessed by the local network only
- No email required (ability to use a fake email without risk is fine)
- Only free and open source software
- Modern security standards where available
I also would like help adding the self signed certificates as a permanent exception in Brave browser, if possible.
https://www.youtube.com/watch?v=BKCj6A4CHV4
Not necessarily docker but gives a good vibe for self signed certs. Also i don’t see why u need encryption if ur only accessing ur data over local network (I presume via a vpn) its unnecessary unless ur worried about someone snooping packets on ur lan.
Personally I have my services available to the internet with a letsencrypt cert for a domain served via nginx that served my services at relevent routes. SSL isn’t really nessasary unless ur transporting across an untrusted network (such as the internet instead of over a VPN).
Encryption in transit even internally is a good practice. That said, op is making life hard by refusing to use DNS.