undefined | Better HN

0 pointsvladvasiliu1y ago0 comments

> – TLS termination mandatorily happens at Cloudflare (i.e. your traffic is mitm'ed). That's because this free product is meant as a gateway drug (aka a loss leader) to Cloudflare's WAF/Anti-DDOS products (which require TLS termination to happen on their side for technical reasons).

But on the flip side, this allows you to have a nice certificate on your outside connection without having to fiddle with letsencrypt or whathaveyou.

0 comments

KennyBlanken1y ago

If someone finds LetsEncrypt challenging, they don't have sufficient network andsystem administrator skills to be running a private, public-facing web server. They should be running tailscale.

vladvasiliuOP1y ago

Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Can it be done? Sure. But do I want to spend money on this for my home lab if I can work around it? Not a chance.

I'm kinda sensitive to the "MITM as a service" argument, but for my use case, it's not a problem.

kuschku1y ago

> Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Afaik, every major registrar allows you to add an NS record for the _acme-challenge subdomain, allowing you to put the _acme-challenge subdomain on a custom, self-hosted DNS server.

That in turn allows you to make the permissions as specific as you'd like. Personally I just run powerdns in docker for this.

2 more replies

skinner9271y ago

You don’t need automated DNS fiddling for lets encrypt. Certbot can either hook into Apache or NGINX, or run its own standalone server for verification.

3 more replies

pnutjam1y ago

I've had excellent controls using NearlyFreeSpeech.net for DNS (minor cost) and time4vps.com (free). Maybe very old registrars restrict DNS records..?

janwillemb1y ago

Parent did not say it was challenging.

I find fiddling with LE tedious because it has to be repeated too often.

slt20211y ago

certbot and crontab needs to be setup just once, to solve cert problem

2 more replies

wibblewobble1251y ago

I’ve been using caddy for a year which does everything for you. Basically nginx/haproxy but with https built-in via LE, no fiddling about with cert files and brittle LE scripts, also supports subdomains equally easily.

jgalt2121y ago

so public server via http only then?

immibis1y ago

The point of TLS is to prevent your traffic getting MITMed. This benefit disappears if you have to let someone MITM your traffic to get TLS.

LoganDark1y ago

This depends. The point of TLS is to protect your application from hostile networks. Cloudflare hasn't proven hostile yet.

j / k navigate · click thread line to collapse

0 comments

KennyBlanken1y ago

If someone finds LetsEncrypt challenging, they don't have sufficient network andsystem administrator skills to be running a private, public-facing web server. They should be running tailscale.

vladvasiliuOP1y ago

Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Can it be done? Sure. But do I want to spend money on this for my home lab if I can work around it? Not a chance.

I'm kinda sensitive to the "MITM as a service" argument, but for my use case, it's not a problem.

kuschku1y ago

> Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Afaik, every major registrar allows you to add an NS record for the _acme-challenge subdomain, allowing you to put the _acme-challenge subdomain on a custom, self-hosted DNS server.

That in turn allows you to make the permissions as specific as you'd like. Personally I just run powerdns in docker for this.

2 more replies

skinner9271y ago

You don’t need automated DNS fiddling for lets encrypt. Certbot can either hook into Apache or NGINX, or run its own standalone server for verification.

3 more replies

pnutjam1y ago

I've had excellent controls using NearlyFreeSpeech.net for DNS (minor cost) and time4vps.com (free). Maybe very old registrars restrict DNS records..?

janwillemb1y ago

Parent did not say it was challenging.

I find fiddling with LE tedious because it has to be repeated too often.

slt20211y ago

certbot and crontab needs to be setup just once, to solve cert problem

2 more replies

wibblewobble1251y ago

jgalt2121y ago

so public server via http only then?

immibis1y ago

The point of TLS is to prevent your traffic getting MITMed. This benefit disappears if you have to let someone MITM your traffic to get TLS.

LoganDark1y ago

This depends. The point of TLS is to protect your application from hostile networks. Cloudflare hasn't proven hostile yet.

j / k navigate · click thread line to collapse