mTLS is mutual TLS, more commonly known as client cert authentication (alongside the modern standard server authentication), for anyone else who has never heard of it by that name
this post was submitted on 04 Jan 2026
26 points (96.4% liked)
Selfhosted
54368 readers
1114 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
I've never heard it called anything but mTLS. :shrug:
mTLS is the more common name these days.
Give the Pangolin project a look.
It's a reverse proxy with tunneling solution that can expose domain names to the internet without having to manage the certificates or open ports.
I use it in my home lab and it's very very good
In the interest of giving more than “there are tons of those” I’ll suggest starting the search with https://caddyserver.com/
It provides a CA, reverse proxy, and can act as its own ACME server, providing mTLS between instances.
If you feel up for answering, what is your use case for wanting to manage your own mTLS?
My main use case is using it to protect my exposed Home Assistant instance in a way that doesn't require a VPN that family can screw up. I can just install the cert into the app for them and it Just Works. I also use it for my own Gotify notifications.
As a more general rule, I apply it to anything I want to expose but can't easily protect using OIDC logins. I used to put more behind it, but I recently opened up my services to friends and family, so I moved to using Authentik as my primary defense for most things. mTLS was great when it was just me, I can easily install the cert into my own browser and all of my Android apps (except Firefox Android...) but friends and family just zone out when I explain why their new phone doesn't connect, so I had to adjust my systems to compensate.
I’ve found Authentik’s proxy will break things that don’t support it (like a Jellyfin app; afaik no app supports hitting an Authentik proxy login first). Do you have a way around that? Or are the friends/fam web-browser only unless they get around to the certificate?
You can use Authentik to setup an LDAP outpost then use a jellyfin LDAP plug-in to sync everything up.
https://github.com/jellyfin/jellyfin-plugin-ldapauth?tab=readme-ov-file
I don't want to manage my mTLS. That's why I'm looking for a better solution.
To actually answer your question, I use mTLS to protect all my self hosted services. It is highly secure since it operates on the transport layer.
Gotchya, so at the reverse proxy stage you have a pathway for “if they have the mTLS certificate, allow in” to let you access your stuff from outside your local network?