this post was submitted on 25 Jan 2025
2 points (75.0% liked)

homelab

7447 readers
1 users here now

founded 4 years ago
MODERATORS
[email protected]
2
SSL Certs With NGINX (lemmy.world)
submitted 2 months ago by [email protected] to c/[email protected]
10 comments fedilink hide all child comments
 

I recently generated a self-signed cert to use with NGINX via it's GUI.

  1. Generate cert and key
  2. Upload these via the GUI
  3. Apply to each Proxy Host

Now when I visit my internal sites (eg, jellyfin.home) I get a warning (because this cert is not signed by a trusted CA) but the connection is https.

My question is, does this mean that my connection is fully encrypted from my client (eg my laptop) to my server hosting Jellyfin? I understand that when I go to jellyfin.home, my PiHole resolves this to NGINX, then NGINX completes the connection to the IP:port it has configured and uses the cert it has assigned to this proxy host, but the Jellyfin server itself does not have any certs installed on it.

top 10 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 2 months ago (1 children)

Heyia ! I battled a few weeks to get my own mini-ca to work in my own lan (green padlock, no warning) while a lot of people would argue that it doesn't add much security wise and give a fault sense of protection, it still encrypts your communication in your LAN.

Normally you will give NGNIX a "server" certificate, the one that will be tested against your rootCA installed on your computer/laptop for each service (or a wildcard domain cert).

If you want to see if your communication is encrypted and secure, give wireshark a try and look if your communication is in plaintext or encrypted gibberish !

Also If you want I got some good documentation on how to create your own mini-ca in your homelab !

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (1 children)

Ah, I guess I might need to add my RootCA to my phone, laptop, pc huh? That would get rid of the untrusted warnings. Yes, please feel free to share if you have documentation!

Update: I setup my own local CA and got it working. Thanks for the tip!

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago)

https://we.tl/t-JuecCJUxc0

This is an extract from Demystifying Cryptography with OpenSSL 3.0 Discover the best techniques to enhance your network security with OpenSSL 3.0 ! It's really a good read and helped me to make a secure and self-signed certificate environment. In this example though he uses the ED448 algorithm which won't work on most browser (if any...).

Last year when I followed this tutorial I also tried with EdDSA with Curve25519 but also here TLS wasn't working and the certificate just got rejected by Firefox. See here ! It seems resolved though so you can give it a shot :).

Else just fall down to RSA and longer keys. Why? Just to quote something else from the book:

NIST curves are developed by NSA and standardized by NIST. Brainpool curves are proposed by the Brainpool workgroup, a group of cryptographers that were dissatisfied with NIST curves because NIST curves were not verifiably randomly generated, so they may have intentionally or accidentally weak security.

Hope it helps :)

[–] [email protected] 2 points 2 months ago (1 children)

Unlikely, if there are no certs in jellyfin itself. Did you configure jellyfin for https and configure nginx to use the https port?

[–] [email protected] 1 points 2 months ago (1 children)

I haven't. I created this custom cert and uploaded in in NGINX (NGINX itself isn't using SSL) and applied it to each proxy client, then when I visit one of them it appears to be HTTPS, but I feel that it probably isn't actually giving me the protections I imagine.

[–] [email protected] 2 points 2 months ago (1 children)

If jellyfin isn't configured for https, then the proxy is terminating the encryption and it proceeds unencrypted. If it's purely internal routing that's fine, but if not then additional configuration is required.

But if it's all on the LAN, it's probably not a big deal in any case.

[–] [email protected] 1 points 2 months ago (1 children)

Gotcha, that matches my assumptions. Yes everything is internal. It's accessible remotely via Wireguard, but I mostly wanted to get some practice with NGINX/ TLS certs (also way easier to refer to things around the house with <service>.homelab isntead of IP:port, haha.

So if I did want this to be fully encrypted, I would essentially need to configure each service (jellyfin, home assistant, etc) to have SSL on them with this self-signed cert/ key that I used on NGINX (or perhaps new cert/ key) and then I would be all set?

[–] [email protected] 1 points 2 months ago

Yes. Or, just don't expose jellyfin to the LAN and be okay with traffic being unencrypted on the LAN. Personally I use traefik and jellyfin as containers on one host, so that traffic never transits any Ethernet.

[–] [email protected] 1 points 2 months ago (1 children)

Is Jellyfin running on the same host as nginx? Then, yes your connection to jellyfin is encrypted.

[–] [email protected] 1 points 2 months ago

They’re both different VMs on different VLANs running on the same Proxmox host