One of the most anxiety-inducing parts of self-hosting for me is ensuring that everything is as locked-down security-wise as possible. That's become even more critical as I increase my footprint, adding my own domain and subdomains that point to each service. I'm also a little particular, and while I could use a self-signed TLS certificate to ensure HTTPS for the services that need it, the reminder that it hasn't been done "properly" every time I access those services irks me.
And while there's any number of reverse proxies that I could use to access those services, few are as easy to set up and use as Caddy. //
Officially, Caddy is an open-source web server that can be used for many things. But because it's so easy to set up and includes built-in automatic HTTPS with TLS certificate management, it's often used as a reverse proxy for the home lab. Every site it serves gets HTTPS: public domain names are issued certificates automatically from a public ACME CA (Let's Encrypt or ZeroSSL), while localhost, private hostnames and IP addresses get certificates from Caddy's own internal CA, whose root it tries to install into the local trust store.
The entire server is controlled by a single configuration file, the "Caddyfile," which is human-readable, and most tasks are handled with a few simple lines of text.
This tutorial will guide you through the process of setting up a TLS certificate using acme.sh and IONOS Cloud DNS. By following these steps, you will be able to secure your web server with a valid TLS certificate issued by ZeroSSL.
lukem
If you're going to use test values in your test systems, why not use test values allocated for documentation purposes that aren't expected to be used in "live" networks?
IETF RFC 5737 section 3 allocates three IPv4 CIDR ranges for documentation:
192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.
September 5, 2025 at 8:02 am
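An added example in the spirit of that comment, and not lukem's own code: a small POSIX sh linter that scans a fixture file for IPv4 literals and reports any that fall outside the three RFC 5737 ranges. The fixture text, the `DOC_RANGES` list and the helper names are constructed for this example; the CIDR check is general, so other ranges can be added to the list.

```shell
# Added example (not from the comment above): flag IPv4 literals in test
# fixtures that are outside the RFC 5737 documentation ranges.
# Plain POSIX sh; helper names and the sample fixture are constructed.

DOC_RANGES="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"   # RFC 5737 section 3

# ip_to_int DOTTED_QUAD -> prints the address as an unsigned 32-bit integer
ip_to_int() {
    _ip=$1
    _old_ifs=$IFS
    IFS=.
    set -- $_ip
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP NET/BITS -> exit 0 when IP lies inside the prefix
cidr_match() {
    _addr=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    if [ "$_bits" -eq 0 ]; then
        _mask=0
    else
        # shift a 32-bit all-ones mask left, then truncate back to 32 bits
        _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    fi
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# is_doc_ip IP -> exit 0 when IP is in one of the RFC 5737 TEST-NET blocks
is_doc_ip() {
    for _range in $DOC_RANGES; do
        cidr_match "$1" "$_range" && return 0
    done
    return 1
}

# lint_ips FILE -> prints every distinct IPv4 literal in FILE that is not a
# documentation address (loopback and RFC 1918 addresses are reported too;
# add them to DOC_RANGES if they are acceptable in your fixtures).
# Returns 1 if anything was reported, 0 if the file is clean.
lint_ips() {
    _found=0
    for _ip in $(grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u); do
        if ! is_doc_ip "$_ip"; then
            echo "$1: non-documentation address $_ip"
            _found=1
        fi
    done
    return $_found
}

# Demo on a constructed fixture: one good value, one that leaks a live-looking host.
FIXTURE=$(mktemp)
printf 'backend = 192.0.2.10\nupstream = 10.0.0.5\n' > "$FIXTURE"
lint_ips "$FIXTURE" || echo "fixture needs fixing"
rm -f "$FIXTURE"
```

Run it over your docs and test data in CI; a non-zero exit means a real-looking address crept in.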
Certbot uses a number of different commands (also referred to as “subcommands”) to request specific actions such as obtaining, renewing, or revoking certificates. The most important and commonly-used commands will be discussed throughout this document; an exhaustive list also appears near the end of the document.
The certbot script on your web server might be named letsencrypt if your system uses an older package.
In addition to cached redirects, HTTP Strict Transport Security (HSTS) may be at play. HSTS is a security feature that makes the browser use HTTPS even when a plain http:// URL is requested.
The browser starts enforcing HSTS for a domain after receiving a Strict-Transport-Security header from the server over HTTPS, and keeps enforcing it for as long as the header's max-age says. Browsers also ship with a preload list of domains for which HSTS is enabled by default.
In Chrome, you can delete a domain from HSTS after it was added by a server header. You cannot, though, remove domains that are baked into the browser's preload list (this includes popular websites and notably everything under the .dev TLD).
Go to chrome://net-internals/#hsts, enter example.com under "Delete domain security policies" and press the Delete button.
Then go to chrome://settings/clearBrowserData, tick the box "Cached images and files" and click the "Clear data" button.
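As an added example (not part of the original text), a small POSIX sh parser for the Strict-Transport-Security header, so you can see exactly what policy a server handed the browser before reaching for the net-internals page. It runs here over a constructed header block; to inspect a real host, feed it the output of `curl -sI https://example.com` instead. Function names are this example's own.

```shell
# Added example, not from the original text. Parses the HSTS policy out of a
# saved HTTP response header block. SAMPLE_HEADERS is constructed; replace it
# with the output of `curl -sI https://example.com` to inspect a live host.

SAMPLE_HEADERS='HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
cache-control: max-age=600'

# hsts_header HEADERS -> prints the Strict-Transport-Security value (first
# occurrence, case-insensitive name match, CR stripped), or nothing if absent
hsts_header() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//'
}

# hsts_max_age HEADERS -> prints max-age in seconds; 0 when no policy is
# sent. A server that wants browsers to forget a cached policy sends
# max-age=0, which is the server-side equivalent of the manual deletion above.
hsts_max_age() {
    _age=$(hsts_header "$1" | tr 'A-Z' 'a-z' \
        | grep -o 'max-age=[0-9][0-9]*' | head -n 1 | cut -d= -f2)
    echo "${_age:-0}"
}

# hsts_flag HEADERS DIRECTIVE -> exit 0 when DIRECTIVE (includeSubDomains or
# preload) is present in the policy; directive names are case-insensitive
hsts_flag() {
    _want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    hsts_header "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx "$_want"
}

# hsts_preload_ready HEADERS -> exit 0 when the policy meets the preload
# list's published minimum: max-age of at least one year, includeSubDomains
# and the preload directive all present
hsts_preload_ready() {
    [ "$(hsts_max_age "$1")" -ge 31536000 ] \
        && hsts_flag "$1" includeSubDomains \
        && hsts_flag "$1" preload
}

# hsts_summary HEADERS -> one line describing what a browser will remember
hsts_summary() {
    _age=$(hsts_max_age "$1")
    if [ "$_age" -eq 0 ]; then
        echo "no HSTS policy (or max-age=0: browser will forget any cached policy)"
        return 0
    fi
    _scope="this host only"
    hsts_flag "$1" includeSubDomains && _scope="this host and all subdomains"
    _pre="not preload-eligible"
    hsts_preload_ready "$1" && _pre="preload-eligible"
    echo "HSTS for $(( _age / 86400 )) days, $_scope, $_pre"
}

hsts_summary "$SAMPLE_HEADERS"
```

Note that a policy is only accepted when the header arrives over HTTPS; the same header on a plain-HTTP response is ignored, so always fetch with an https:// URL when checking.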
Already known bug, and very nasty. As I can see, internally no fix is ready yet.
Unofficial workaround:
Open in Vivaldi's address field chrome://flags/#https-upgrades
Set to Disable
Restart Vivaldi
⚠ Flags settings are always very experimental, unofficial and can cause other issues.
I hope you will remember, much later, that you made such changes if something goes wrong.
Script to create (1) a local certificate authority, (2) a host certificate signed by that authority for the hostname of your choice
While Let's Encrypt and its API have made it wonderfully easy for anyone to generate and install SSL certificates on their servers, it does little to help developers with HTTPS in their development environments. Creating a local SSL certificate to serve your development sites over HTTPS can be a tricky business. Even if you do manage to generate a self-signed certificate, you still end up with browser privacy errors.
In this article, we’ll walk through creating your own certificate authority (CA) for your local servers so that you can run HTTPS sites locally without issue. //
dobes_vandermeer
I put this all together in a shell script you can run: https://gist.github.com/dobesv/13d4cb3cbd0fc4710fa55f89d1ef69be
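An added example, not the article's script and not the gist linked above: a POSIX sh version of the same two steps (local CA, then a host certificate signed by it) with the extensions browsers actually insist on, plus a check that the result verifies. It needs only `openssl`. The output directory and the hostname are parameters; the `dev.example.test` hostname and the CA name used in the demo are assumptions.

```shell
# Added example, not the article's script or the gist above. Builds a local
# CA and a host certificate signed by it, with the extensions browsers
# actually require (CA:TRUE on the root, a subjectAltName on the leaf).
# Needs only openssl. Output directory and hostname are parameters; the
# values used in the demo at the bottom are assumptions.

# make_local_ca DIR [CA_NAME] -> writes DIR/ca.key and DIR/ca.crt
make_local_ca() {
    _dir=$1
    _name="${2:-Local Dev CA}"
    mkdir -p "$_dir"
    openssl genrsa -out "$_dir/ca.key" 2048 2>/dev/null
    cat > "$_dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = $_name
[ca_ext]
# Without CA:TRUE browsers reject every certificate this root signs.
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -sha256 -days 1825 \
        -key "$_dir/ca.key" -config "$_dir/ca.cnf" -out "$_dir/ca.crt"
}

# make_host_cert DIR HOSTNAME -> writes DIR/HOSTNAME.key and DIR/HOSTNAME.crt
make_host_cert() {
    _dir=$1
    _host=$2
    openssl genrsa -out "$_dir/$_host.key" 2048 2>/dev/null
    cat > "$_dir/$_host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
req_extensions = host_ext
[dn]
CN = $_host
[host_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Chrome ignores the CN: the hostname must appear as a SAN, or you still get
# a privacy error even with the root trusted.
subjectAltName = DNS:$_host
EOF
    openssl req -new -key "$_dir/$_host.key" -config "$_dir/$_host.cnf" \
        -out "$_dir/$_host.csr"
    # 825 days keeps within the lifetime Apple platforms accept for a
    # locally trusted server certificate.
    openssl x509 -req -sha256 -days 825 -in "$_dir/$_host.csr" \
        -CA "$_dir/ca.crt" -CAkey "$_dir/ca.key" -CAcreateserial \
        -extfile "$_dir/$_host.cnf" -extensions host_ext \
        -out "$_dir/$_host.crt" 2>/dev/null
}

# cert_chain_ok DIR HOSTNAME -> exit 0 if the leaf verifies against ca.crt
# and carries HOSTNAME as a DNS SAN
cert_chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 \
        && openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}

# Demo with constructed values: throwaway directory, assumed hostname.
DEMO_DIR=$(mktemp -d)
make_local_ca "$DEMO_DIR"
make_host_cert "$DEMO_DIR" dev.example.test
cert_chain_ok "$DEMO_DIR" dev.example.test && echo "chain verifies, SAN present"
```

The script deliberately stops short of trusting the root, since that step is per machine: add `ca.crt` to the OS store (`update-ca-certificates` on Debian/Ubuntu, `security add-trusted-cert` on macOS) and to Firefox separately, which keeps its own store unless `security.enterprise_roots.enabled` is set. Keep `ca.key` off any shared machine: whoever holds it can mint a certificate for any name your browsers trust.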
Third-party tools to check your configuration
Use this server to make DNS queries against an Unbound instance and get logs. The Unbound instance is configured very similarly to Let's Encrypt's production servers, and is started fresh for each query so there are no caching effects.
It’s not NTP. There’s no way it’s NTP. It was NTP
Let's Debug is a diagnostic tool/website to help figure out why you might not be able to issue a certificate for Let's Encrypt™.
Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.
See this page fetch itself, byte by byte, over TLS
- This page performs a live, annotated https: request for its own source. It’s inspired by The Illustrated TLS 1.3 Connection and Julia Evans’ toy TLS 1.3.
- It’s built on subtls, a pure-JS TLS 1.3 implementation that depends only on SubtleCrypto. Raw TCP traffic is carried via a serverless WebSocket proxy.