There’s no certificate at the VPS level. It forwards everything to and from the self hosted reverse proxy.

Now that you mention it though, there may be a slight complication with pinning the reverse proxy to the domain API for cert renewals. I’ll have to check how I have mine configured but I may have given my reverse proxy a IPv6 and configured that for cert renewals.

That would mean some down time as you update the IP if your ISP rotates it.

This is fine unless you have a slightly higher threat model.

Me personally, I dislike the idea that if someone (VPS provider or LE) were to snoop inside my VPS, they would have all of my unencrypted data where TLS ends and wireguard picks it up.

I don’t do anything illegal, but I do have photos, personal files, and deeply personal journals/notes for which I enjoy the comfort of mind when kept private and secure.

My recommendation is always to have your TLS equipped reverse proxy on your own hardware. Then use a VPS as a SSL passthrough proxy that forwards requests to the locally hosted reverse proxy. You can connect the two via wireguard.

This has a few benefits. It keeps encryption end to end. It also allows you to connect to your server via your domain name even in you LAN. You can hijack your domain at the router level DNS menu to reroute to your local reverse proxy. And it keeps the TLS connection.

This is fine if the post is something insanely low effort.

But I do worry if this ends up being too aggressive.

One of the things that made reddit so awful is how over moderated it was.

I don’t really take issue with dozens of posts by newbies asking the same basic question over and over. I used to be one and am occasionally back there again if I start a new hobby. Hopefully newcomers don’t get pushed off by overly sensitive moderation.

It would be helpful if you could provide a hypothetical example of what is considered a “low effort” post.

Your first suggestion is a clever one.

I can imagine writing a small script on the host machine to listen for subdomains, forward them to pfsense to update the aliases, and possibly set them to expire after a few days for security reasons.

Surely something like this exists. How to find it…?

I had similar concerns in the past. I decided to move all of my VPS hosted services to a physical server that I control. I then use a VPS as a portal, set to simply forward traffic without unencrypting the HTTPS. Look up SSL pass through.

I’ve been using it for many months and I like it a lot. Only one of my banking apps doesn’t work.

Currently my main issue is that webauthn stopped working after an update. And the community support hasn’t been helpful.

I wish they had better documentation in general.

I disagree. I think if the company wants to sell its customers’ data, they need to first submit to installation of cameras in every room of each member of the board of directors private domicles, live streamed ala Fishtank style on the internet. I think that’s a fair trade.

I’m in the same boat as you in that I need Instagram for work. My approach is to create a separate work profile in GrapheneOS. I handle all of my mobile work apps in that profile using a separate VPN from all other profiles. I don’t expect to be completely free from tracking in this profile, but for my threat model I don’t mind too much. Any web queries I make in this profile I keep strictly work related.

People arguing you just shouldn’t use Instagram need to remember Instagram is a tool just like Windows, Adobe, etc. Sometimes you need a specific tool to do your job and I believe as long as you containerize that aspect of your life then you’ll be fine.

Just don’t use your work Instagram for personal stuff, not even browsing memes.

I’m familiar with Proxmox, virtualbox, and KVM/KVM manager.

If I want to set up a PC to virtualize multiple operating systems, but with the feel of a multiboot system, what virtualization software would you suggest?

My goal is for the closest I can get to a multiboot system (windows, Debian, fedora) but virtualized so I can make snapshots. It should feel like I’m on baremetal when inside the VM.

Virtualbox is clunky with lots of pesky UI cluttering the screen and Proxmox doesn’t seem great for this use case.

I replaced the drives, installed the newest version of PVE, then restored all of my VMs from local USB backup. I had to reconfigure a number of things such as HDD pass through and other network settings, but in the end the migration was a success.

I don’t work in IT at all. My self hosting journey started when I got sick of feeling powerless in the face of big tech companies who are increasingly ripping off customers or violating their right to privacy. There’s also the general mistrust that comes from my data being repeatedly breached or leaked because share holder profits are more important than investing in basic security.

I always wonder what legal risks hosting something like this comes with. If you host a public server and uploads are client side encrypted, seems like it would be a magnet for illegal file transfer and CSAM, no?

I use a bunch of Amcrest PoE cameras. None with PTZ though. I run them to a dedicated box running frigatenvr. From there I allow access from Homeassistant with the frigate integration.

IP cameras allow you to access the device via web gui where you can view and configure the camera for your needs. Once I’ve set them up I only ever access them again through frigate.