I am hosting few services for my friends and family on my server. Due to devices limitations, I can’t install VPN on TVs etc. Is it possible to restrict the access to only those users that have a certificate issued by me?

  • SheeEttin@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    ·
    1 year ago

    I doubt you’ll be able to install client certificates on TVs either. Typically you’d establish a site to site VPN in each location’s network stack.

    • WhyAUsername_1@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      I am hoping it might work. It’s Android TV. So it should support certificates. Site to site VPN is a bit challenging. I will try to explore the mTLS option suggested here.

      Thanks!

  • sv1sjp@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Personally I use Caddy reverse proxy server and Pihole. I have configured my IP as a domain name in local DNS (example.com).

    Caddy supports automatic TLS 1.3 support. So I just copied the CA file snd I installed to all of my devices (even in my Oculus Quest 2). I want to watch movies? I am coming to movies.example.com. i want to read my books? bookd.example.com.

    Caddy configuration is very easy, even using containers with docker.

  • trimmerfrost@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Use mTLS (mutual TLS) also called client certificates with nginx or whatever your webserver is

    • amp@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      mtls over nginx is the simplest way. but be aware that while it works great on desktop browsers, other reduced browsers (incl mobile) often don’t support it.

      • trimmerfrost@lemm.ee
        link
        fedilink
        arrow-up
        2
        arrow-down
        3
        ·
        1 year ago

        It works on Android using Chromium based browsers too. You have to install your client certificate in the Android Settings. When you visit the site using a chromium based browser, it will ask you to verify yourself using the installed certificate. I used to use it in the past

        Unfortunately it doesn’t work with Firefox on Android. Don’t know anything about iOS

    • WhyAUsername_1@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Superb. Planning to implement this with Caddy. Nginx was having performance issues , last time I configured it. Maybe I didn’t configure it well…

      Will try nginx as reverse proxy if Caddy doesn’t work well for mTLS.

  • amp@kbin.social
    link
    fedilink
    arrow-up
    1
    arrow-down
    1
    ·
    1 year ago

    ^ that is the way. works well on desktop browsers, but others like mobile often don’t support mtls :(