I’ve been researching different ways to expose Docker containers to the internet. I have three services I want to expose: Jellyfin, Omnivore (Read-it-later app), and Overseerr.
I’ve come across lots of suggestions, like using Nginx with Cloudflared, but some people mention that streaming media goes against Cloudflared tunnel TOS, and instead recommend Tailscale, or Traefik, or setting up a WireGuard VPN, or using Nginx with a WireGuard VPN.
The amount of conflicting advice has left me confused. So, what would be the best approach to securely expose these containers?
Just my 2 cents.
How is a private CA more secure then an offline CA with cross signed intermediate signing subCA?
You’ll have to explain that one to me.
A public CA (Let’s Encrypt, Komodo, GoDaddy, etc) don’t actually sign certificates with their root CA certificate. The root CA creates a subCA (Or signing CA) that actually generates the certificates and the system holding the private keys of the root certificate is shutdown to prevent access but is brought back online every so often to update the revocation list.
You said a private CA is more secure so I am wondering how that is?
Because a private CA allows you to create a certificate and nobody else has the ability to create certificates unless you give them the keys or a signing CA. With Let’s Encrypt, you are trusting every major certificate authority to not create a cert on your domain; coupled with DNS poisoning means you would end up on a legit-looking but counterfeit website of yours.
Nothing is stopping me from making a certificate from my offline CA for your domain.
Even if you don’t trust the certificate the traffic is still encrypted.
Yea that’s the whole trusting trust thing. You can theoretically set up hour browser to only trust your private CA and not trust any of the publicly trusted CAs. Depends on your threat model I suppose.