Ask HN: How to securely expose an internal webserver to the internet
5 comments
You are on a cursed mission.
If you want someone else to do your auth for you (I.e, sign in with google account before you get proxied to the origin), you will need to allow them to terminate the TLS for you. Otherwise, they won't know the state of the auth mechanism.
If you want someone else to do your auth for you (I.e, sign in with google account before you get proxied to the origin), you will need to allow them to terminate the TLS for you. Otherwise, they won't know the state of the auth mechanism.
If it's just for you, you could simply SSH forward the nextcloud's port to your machine. No need to deal with domains and TLS at all.
No it’s for public access. Still, a reverse ssh tunnel could expose it on a VPS, but there is no authentication and ACL.
SSH port forwarding is also typically slow.
SSH port forwarding is also typically slow.
Pinggy (https://pinggy.io) supports TLS tunnels (end to end encrypted). However, by design that means Pinggy cannot put any authentication layer in front of it. The connection will be end-to-end encrypted from the browser to your server.
Disclosure - I am working with Pinggy.
Disclosure - I am working with Pinggy.
* Cloudflare Access: This is great, but Cloudflare terminates the TLS which is not acceptable (otherwise I will run the application in the cloud)
* Ngrok: The free tier is limited (doesn’t support custom domains and is too limited in bandwidth), and the pricing of the paid tier doesn’t fit
* A reverse proxy on a VPS with something like Authentik or Teleport in front of it. This would work but I prefer that I don’t configure and maintain the Authentik. It seems risky.
I am looking for recommendations.