Hi. I have been into self-hosting for about 2 years, now. My current setup is that I have a home server and a VPS. My ISP does not let me forward any ports (I am behind CGNAT, I think), so, I have connected my home server to a VPS via a WireGuard tunnel and am using Nginx Proxy Manager (NPM) to proxy the services hosted on my homeserver to the public.
Now, the traffic that goes from my home server to the VPS and from VPS to the public are encrypted, but theoretically, the VPS provider can look at the data passing through, since this is technically TLS termination. Although, I trust my VPS provider more than I trust my ISP, I am thinking about setting up TLS passthrough, for additional privacy. But I have a few questions and I would be greatful if anyone can help me.
- Do I need to put the SSL certificates on my homeserver, or can they remain on the VPS if I have to set up TLS Passthrough?
- Is port forwarding required to set up TLS passthough?
- Does NPM support TLS passthrough, or should I shift to HAProxy?
If there are any issues with my current setup, or the assumptions I am making, please guide me.
If you’re using Lets Encrypt, look at doing DNS validation instead of HTTP. Bit easier and you don’t need to worry about that side.
Either way, if you’re passing through all of ports 80 and 443 to your home server thru the WireGuard tunnel to the proxy, HTTP validation should still work fine.