Cloudflare can decrypt the data before it hits my site before it encrypts it
Give Tailscale funnel a try, it provides similar functionality but does not need to terminate your TLS to do it.
Precisely. Except there is no “Tailscale manage them for you”.
So you could summarize your answer as "Tailscale certificates work like Let's Encrypt".
That’s just not true. When you run an nginx proxy on a tailscale node, that nginx will terminate the TLS. There is no “gap” between your browser and that server.
Both CF and Tailscale play MITM with your HTTPS connection
That’s not correct, tailscale does not intercept the traffic, TLS is terminated on the node. Tailscale mandates HTTPS / TLS with ts.net certificates so it can route traffic to the correct node in your tailnet.
Except you can condense that whole thread into
Is there any other way?
For all intents and purposes, let’s assume there isn’t. Running a DNS server on the ‘open internet’ is notoriously difficult if you are not familiar with the intricacies, especially with regards to security. Running it through a VPN is really the best option you have here.
I absolutely agree with this. If you cannot easily reproduce your configuration, all you are doing is pushing the problems down the line. Eventually, even simple things will get uncomfortable because it becomes uncomfortable to make. Better address the problem now while it’s still small.
I disagree. With licenses that are “straight proprietary”, it’s obvious what’s going on. The FSL is proprietary but tries to gaslight you into thinking that maybe it’s kinda not. That’s clearly worse because it relies on manipulation and can only ever be useful to someone acting in bad faith.
Sure, you can do all of that, fine by me. What you should not do is take that proprietary construct, slap the term “freedom” on it and try to muddy the waters of the FOSS licensing landscape even further for your own gain.
Except it’s not like Linux at all. Linux uses the GPL which imposes no usage restrictions. This is why the GPL is a free software license and the FSL is a proprietary software license.
I would actually entertain the argument of protecting themselves against free-riding if and only if they would publish a transparency report detailing how they reimburse open source projects for the “common infrastructure” like, say, Linux, that they use to build and run their commercial offering and how they arrive at the amount they consider fair for their use. So far, I have not been able to find anything remotely like that, so their whole argument is marketing and gaslighting.
The GPL is a fair play license as it offers everyone the same opportunities to use the software either for commercial purposes or otherwise. This license grants one party substantial rights over others, thus missing the main point of free software: free as in freedom, not free as in beer. That is also why free software organizations like the OSI won’t accept licenses like this as “open”.
Definitely, the specs are nice and I also cannot say I’m a huge fan of the RPi foundation. More competition in this space would be great, but not having mainline support is just too much of a hassle.
Fair, but I’m not running Armbian, so my requirements boil down to: Must run any up-to-date Linux distro without having to side-load custom kernels or anything. Should work out of the box.
Yeah, I figured. I’ll stick to the Raspberries then, mainly because they “just work”™.
My experience with Banana Pis is that they require some obscure kernel to run because the developers cannot be bothered to bring their hardware support and drivers upstream. Same was true for U-Boot. Has any of that changed in the meantime? If not, then this is a no-go for me.
With Tailscale, you would typically cut out the VPS; the connection would be client <-> homelab. No intermediary required. You COULD of course do it how you describe with the subnet router and everything, but the point of Tailscale is really to have end-to-end connectivity.
Containers are based on namespaces which have always also been a security feature.
Incorrect.
Chroot has been a common “system” technique, after all.
Incorrect.
Containers are not a security concept. Hence, running things inside of a container does not provide any security benefits as opposed to outside of the container.
In actual fact, if you take the time to configure your services with proper systemd security features, you get more secure environments than with running generic containers with “just” unprivileged users.
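As an added illustration of the "systemd security features" the comment above refers to (this is example configuration, not anything the commenter posted), here is a hardening drop-in for a hypothetical network service called `myapp.service`. The service name, binary path and state directory are assumptions; every directive is a real systemd `[Service]` setting. The unprivileged-user part is one line (`DynamicUser=`); the rest is the sandboxing that a plain container with an unprivileged user does not give you by default.

```ini
# /etc/systemd/system/myapp.service.d/hardening.conf  (example, hypothetical service)
[Service]
# Run as a transient unprivileged user; nothing runs as root inside the unit.
DynamicUser=yes
# Drop every capability and forbid regaining privileges via setuid binaries.
CapabilityBoundingSet=
NoNewPrivileges=yes
# Read-only view of the OS; only the named state directory is writable.
ProtectSystem=strict
ProtectHome=yes
StateDirectory=myapp
ReadWritePaths=/var/lib/myapp
# Private /tmp and /dev, no raw device or kernel tunable access.
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# No writable-and-executable memory, no namespace creation, no personality tricks.
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Only IPv4/IPv6 sockets; allow-list the syscalls a typical daemon needs.
RestrictAddressFamilies=AF_INET AF_INET6
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Unprivileged but still bind a low port if the service needs one.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
```

After `systemctl daemon-reload`, `systemd-analyze security myapp.service` scores the unit and lists which of these knobs are still open; it is the quickest way to check whether a "hardened" service actually is, and it makes a useful comparison point against the default profile of whatever container runtime is being argued about.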
Out of curiosity, why is that a deal breaker for you?