In the last few days I have been playing with my chicken coop, trying to make it more secure and faster/easier to maintain. As a result I’ve made some discoveries that reinforce my notion of chickens over cows. I’m probably not going to do a lot of explaining here; this is going to be a working outline. Sure, there is something to be said for scalable Google-sized systems, but be real… they are very rare. (See Malcolm Gladwell and Scott Galloway.)
Chickens over cows
My ISP gives me a public DHCP IP address. So long as my modem stays connected I keep the same IP as the lease renews. This is not a terrible problem, but if the IP does change I have to update the DNS of 30 domains. Of course I could use DynDNS, but that has other challenges.
I have a proper managed firewall/gateway connection between my router and my lab network. I limit the ports etc. that can connect to my network both in the modem and in the firewall. It’s not exactly pfSense or OPNsense, but it’s good enough. I route the various ports to different systems in my lab network.
One system runs haproxy; it hosts most of the ACME (Let’s Encrypt) handling and routes the incoming requests to the right backend by SNI.
Next is a Synology NAS running DSM. This hosts a bunch of different services. Alternate ACME certificates are managed here. This ACME client only uses the http challenge. Some certs terminate in other services like http or email. While the haproxy ACME service manages a couple of the certs, the Synology does too. It’s automated and will auto-deploy on other Synology services, but some domains on haproxy require exporting the cert. (Sharing the certs between systems requires scripting.)
Anything related to a farm is work, not a hobby – Marty Rainey
And then there are a number of web services systems that share certs so that the systems are trusted.
NOTE: the http challenge is better than the DNS challenge in that the DNS account can stay locked down and its passwords are not passed around. While wildcard certs are interesting, they can provide a gateway for a man in the middle attack.
When restarting haproxy, get the cert files from the Synology, combine them into a single PEM file, and copy it to the haproxy cert folder.
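The combine-and-copy step above is the kind of thing that is easy to get subtly wrong (a half-written file picked up by a reload, a world-readable private key, a chain file that was exported without its key). Below is an added example script, not the author’s own, that does the job defensively: it refuses to install a PEM that is missing either the certificate or the key, writes it with a restrictive mode, replaces the target atomically, and, when openssl is present, checks that the key actually matches the certificate before haproxy is reloaded. The Synology export path, the haproxy cert directory, and the domain name are assumptions; the sample PEM content in the test is constructed.

```shell
#!/bin/sh
# Added example (not the author's script): build the single PEM file that
# haproxy's "crt" directive expects (certificate chain followed by the
# private key) from the files exported by the Synology ACME client.
set -eu

# Returns 0 when the file holds at least one certificate and exactly one private key.
pem_is_complete() {
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

# combine_haproxy_pem FULLCHAIN PRIVKEY OUT
#   FULLCHAIN = leaf + intermediates, PRIVKEY = matching key, OUT = haproxy PEM
combine_haproxy_pem() {
    fullchain="$1"; privkey="$2"; out="$3"
    [ -s "$fullchain" ] || { echo "missing or empty: $fullchain" >&2; return 1; }
    [ -s "$privkey" ]   || { echo "missing or empty: $privkey" >&2; return 1; }
    tmp="$out.tmp.$$"
    # The output contains the private key: create it unreadable to others
    # (umask in a subshell so the caller's umask is left alone).
    (umask 077; cat "$fullchain" "$privkey" > "$tmp")
    if ! pem_is_complete "$tmp"; then
        rm -f "$tmp"
        echo "combined PEM is incomplete, not installing: $out" >&2
        return 1
    fi
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"   # atomic replace: haproxy never sees a partial file
}

# Optional extra check when openssl is installed: the key must belong to the
# first certificate in the file, and that certificate must not expire within
# a day (86400 s). Skipped silently on hosts without openssl.
pem_sanity_check() {
    command -v openssl >/dev/null 2>&1 || return 0
    certpub=$(openssl x509 -in "$1" -noout -pubkey)
    keypub=$(openssl pkey -in "$1" -pubout)
    [ "$certpub" = "$keypub" ] || { echo "key does not match certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null \
        || { echo "certificate expires within 24h: $1" >&2; return 1; }
}

# Deployment entry point, run as:  sh deploy-cert.sh deploy
# All paths below are assumptions for illustration; adjust to your setup.
if [ "${1:-}" = "deploy" ]; then
    SRC=/volume1/certs/example.com          # where the Synology export lands (assumed)
    DST=/etc/haproxy/certs/example.com.pem  # haproxy cert folder (assumed)
    combine_haproxy_pem "$SRC/fullchain.pem" "$SRC/privkey.pem" "$DST"
    pem_sanity_check "$DST"
    # Validate the whole config before reloading so a bad PEM cannot take haproxy down.
    haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy
fi
```

The `-c` config check before the reload is the cheap insurance here: if the new PEM is unparsable, haproxy reports it and the running instance keeps serving with the old certificate instead of failing over to nothing.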