I have a domain that requires HSTS preload. I want to self host a few things using that domain (and subdomains), like nextcloud, pihole, and vaultwarden. How much of an issue is HSTS preload going to be if I do that? Will I need to set up a wildcard cert for everything? Or will it just work™️ because it’s internal or traffic is through a VPN?

I can’t find much about this so any help would be appreciated!

  • Xanza@lemm.ee · 1 point · 28 days ago

    I self-host on a .dev domain. It’s extremely simple with Caddy, as it’s HTTPS by default. Anything else is kind of a pain in the ass sometimes.

    I also know of those who’ve had great success with Lego although I’ve never personally used it.

  • BakedCatboy@lemmy.ml · 1 point · 28 days ago

    I use a .dev and it just works with letsencrypt. I don’t do anything special with wildcards, I just let traefik request a cert for every subdomain I use and it works. I use the tls challenge, which works on port 443, so I don’t think HSTS or port 80 matters, but I still forwarded port 80 so I can serve an http->https redirect since stuff like curl and probably other tools might not know about HSTS.

  • just_another_person@lemmy.world · 0 points · 28 days ago

    Required? That’s quite a commitment. Is this a Cloudflare thing?

    All it really means is that you have to advertise some metadata about your max-age and (sub)domains associated with whatever the domain is. If you’re only planning to serve over HTTPS, and you have a bulletproof refresh workflow for your certs, it’s not going to be a huge issue. Clients need to respect HSTS first, so if your clients don’t check, it’ll still function.

    If you’re just using internal or VPN traffic, there’s literally no point in using it EXCEPT to satisfy client requirements.

    Can you expound a bit more on this requirement btw? Now I’m curious.

    • Xanza@lemm.ee · 2 points · 28 days ago

      Required? That’s quite a commitment. Is this a Cloudflare thing?

      There are specific TLDs which are required at the DNS level to be served over HTTPS. .dev is an example. The browser will physically not load a .dev domain over anything but HTTPS.

    • wraith@lemmy.ca (OP) · 1 point · 28 days ago

      Google is the registry that owns the rights to the TLD. They require all of the domains they control to have HSTS preload enabled.

      • wildbus8979@sh.itjust.works · 1 point · 28 days ago

        Then yeah, VPN or not, you’re going to need to enable TLS. What’s the issue with giving your subdomains a certificate?
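Two of the replies above describe what HSTS preload actually demands of a self-hosted setup: the header must advertise a long max-age plus the (sub)domain scope, and port 80 should still redirect to HTTPS for clients that ignore HSTS. The following checker is an added example, not code from the thread or from Caddy/traefik; it parses a Strict-Transport-Security header and reports anything that would disqualify a host from the preload list (max-age below one year, missing includeSubDomains or preload, no same-host https:// redirect). Hostnames and responses below are constructed samples.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; minimum max-age the preload list accepts

@dataclass
class Hsts:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(value: str) -> Hsts:
    """Parse a Strict-Transport-Security value; directive names are case-insensitive (RFC 6797)."""
    h = Hsts()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            h.max_age = int(arg)
        elif name == "includesubdomains":
            h.include_subdomains = True
        elif name == "preload":
            h.preload = True
    return h

def preload_problems(https_headers: Dict[str, str], http_status: int,
                     http_headers: Dict[str, str], host: str) -> List[str]:
    """Return the reasons `host` would be rejected for preloading; an empty list means it passes."""
    problems: List[str] = []
    hdrs = {k.lower(): v for k, v in https_headers.items()}
    raw = hdrs.get("strict-transport-security")
    if raw is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    h = parse_hsts(raw)
    if h.max_age is None or h.max_age < ONE_YEAR:
        problems.append(f"max-age must be at least {ONE_YEAR}, got {h.max_age}")
    if not h.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not h.preload:
        problems.append("preload directive missing")
    # Plain-HTTP request must redirect to https:// on the same host, so tools
    # that do not honour HSTS (curl, older clients) still land on TLS.
    loc = {k.lower(): v for k, v in http_headers.items()}.get("location", "")
    target = urlsplit(loc)
    if http_status not in (301, 302, 307, 308) or target.scheme != "https" or target.hostname != host:
        problems.append("port 80 does not redirect to https:// on the same host")
    return problems

# Constructed sample: a correctly configured subdomain passes, a weak one does not.
GOOD = preload_problems({"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
                        301, {"Location": "https://nextcloud.example.dev/"}, "nextcloud.example.dev")
BAD = preload_problems({"Strict-Transport-Security": "max-age=300"}, 200, {}, "pihole.example.dev")
```

Feed it the headers from a real HTTPS response and the status/Location from the plain-HTTP response to the same host; a non-empty list tells you which of the preload requirements the reverse proxy is not yet meeting.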