this post was submitted on 03 Nov 2023
4 points (75.0% liked)

Selfhosted

40329 readers
426 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hi everyone.

I was trying to research about how to implement SSL on the traffic between my clients and the containers that I host on my server.

Basically, my plan was to use upstream SSL in HAProxy to attempt to achieve this, but in order for that to work, each individual container on my server needs to be able to decrypt SSL. I do not think that is possible and that every container has the necessary libraries for it. This puts a halt on my idea for upstream encryption of traffic from my reverse-proxy to my containers.

With that said, ChatGPT suggested I use Kubernetes with a service mesh like Istio. The idea was intriguing so I started to read about it; but before I dive head-first into using k3s (TBH it's overkill for my setup), is there any way to implement server-side encryption with podman containers and a reverse-proxy?

After writing all of this, I think I'm missing the point about a reverse-proxy being an SSL termination endpoint, but if my question makes sense to you, please let me know your thoughts!

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] ithilelda@lemmy.world 2 points 1 year ago* (last edited 1 year ago) (1 children)

if I'm understanding your question correct, you are trying to use tls on containers that may not have tls libraries?

there are two ways to that. one is to rebuild every container by yourself modifying its services to contain tls. the other is to use a pod. you put your service container and a reverse proxy into the same pod, setup that reverse proxy correctly as an edge proxy terminating tls, and expose only the reverse proxy's port. that way, it will just look like a service with tls enabled.

since you are considering tls for everyone, I assume that you don't care about overheads. adding a reverse proxy in front of every container is like 10-50MB of additional memory, and it won't matter on modern systems.

[–] MigratingtoLemmy@lemmy.world 1 points 1 year ago (1 children)

Thank you, this is an excellent idea. I will probably not run a pod for every container (technically I can, since Netavark is supported for rootless containers in Podman 4.0), but I will definitely have a few pods on my system, where I can definitely use a reverse-proxy for every pod. Just need to figure out how I can automate it.

Thanks again

[–] notfromhere@lemmy.one 2 points 1 year ago

Single node k3s is possible and can do what you’re asking but has some overhead (hence your acknowledgment of overkill). One thing i think it gets right and would help here is the reverse proxy service. It’s essentially a single entity with configuration of all of your endpoints in it. It’s managed programmatically so additions or changes are not needed to he done by hand. It sounds like you need a reverse proxy to terminate the TLS then ingress objects defined to route to individual containers/pods. If you try for multiple reverse proxies you will have a bad time managing all of that overhead. I strongly recommend going for a single reverse proxy setup unless you can automate the multiple proxies setup.