Remix.run Logo
cobertos 2 hours ago

Why not just map the domain to an internal IP and call it a day? Then the only way it can be accessed is through a VPN. Then use a wildcard so none of leaks into cert transparency logs

throw0101d 2 hours ago | parent [-]

> Then use a wildcard so none of leaks into cert transparency logs

You now also have to build infrastructure to distribute the wildcard from (presumably) central place where you generate it to all the different places where it is desired.

And hope the wildcard's private key does not leak from one of myriad of places it now lives.

AlexanderYamanu 8 minutes ago | parent | next [-]

well, I configure my services te request their own wildcard certs from a caching proxy acme to letsencrypt. Easy peasy.

cobertos an hour ago | parent | prev [-]

I have a few Traefik instances that request wildcards independently of each other. Each with the same config, per server.

Leaking is an issue but we're talking about internal services too.