Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
If you use Let's Encrypt certificates on that subdomain it's pretty easy to find: https://crt.sh/
Not if you get a wildcard certificate, then the CT logs only show *.example.com. The bad guys also can't get subdomains from the DNS server without breaking into it because nowadays DNS servers don't do public zone transfer.
You can also use a wildcard CNAME on the DNS too, just to be extra safe. That way the subdomain names only live in your reverse proxy and on your devices, effectively acting as an additional auth factor (see below though). But it only works if you don't need to define any explicit subdomain; typically clashes with email stuff because a CNAME on *.example.com won't allow you to also have MX on *.example.com or TXT on _dmarc.example.com.
It's true that subdomains are not a super secret auth factor right now because of SNI (Server Name Indication), which transmits them in the clear outside TLS connections so that reverse proxies can do host-based routing. So the subdomain can be intercepted anywhere: on routers, by ISPs, etc. It will also be freely given away to any DNS server you use to resolve them (but you can mitigate that by using DoH or DoT with a privacy-pledged DNS server). You also can't afford to share links to your subdomain with anybody, so it's best kept for services used only by a select number of trusted people.
The SNI issue is being worked on btw, we now have Encrypted Client Hello (ECH) which uses DoH keys to encrypt the domain name outside TLS, but ECH is still being adopted.