It started at 5am. I was up before the rest of the family, so I did what any sensible person with poor sleep habits and a mild obsession with privacy would do. I turned on the TV, opened SmartTube, and had a quick browse through YouTube.
One video in my recommended feed from Techlore caught my eye: “Brave Just Released a Paid Browser: Here’s What You Need to Know.” As someone who has used Brave for years, that title was enough to pull me in. I wanted to keep up with current developments, and it looked like a decent place to start. I will do a separate post about Brave Origin in the coming days, because that deserves its own write-up.
What began as simple browser curiosity quickly turned into a bookmark syncing rabbit hole.
I started looking at Floccus and a few other options. Since I already have Nextcloud running, it was the logical choice for the backend. I downloaded the Floccus app from F-Droid and started the configuration, but then I hit the “How do you want to sync?” setup page, and that changed the direction of the whole morning.
The options were laid out clearly. If I wanted to sync with the native Bookmarks app for Nextcloud, or use Linkwarden or Karakeep, the notes were explicit: “This option cannot make use of end-to-end encryption.” To actually get E2EE, I’d have to use a WebDAV share, Google Drive, or Dropbox.
That made me stop.
At first, I thought it was okay. I was self-hosting, it was all “local” anyway, and I wasn’t handing my data to a third-party cloud provider. But as I sat there in the quiet of the early morning, the wider picture finally dawned on me. The bookmarks themselves weren’t the issue; it was the journey they took to get to my server.
I realised that my VPS was terminating TLS.
This meant that because those specific self-hosted sync methods lacked built-in E2EE, my traffic, bookmarks, folders, the lot, existed in plain text on IONOS hardware before being passed to my home lab. Not because IONOS were doing anything shady. I have been a customer for years, and their support is spot on; I don’t have an issue with them. But the architecture was flawed. I was handing a provider visibility that they simply did not need to have.
That was the uncomfortable bit. I’m a FOSS enthusiast for a reason, and if the architecture allows for a “man-in-the-middle” by design, it doesn’t matter how much you like the provider. You’ve expanded your trust boundary too far.
The mission was immediate: move the TLS termination to my home lab and turn the VPS into a “blind pipe.”
I migrated Nginx Proxy Manager into a Proxmox container in my lab and reconfigured the VPS using socat. Now, it just moves raw TCP packets. No decryption. No keys. It sees nothing but encrypted noise, and I still have zero open ports on my local network.
Fixing the fallout took a bit of work, I had to set up split DNS with AdGuard Home to stop local devices from triggering 403 errors by trying to loop out to the VPS, and I had to sort some Docker DNS quirks. But it was worth it.
A 5am browse turned into a proper privacy rethink. Brave Origin was the spark, Floccus was the trigger, and a pipe-only VPS was the fix. I’ve reclaimed total control over my data, exactly how it should be.