this post was submitted on 10 Jan 2025
83 points (95.6% liked)

Selfhosted

41153 readers
334 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

tldr: I'd like to set up a reverse proxy with a domain and an SSL cert so my partner and I can access a few selfhosted services on the internet but I'm not sure what the best/safest way to do it is. Asking my partner to use tailsclae or wireguard is asking too much unfortunately. I was curious to know what you all recommend.

I have some services running on my LAN that I currently access via tailscale. Some of these services would see some benefit from being accessible on the internet (ex. Immich sharing via a link, switching over from Plex to Jellyfin without requiring my family to learn how to use a VPN, homeassistant voice stuff, etc.) but I'm kind of unsure what the best approach is. Hosting services on the internet has risk and I'd like to reduce that risk as much as possible.

  1. I know a reverse proxy would be beneficial here so I can put all the services on one box and access them via subdomains but where should I host that proxy? On my LAN using a dynamic DNS service? In the cloud? If in the cloud, should I avoid a plan where you share cpu resources with other users and get a dedicated box?

  2. Should I purchase a memorable domain or a domain with a random string of characters so no one could reasonably guess it? Does it matter?

  3. What's the best way to geo-restrict access? Fail2ban? Realistically, the only people that I might give access to live within a couple hundred miles of me.

  4. Any other tips or info you care to share would be greatly appreciated.

  5. Feel free to talk me out of it as well.

(page 2) 49 comments
sorted by: hot top controversial new old
[–] powermaker450@discuss.tchncs.de 3 points 1 week ago* (last edited 1 week ago)

if you know/use docker, the solution that has been the most straightforward for me is SWAG. the setup process is fairly easy when combined with registering your domain with Porkbun, as they allow free API access needed for obtaining top-level (example.com) as well as wildcard (*.example.com) SSL certificates.

along with that, exposing a new service is fairly easy with the plethora of already included nginx configs for services like Nextcloud, Syncthing, etc.

[–] jimmy90@lemmy.world 2 points 1 week ago (1 children)

nixos with nginx services does all proxying and ssl stuff, fail2ban is there as well

[–] a_fancy_kiwi@lemmy.world 1 points 1 week ago (1 children)

I know I should learn NixOS, I even tried for a few hours one evening but god damn, the barrier to entry is just a little too high for me at the moment 🫤

[–] jimmy90@lemmy.world 1 points 1 week ago* (last edited 1 week ago) (6 children)

i guess you were able to install the os ok? are you using proxmox or regular servers?

i can post an example configuration.nix for the proxy and container servers that might help. i have to admit debugging issues with configurations can be very tricky.

in terms of security i was always worried about getting hacked. the only protection for that was to make regular backups of data and config so i can restore services, and to create a dmz behind my isp router with a vlan switch and a small router just for my services to protect the rest of my home network

load more comments (6 replies)
[–] iAmTheTot@sh.itjust.works 2 points 1 week ago

I use nginx manager in its own docker container on my unraid server. Was pretty simple to set up all things considered. I would call myself better with hardware than software but not a complete newb and I got it running with minimal headache.

[–] j4k3@lemmy.world 2 points 1 week ago (1 children)

I've tried 3 times so far in Python/gradio/Oobabooga and never managed to get certs to work or found a complete visual reference guide that demonstrates a complete working example like what I am looking for in a home network. (Only really commenting to subscribe to watch this post develop, and solicit advice:)

[–] a_fancy_kiwi@lemmy.world 3 points 1 week ago* (last edited 6 days ago) (1 children)

I've played around with reverse proxies and ssl certs and the easiest method I've found so far was docker. Just haven't put anything in production yet. If you don't know how to use docker, learn, it's so worth it.

Here is the tutorial I used and the note I left for myself. You'll need a domain to play around with. Once you figure out how to get NGINX and certbot set up, replacing the helloworld container with a different one is relatively straight forward.

DO NOT FORGET, you must give certbot read write permissions in the docker-compose.yml file which isn't shown in this tutorial
-----EXAMPLE, NOT PRODUCTION CODE----

    nginx:
        container_name: nginx
        restart: unless-stopped
        image: nginx
        depends_on:
            - helloworld
        ports:
            - 80:80
            - 443:443
        volumes:
            - ./nginx/nginx.conf:/etc/nginx/nginx.conf
            - ./certbot/conf:/etc/letsencrypt:ro
            - ./certbot/www:/var/www/certbot:ro

    certbot:
      image: certbot/certbot
      container_name: certbot
      volumes: 
        - ./certbot/conf:/etc/letsencrypt:rw
        - ./certbot/www:/var/www/certbot:rw
      command: certonly --webroot -w /var/www/certbot --keep-until-expiring --email *email* -d *domain1* -d *domain2* --agree-tos
[–] Breve@pawb.social 2 points 1 week ago (1 children)

I'd add that Traefik works even better with Docker because you tag your other containers that have web ports and Traefik picks that up from Docker and terminates the SSL connection for them. You don't even have to worry about setting up SSL on every individual service, Traefik will take care of that even for services that don't implement SSL.

[–] a_fancy_kiwi@lemmy.world 1 points 1 week ago (1 children)

You don’t even have to worry about setting up SSL on every individual service

I probably need to look into it more but since traefik is the reverse proxy, doesn't it just get one ssl cert for a domain that all the other services use? I think that's how my current nginx proxy is set up; one cert configured to work with the main domain and a couple subdomains. If I want to add a subdomain, if I remember correctly, I just add it to the config, restart the containers, and certbot gets a new cert for all the domains

[–] Breve@pawb.social 2 points 1 week ago

Traefik basically has certbot built in so when you configure a new hostname on a service it automatically handles requesting and refreshing the cert for you. It can either request individual certificates for each hostname or a wildcard certificate (*.yourdomain.com) that covers all subdomains.

The neat trick is that in Docker you configure Traefik by adding Docker tags to the other containers you want to proxy. When you start up a container, Traefik automatically reads the config from the tags, does any necessary setup, then viola it's ready to go!

[–] Evotech@lemmy.world 2 points 1 week ago (3 children)
[–] AMillionMonkeys@lemmy.world 1 points 1 week ago (1 children)
[–] possiblylinux127@lemmy.zip 1 points 1 week ago* (last edited 1 week ago) (1 children)
[–] AMillionMonkeys@lemmy.world 1 points 1 week ago (1 children)
[–] possiblylinux127@lemmy.zip 1 points 1 week ago (1 children)
[–] Dirk@lemmy.ml 1 points 1 week ago

Smith & Wesson

load more comments (2 replies)
[–] greylinux@lemm.ee 2 points 1 week ago

I used to do a reverse proxy setup with caddy , but now I self host a Wireguard VPN. It has access to Nextcloud on the same machine, Home Assistant and Kodi on another. On our phones, Wireguard only has access to certain apps the rest of the network traffic is normal, so a nice simple setup.

load more comments
view more: ‹ prev next ›