Just learned how to do a reverse proxy
-
[email protected] replied to [email protected]
Don’t listen to this guy. You don’t have to turtle all your stuff inside a VPN if you don’t want to. Hosting services on the internet is what the internet was created for. It’s up to you whether what you want to host is exposed to the internet or not, and as long as you’re aware of the risks, do what you want, man. I will mention that Immich specifically might not be the best idea to expose since it’s so unstable, but that depends on your level of comfortability. Worst case scenario is somebody gets into your Immich and can see all your photos. Would this be a dealbreaker for you? If so, don’t expose it publicly.
-
[email protected] replied to [email protected]
You’re hearing about it now. It’s an issue with the way iOS handles background tasks and there isn’t any way to fix it. It’s just how the OS works.
-
[email protected] replied to [email protected]
Well, apparently a bunch of farmers are smart enough to press a button without even bothering me about it.
-
[email protected] replied to [email protected]
Why would farmers not be smart enough to press buttons?
-
[email protected] replied to [email protected]
Nobody said they had to. I made him aware of the risks in case he wasn't. You seem to have an axe to grind there.
-
[email protected] replied to [email protected]
I’m not a big fan of amateur know-nothings regurgitating the same nonsense regurgitated to them by previous know-nothings, attempting to further the cycle to people finding their footing with self hosting. It was a big problem on the self hosted reddit and up to this point has been less of a problem here.
-
[email protected] replied to [email protected]
Yah, imagine my surprise, it's almost like people are smart enough to manage a VPN without you holding their hands.
-
[email protected] replied to [email protected]
Manage, but not set up. Something tells me you had to do that part for them. And while pushing a button to start your VPN back up every time you want to access your remote service isn’t hard, it’s a nuisance that can be avoided in situations where it isn’t necessary in the first place.
-
[email protected] replied to [email protected]
And yet here you are, making sure this guy knows he can expose anything he wants except the specific thing you decided is troublesome, like Immich. Maybe you'll be here to help him put it all back together with your wealth of knowledge and experience.
Take a hard look at yourself, you're doing all the stuff you accuse someone else of. Maybe you aren't always the smartest person in the room. In any case, I'm done with your shit. Go ruin someone else's day, you ray of sunshine.
-
[email protected] replied to [email protected]
Yeah maybe you should take notes on how to relay a little bit of relevant knowledge in the context of what it is they’re trying to do, and let them decide how it fits their use case, instead of repeating broad, inaccurate generalizations dictating what people should and shouldn’t do across the board.
If you’re not going to be helpful or informative, then don’t bother chiming in at all.
-
[email protected] replied to [email protected]
Many ISPs will give you a dynamic (changing) IP rather than a static (unchanging) IP. Just check your IP once a week for a few weeks to see if it changes.
There are some services that get around this by checking your IP regularly and updating their records automatically. This is called a dynamic DNS provider (DDNS). I used to use "noip", but since then there are quite a few, like Cloudflare DDNS.
Beyond that, you would just want to make sure your router, or whatever device is assigning IPs on your network, gives a static assignment to the server. Assigning IPs is handled by a DHCP server, and it would usually be your router, but if you have a Pi-hole you might be using that as a DHCP server instead.
Between DDNS and DHCP you can make sure both your external IP and internal IP are static.
-
[email protected] replied to [email protected]
Yeah, you always have to account for the wife factor. Same reason I’m using Plex instead of Jellyfin; I’d personally prefer Jellyfin, but the wife factor (really the mother-in-law factor, but whatever…) demands that it doesn’t require a ton of config on the user’s end. If the goal is to encourage use by your family, it can’t be fiddly or difficult to set up on their end.
-
[email protected] replied to [email protected]
Gotcha. Thanks for the insight!
It's annoying, as I'd like to expose things for other people in my family (like Overseerr or whatever) without hassling them to also start a VPN or other stumbling-block steps.
I was hoping that a reverse proxy to Overseerr's login screen would be safe enough. 8(
Does Docker help limit things at all? I'm running my services through Docker, which seems to limit the folders the container can hit. Feels like that would limit the damage someone could do even if they bypassed the login page of Overseerr or whatever app it is?
-
[email protected] replied to [email protected]
Thanks for the insight! Does running this in a Docker container help limit the damage at all? Seems like they'd only be able to access the few folders I have given the container access to?
-
[email protected] replied to [email protected]
Sounds like Cloudflare tunnels. I used that for a while, until I realized I didn't want to be tied to Cloudflare.
-
[email protected] replied to [email protected]
Maybe a bit, but if you're not running rootless Docker, if they get out of that container they'll have the run of your Docker host. It is a lot of layers to crack, but sometimes they've got nothing but time, or it's been so long since the container's been updated that it's trivial. That's why rootless Docker or Podman, and Watchtower, are your friends.
-
[email protected] replied to [email protected]
First of all, let me make this absolutely clear: Docker is not expected to be secure to that level. While they try to make it hard for someone to escape a container, it's not their main concern, so expect that there are vulnerabilities that would allow an attacker to escape.
Now the second thing: the Overseerr login screen might be secure enough for your case. The problem is that login is hard to do right, and Overseerr is doing several other things as well, so they might not give it enough emphasis, and even if they do, maybe the Immich devs don't, or any one of the dozens of other services, so there are dozens of possible points of failure. Things like Authelia or Google OAuth are focused on authentication, so they do that absolutely right, and then they become the only point of failure for authentication.
To be fair, if you keep things updated it's unlikely not having auth would be a problem, mostly because most hackers won't even know of your server to begin with, and most systems are secure enough for most casual hacks. But it's an investment worth the time if you plan on making something available to the internet.
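The two replies above make the same point: container isolation only limits the damage of a bypassed login if the container itself is not handed the host on a plate. As an added example (not from the thread or from any of the projects named in it), the script below reads `docker inspect` output and flags the settings that widen the blast radius of a container escape: running as root inside the container, privileged mode, a missing `no-new-privileges` option, the Docker socket mounted, or sensitive host paths bound in. The sample JSON is constructed; the container names, paths and settings in it are illustrative, not anyone's real host. Watchtower legitimately needs the socket to update containers, so that finding is an accepted risk to be aware of rather than a misconfiguration.

```python
import json

# Constructed sample: a trimmed `docker inspect` result for two containers
# (illustrative only, not real output from any host in the thread).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/overseerr",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": False,
            "SecurityOpt": None,
            "Binds": ["/srv/overseerr:/config"],
        },
    },
    {
        "Name": "/watchtower",
        "Config": {"User": "1000:1000"},
        "HostConfig": {
            "Privileged": False,
            "SecurityOpt": ["no-new-privileges:true"],
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
])

def audit_container(c):
    """Return findings that would widen the blast radius of an escape from this container."""
    findings = []
    host = c.get("HostConfig", {})
    if not c.get("Config", {}).get("User"):
        findings.append("runs as root inside the container (set a non-root user)")
    if host.get("Privileged"):
        findings.append("privileged mode (near-equivalent to root on the host)")
    if "no-new-privileges:true" not in (host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set (setuid binaries can regain privileges)")
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]            # host side of "host:container[:opts]"
        if src == "/var/run/docker.sock":
            findings.append("docker socket mounted (full control of the Docker host)")
        elif src in ("/", "/etc", "/root", "/home"):
            findings.append(f"sensitive host path mounted: {src}")
    return findings

def audit_all(inspect_json):
    """Map container name -> findings for every container in `docker inspect` output."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, findings or "no findings")
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.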
-
[email protected] replied to [email protected]
Ah, I figured... I used to do this with Wireguard instead of Tailscale.
-
[email protected] replied to [email protected]
In a nutshell, CGNAT users must spend money for something that people with IPv4 addresses can do for free