Just learned how to do a reverse proxy
-
[email protected] replied to [email protected] last edited by
Just be sure to read up on network security and set yourself up for success! Even tunnels can still be an attack surface. Always keep everything up to date! And plan for the worst case.
-
[email protected] replied to [email protected] last edited by
Can someone ELI5? I'm a noob who aspires to set up Immich in the near future. I only recently started making efforts to separate myself from the cloud. So far I've got a WireGuard server set up and I've disconnected both my Bambu printers from the cloud and I'm currently setting up some Home Assistant stuff. Pretty soon I'm hoping to set up a NAS, Immich, Plex (or similar) and replace my Google Nest cameras.
-
[email protected] replied to [email protected] last edited by
Quick, now learn a firewall with a good IDS
and fail2ban
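The fail2ban piece of that advice, as an added example that is not the poster's own configuration: a jail that watches a Caddy reverse proxy's JSON access log and bans addresses that keep collecting 401/403 responses (failed logins, blocked paths), plus a dry run of the same match over constructed log lines. Assumed: Caddy's default JSON access log at /var/log/caddy/access.log, fail2ban 1.x with the nftables ban action, a login endpoint that answers 401 on failure, and the filter's datepattern line, which should be confirmed with fail2ban-regex.

```shell
#!/bin/sh
# Added example, not from the thread: a fail2ban jail for a Caddy reverse proxy
# plus a dry run of the same match over constructed log lines.
# Assumed: Caddy's default JSON access log, fail2ban 1.x with nftables, a login
# endpoint that returns 401 on failure.
set -eu

MAXRETRY=5

# /etc/fail2ban/filter.d/caddy-auth.conf
# remote_ip is the TCP peer. Behind Cloudflare or another proxy that is the proxy's
# address; then set trusted_proxies in Caddy and match "client_ip" instead, or you
# will ban the proxy. The datepattern is an assumption; check with fail2ban-regex.
filter_conf() {
  cat <<'EOF'
[Definition]
failregex = ^.*"remote_ip":"<HOST>".*"status":(401|403),
ignoreregex =
datepattern = ^.*"ts":{EPOCH}
EOF
}

# /etc/fail2ban/jail.d/caddy-auth.conf
jail_conf() {
  cat <<EOF
[caddy-auth]
enabled   = true
filter    = caddy-auth
logpath   = /var/log/caddy/access.log
maxretry  = ${MAXRETRY}
findtime  = 10m
bantime   = 1h
banaction = nftables-multiport
port      = http,https
EOF
}

# Constructed sample lines in Caddy's JSON shape, trimmed to the fields that matter:
# five failed logins from 203.0.113.7, one from 198.51.100.4, two successes from 192.0.2.9.
SAMPLE_LOG='{"level":"info","ts":1700000001.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","remote_port":"51001","client_ip":"203.0.113.7","method":"POST","host":"photos.example.com","uri":"/api/auth/login"},"status":401,"size":45}
{"level":"info","ts":1700000002.3,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.0.2.9","remote_port":"40100","client_ip":"192.0.2.9","method":"POST","host":"photos.example.com","uri":"/api/auth/login"},"status":200,"size":512}
{"level":"info","ts":1700000003.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","remote_port":"51002","client_ip":"203.0.113.7","method":"POST","host":"photos.example.com","uri":"/api/auth/login"},"status":401,"size":45}
{"level":"info","ts":1700000004.2,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.4","remote_port":"33000","client_ip":"198.51.100.4","method":"POST","host":"photos.example.com","uri":"/api/auth/login"},"status":401,"size":45}
{"level":"info","ts":1700000005.5,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","remote_port":"51003","client_ip":"203.0.113.7","method":"GET","host":"photos.example.com","uri":"/api/users/me"},"status":403,"size":30}
{"level":"info","ts":1700000006.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.0.2.9","remote_port":"40101","client_ip":"192.0.2.9","method":"GET","host":"photos.example.com","uri":"/api/assets"},"status":200,"size":9001}
{"level":"info","ts":1700000007.7,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","remote_port":"51004","client_ip":"203.0.113.7","method":"POST","host":"photos.example.com","uri":"/api/auth/login"},"status":401,"size":45}
{"level":"info","ts":1700000008.9,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","remote_port":"51005","client_ip":"203.0.113.7","method":"POST","host":"photos.example.com","uri":"/api/auth/login"},"status":401,"size":45}'

# Dry run: the same match as failregex, counted per source address, printing the
# addresses at or over maxretry. fail2ban also enforces findtime; this ignores timing.
offenders() {
  printf '%s\n' "$SAMPLE_LOG" \
    | grep -E '"remote_ip":"[0-9.]+".*"status":(401|403),' \
    | sed -E 's/.*"remote_ip":"([0-9.]+)".*/\1/' \
    | sort | uniq -c \
    | awk -v max="$MAXRETRY" '$1 >= max { print $2 }'
}

case "${1:-}" in
  filter)  filter_conf ;;
  jail)    jail_conf ;;
  dry-run) offenders ;;
esac
```

Install the two files under /etc/fail2ban, run `fail2ban-regex /var/log/caddy/access.log /etc/fail2ban/filter.d/caddy-auth.conf` to confirm both the regex and the date detection match real lines, then `fail2ban-client status caddy-auth` after a reload. The dry run above reports only 203.0.113.7; 198.51.100.4 has a single failure and stays under the threshold.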
-
[email protected] replied to [email protected] last edited by
Nice work!
-
[email protected] replied to [email protected] last edited by
Wow, so my understanding of the terms 'reverse proxy' and Tailscale must be wrong then, because I thought they were mutually exclusive. I'll go do some more research, unless someone feels like explaining how you can do both at the same time.
Also, I think the 'Risks' section of this page is informative:
-
[email protected] replied to [email protected] last edited by
I think self-hosting the proxy with the services at hobbyist scale mitigates most of the security risks. The single point of failure risk is another matter. I once had to effectively reverse-hack my services by uploading a Jenkins test job through an existing Java project to regain access. Ever since then, I maintain a separate DDNS address that's just used for emergency SSH access.
-
[email protected] replied to [email protected] last edited by
came here to leave this exact response!
-
[email protected] replied to [email protected] last edited by
Why do you serve things to a public? Because unless you're serving a public, that's a dumb thing to do...
-
[email protected] replied to [email protected] last edited by
Congrats! I just pulled off the same thing last week using Cloudflare tunneling. The phrase “reverse proxy” scared me too much lol. So props to you.
-
[email protected] replied to [email protected] last edited by
I prefer Wazuh. Much more powerful and preconfigured with tons of rules.
-
[email protected] replied to [email protected] last edited by
A Lemmy instance, a wiki, and a couple of other website type things, yes.
Publicly facing things are pretty limited, but it's still super handy inside the LAN with AdGuard Home doing DNS rewrites to point it to the reverse proxy.
I appreciate what you're saying, though. A lot of people get in trouble by having things like Radarr etc. open to the internet through their reverse proxy.
-
[email protected] replied to [email protected] last edited by
Same boat. I only learned the other day that localhost is localhost for the container. I couldn't get a bunch of stuff running forever, till I learned the way I was calling things needed to be to host.docker.internal.
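Two of the points above in one working configuration, as an added example that is none of the posters' own setups: the container-localhost trap from this post (a Caddy container's `localhost` is the container, not the host) and the earlier post's warning about services like Radarr reaching the internet through the proxy. Assumed names and values: Caddy 2 in Docker Compose on a Linux Docker Engine host, the default bridge gateway 172.17.0.1, an Immich instance on the host listening on 172.17.0.1:2283 and Radarr on 172.17.0.1:7878, a public hostname photos.example.com, and a LAN-only hostname radarr.home.example.com that exists only as a local DNS rewrite.

```shell
#!/bin/sh
# Added example, not from the thread: a home reverse proxy in Docker, with the
# host.docker.internal fix for the container-localhost mistake and a LAN-only
# site that cannot be reached from the internet by guessing its hostname.
# Assumed: Docker Engine on Linux, bridge gateway 172.17.0.1, Immich on the host
# at 172.17.0.1:2283, Radarr at 172.17.0.1:7878, hostnames as in the comments.
set -eu

# docker-compose.yml for the proxy. "host-gateway" maps host.docker.internal to the
# bridge gateway address; Docker Desktop does this for you, Docker Engine on Linux
# does not, which is why the name fails to resolve without this line.
compose_yaml() {
  cat <<'EOF'
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
volumes:
  caddy_data:
EOF
}

# Caddyfile. The broken form is kept as a comment: localhost:2283 is the Caddy
# container's own loopback. host.docker.internal only helps if the host service
# listens on the bridge address: bound to 127.0.0.1 it is unreachable from any
# container, bound to 0.0.0.0 it is also reachable from every LAN host directly.
# For Immich in its own Compose file that means: ports: - "172.17.0.1:2283:2283".
caddyfile() {
  cat <<'EOF'
photos.example.com {
    # reverse_proxy localhost:2283    <- wrong: the container's loopback
    reverse_proxy host.docker.internal:2283
}

# LAN-only service. The proxy selects the site by Host header, so the absence of
# a public DNS record is not a control: anyone can send
# "Host: radarr.home.example.com" to the public IP. The remote_ip matcher is the
# control. Docker's DNAT keeps the real client address for published ports on
# Linux; confirm by reading remote_ip in the access log for a request from outside.
radarr.home.example.com {
    tls internal
    @lan remote_ip private_ranges
    handle @lan {
        reverse_proxy host.docker.internal:7878
    }
    handle {
        abort
    }
}
EOF
}

case "${1:-}" in
  compose) compose_yaml ;;
  caddy)   caddyfile ;;
esac
```

Write both files into one directory and run `docker compose up -d`; from inside the container `docker compose exec caddy wget -qSO /dev/null http://host.docker.internal:2283/` shows whether the upstream is reachable at all, which separates a proxy mistake from a binding mistake. When the application is itself a Compose service rather than a host process, the cleaner answer is a shared Docker network and `reverse_proxy immich-server:2283`; host.docker.internal is for services that genuinely live on the host. `tls internal` gives the LAN-only site a certificate from Caddy's local CA, since a name that does not exist in public DNS cannot pass an ACME challenge.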
-
[email protected] replied to [email protected] last edited by
Tailscale?
Is this setup advisable for a CGNATed environment?
-
[email protected] replied to [email protected] last edited by
You will need a VPS as your other endpoint
-
[email protected] replied to [email protected] last edited by
Pretty much. I have Caddy on a VPS that's pointing to my internal IP using a Tailscale tunnel. You are still exposing the web GUI to the Internet, so I just changed authentication to OAuth to mitigate some risk. There is still a possibility of attacks via zero days, but my Immich is on a VM and I'm creating firewall rules to just allow certain ports out.
-
[email protected] replied to [email protected] last edited by
Am I making a mistake by having my Jellyfin server proxied through nginx? The other service I set up did need to be public so I just copied the same thing when I set up Jellyfin but is that a liability even with a password to access?
-
[email protected] replied to [email protected] last edited by
I just finally got it this weekend when I got Matrix-synapse and Pixelfed working on the same box.
All I can say is good for you! It wasn’t easy. And it’s so powerful.
-
[email protected] replied to [email protected] last edited by
I appreciate the extra details but I still don't know what "caddy", "VPS", "tailscale tunnel", or "zero days" are, but I can look it up.
-
[email protected] replied to [email protected] last edited by
I just got this set up last week too. Same setup with Caddy on a free Oracle VPS, Tailscale on the VPS and home pfSense router, Tailscale on pfSense advertising routes (private IPs of my Docker hosted services).
CGNAT sucks 🤮
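A concrete version of the VPS-plus-Tailscale setup described in the two posts above (Caddy on a VPS proxying over the tailnet to a service at home, with the home VM only allowed to talk out on a few ports), as an added example that is neither poster's configuration. Assumed values: public hostname photos.example.com, Immich on port 2283, tailnet addresses 100.64.0.1 for the VPS and 100.64.0.10 for the Immich VM, Tailscale pinned to its default WireGuard port 41641, a LAN resolver at 192.168.1.1, a management host at 192.168.1.10, and an IPv4-only VM.

```shell
#!/bin/sh
# Added example, not the posters' configuration: Caddy on a VPS reverse-proxying
# over Tailscale to an Immich VM at home, plus an nftables policy for that VM.
# Assumed: photos.example.com, Immich on 2283, VPS tailnet IP 100.64.0.1,
# VM tailnet IP 100.64.0.10, Tailscale on UDP 41641, LAN resolver 192.168.1.1,
# management host 192.168.1.10, IPv4-only VM.
set -eu

PUBLIC_HOST="photos.example.com"
VPS_TS_IP="100.64.0.1"
IMMICH_TS_IP="100.64.0.10"
IMMICH_PORT="2283"
DNS_IP="192.168.1.1"
ADMIN_IP="192.168.1.10"

# Caddyfile for the VPS. Caddy obtains the certificate itself, so the only thing
# reachable from the internet is Caddy on 443; the upstream is a tailnet address
# and nothing on the VPS listens on the application port.
caddyfile() {
  cat <<EOF
${PUBLIC_HOST} {
    encode gzip
    reverse_proxy ${IMMICH_TS_IP}:${IMMICH_PORT}
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        -Server
    }
    log {
        output file /var/log/caddy/immich-access.log
    }
}
EOF
}

# nftables ruleset for the Immich VM. Inbound: only the VPS, arriving over the
# tailnet, may reach the app port. Outbound: default drop, so a compromised
# Immich cannot roam the LAN, with just enough open for Tailscale, DNS and HTTPS.
# The table is flushed by name; "flush ruleset" would also wipe tailscaled's tables.
nft_ruleset() {
  cat <<EOF
add table inet immich_vm
flush table inet immich_vm
table inet immich_vm {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        icmp type echo-request accept
        # Tailscale's WireGuard transport (assumed pinned to 41641)
        udp dport 41641 accept
        # Only the VPS proxy, over the tailnet, may reach Immich
        iifname "tailscale0" ip saddr ${VPS_TS_IP} tcp dport ${IMMICH_PORT} accept
        # SSH only from the management host on the LAN
        ip saddr ${ADMIN_IP} tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oifname "lo" accept
        # Replies to the proxy and tailnet-internal traffic (MagicDNS included)
        oifname "tailscale0" accept
        udp sport 41641 accept
        # Name resolution via the LAN resolver only
        ip daddr ${DNS_IP} udp dport 53 accept
        ip daddr ${DNS_IP} tcp dport 53 accept
        # Refuse to initiate anything else toward the rest of the LAN
        ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        # HTTPS for image pulls, Tailscale's control plane and DERP relay fallback
        tcp dport 443 accept
    }
}
EOF
}

case "${1:-}" in
  caddyfile) caddyfile ;;
  nft)       nft_ruleset ;;
  # Parse with nft in check mode before loading anything
  apply-nft) nft_ruleset | nft -c -f - && nft_ruleset | nft -f - ;;
esac
```

On the VPS, `./setup.sh caddyfile > /etc/caddy/Caddyfile && systemctl reload caddy`; on the VM, `./setup.sh apply-nft` after saving the output of `./setup.sh nft` to /etc/nftables.conf so it survives a reboot. The VPS needs its own inbound policy too (22, 80 and 443 only), and a tailnet ACL that lets only the VPS reach the VM on 2283 is a second, independent layer. If, as in the second post, the router advertises the LAN with `tailscale up --advertise-routes=192.168.1.0/24`, the Caddy upstream becomes the service's LAN address and the VM's input rule must match the source address the router actually presents, which a subnet router may SNAT; read it off a packet capture rather than assuming.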
-
[email protected] replied to [email protected] last edited by
This is very short sighted. I can think of dozens of things to put on the open internet that aren’t inherently public. The majority are things for sharing with multiple people you want to have logins for. As long as the exposed endpoints are secure, there’s no inherent problem.