Just learned how to do a reverse proxy
-
Can someone ELI5? I'm a noob who aspires to set up immich in the near future. I only recently started making efforts to separate myself from the cloud. So far I've got a wireguard server set up and I've disconnected both my Bambu printers from the cloud and I'm currently setting up some home assistant stuff. Pretty soon I'm hoping to set up a NAS, Immich, Plex (or similar) and replace my google nest cameras.
-
Quick, now learn a firewall with a good IDS
and fail2ban
-
Nice work!
-
Wow, so my understanding of the terms 'reverse proxy' and Tailscale must be wrong then, because I thought they were mutually exclusive. I'll go do some more research, unless someone feels like explaining how you can do both at the same time.
Also, I think the 'Risks' section of this page is informative:
-
I think self hosting the proxy with the services at hobbyist scale mitigates most of the security risks. The single point of failure risk is another matter. I once had to effectively reverse-hack my services by uploading a Jenkins test job through an existing java project to regain access. Ever since then, I maintain a separate ddns address that's just used for emergency ssh access.
-
came here to leave this exact response!
-
Why do you serve things to a public? Because unless you're serving a public, that's a dumb thing to do...
-
Congrats! I just pulled off the same thing last week using cloudflare tunneling? The phrase "reverse proxy" scared me too much lol. So props to you.
-
I prefer wazuh. Much more powerful and preconfigured with tons of rules
-
A lemmy instance, a wiki, and a couple of other website type things, yes.
Publicly facing things are pretty limited, but it's still super handy inside the LAN with Adguard Home doing DNS rewrites to point it to the reverse proxy.
I appreciate what you're saying, though. A lot of people get in trouble by having things like Radarr etc. open to the internet through their reverse proxy.
-
Same boat. I only learned the other day that localhost is localhost for the container. I couldn't get a bunch of stuff running forever, till I learned the way I was calling things needed to be to host.docker.internal.
-
-
You will need a VPS as your other endpoint
-
Pretty much I have caddy on a VPS that's pointing to my internal IP using a tailscale tunnel. You are still exposing the web gui to the Internet so I just changed authentication to OAuth to mitigate some risk. There is still a possibility of attacks via zero days, but my immich is on a VM and I'm creating firewall rules to just allow certain ports out.
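A minimal VPS-side Caddyfile for the setup described in that comment, added here as an example and not the commenter's own config; the hostnames, Tailscale addresses and backend ports are assumptions:

```caddyfile
# Constructed example, not the commenter's real configuration.
# Caddy on the VPS terminates TLS (certificates are provisioned automatically)
# and forwards each hostname to a backend reachable only over the Tailscale
# interface, so the home router needs no inbound port-forward at all.

immich.example.com {
    # 100.64.0.10 is an assumed Tailscale address of the home Immich VM;
    # 2283 is assumed as the Immich server port from a default compose file.
    reverse_proxy 100.64.0.10:2283
}

# A second service on the same proxy is just another site block.
# Name-based routing is what lets one public IP front many services.
wiki.example.com {
    reverse_proxy 100.64.0.11:8080
}
```

Caddy only forwards names that have a site block, so a service you do not list stays unreachable from the internet even though it sits on the same tailnet.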
-
-
I just finally got it this weekend when I got Matrix-synapse and Pixelfed working on the same box.
All I can say is good for you! It wasn't easy. And it's so powerful.
-
I appreciate the extra details but I still don't know what "caddy", "VPS", "tailscale tunnel", or "zero days" are, but I can look it up.
-
I just got this set up last week too. Same setup with caddy on a free oracle vps, tailscale on vps and home pfsense router, tailscale on pfsense advertising routes (private IPs of my docker hosted services).
CGNAT sucks 🤮
-
This is very short sighted. I can think of dozens of things to put on the open internet that aren't inherently public. The majority are things for sharing with multiple people you want to have logins for. As long as the exposed endpoints are secure, there's no inherent problem.
-