Just learned how to do a reverse proxy

zebragoose@sh.itjust.works

Nice work!

perishthethought@lemm.ee

Wow, so my understanding of the terms 'reverse proxy' and Tailscale must be wrong then, because I thought they were mutually exclusive. I'll go do some more research, unless someone feels like explaining how you can do both at the same time.

Also, I think the 'Risks' section of this page is informative:

https://en.m.wikipedia.org/wiki/Reverse_proxy

lambdabeta@lemmy.ca

I think self hosting the proxy with the services at hobbyist scale mitigates most of the security risks. The single point of failure risk is another matter. I once had to effectively reverse-hack my services by uploading a Jenkins test job through an existing java project to regain access. Ever since then, I maintain a separate ddns address that's just used for emergency ssh access.

51dusty@lemmy.world

came here to leave this exact response!

tritonium@midwest.social

Why do you serve things to a public? Because unless you're serving a public, that's a dumb to do...

happydoors@lemm.ee

Congrats! I just pulled off the same thing last week using cloudflare tunneling? The phrase “reverse proxy” scared me too much lol. So props to you.

jagged_circle@feddit.nl

I prefer wazuh. Much more powerful and preconfigured with tons of rules

walden@sub.wetshaving.social

A lemmy instance, a wiki, and a couple of other website type things, yes.

Publicly facing things are pretty limited, but it's still super handy inside the LAN with Adguard Home doing DNS rewrites to point it to the reverse proxy.

I appreciate what you're saying, though. A lot of people get in trouble by having things like Radarr etc. open to the internet through their reverse proxy.

skeptomatic@lemmy.ca

Same boat. I only learned the other day that localhost, is localhost for the container. I couldn't get a bunch of stuff running for.ever, till I learned the way I was calling things needed to be to host.docker.internal.

kratoz29@lemm.ee

Tailscale?

Is this setup advisable for the CGNATED environment?

randombullet@programming.dev

You will need a VPS as your other endpoint

randombullet@programming.dev

Pretty much I have caddy on a VPS that's pointing to my internal IP using a tailscale tunnel. You are still exposing the web gui to the Internet so I just changed authentication to OAuth to mitigate since risk. There is still a possibility of attacks via zero days, but my immich is on a VM and I'm creating firewall rules to just allow certain ports out.

lumun@lemmy.zip

Am I making a mistake by having my Jellyfin server proxied through nginx? The other service I set up did need to be public so I just copied the same thing when I set up Jellyfin but is that a liability even with a password to access?

ch00f@lemmy.world

I just finally got it this weekend when I got Matrix-synapse and Pixelfed working on the same box.

All I can say is good for you! It wasn’t easy. And it’s so powerful.

ramenshaman@lemmy.world

I appreciate the extra details but I still don't know what "caddy", "VPS", "tailscale tunnel", or "zero days" are, but I can look it up.

couch1potato@lemmy.dbzer0.com

I just got this set up last week too. Same setup with caddy on a free oracle vps, tailscale on vps and home pfsense router, tailscale on pfsense advertising routes (private IPs of my docker hosted services).

CGNAT sucks 🤮

kairubyte@lemmy.dbzer0.com

This is very short sighted. I can think of dozens of things to put on the open internet that aren’t inherently public. The majority are things for sharing with multiple people you want to have logins for. As long as the exposed endpoints are secure, there’s no inherent problem.

randombullet@programming.dev

It's hard to explain from scratch.

Caddy is a reverse proxy software that essentially redirects traffic from a certain port to another port. For example external:port => internal:port. It also enables SSL encryption meaning everything will be encrypted en route between the external and the user.

VPS is a virtual private server. Just someone else's computer you can expose to the Internet.

Tailscale is a mesh VPN that uses wire guard as its transport. I use this to tunnel between my VPS and my Immich server to hide my home IP and to allow encrypted traffic between my Immich server and my VPS.

A zero-day (also known as a 0-day) is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor thus has zero days to prepare a patch, as the vulnerability has already been described or exploited.

There's no fix other than security through layers.

noggog@programming.dev

Just out of curiosity, is the tail scale part of this required? If i just reverse proxy things and have them only protected from there by the login screen of the app being shown, that's obviously less safe. But the attackers would still need to brute force my passwords to get any access? If they did, then they could do nasty things within the app, but limited to that app. Are there other vulnerabilities I'm not thinking about?

ikidd@lemmy.world

The attack surface might be an entire API, not just your login screen. You have no idea what that first page implements that could be used to gain access.

You can improve this by putting a basic auth challenge at least in front of the applications webpage. That would drastically reduce the potential endpoints.