Just learned how to do a reverse proxy
-
I think self-hosting the proxy with the services at hobbyist scale mitigates most of the security risks. The single point of failure risk is another matter. I once had to effectively reverse-hack my services by uploading a Jenkins test job through an existing Java project to regain access. Ever since then, I maintain a separate DDNS address that's just used for emergency SSH access.
-
Came here to leave this exact response!
-
Why do you serve things to a public? Because unless you're serving a public, that's a dumb thing to do...
-
Congrats! I just pulled off the same thing last week using Cloudflare tunneling. The phrase "reverse proxy" scared me too much lol. So props to you.
-
I prefer Wazuh. Much more powerful and preconfigured with tons of rules.
-
A lemmy instance, a wiki, and a couple of other website type things, yes.
Publicly facing things are pretty limited, but it's still super handy inside the LAN with Adguard Home doing DNS rewrites to point it to the reverse proxy.
I appreciate what you're saying, though. A lot of people get in trouble by having things like Radarr etc. open to the internet through their reverse proxy.
-
Same boat. I only learned the other day that localhost is localhost for the container. I couldn't get a bunch of stuff running forever, till I learned the way I was calling things needed to be host.docker.internal.
-
-
You will need a VPS as your other endpoint
-
Pretty much. I have Caddy on a VPS that's pointing to my internal IP using a Tailscale tunnel. You are still exposing the web GUI to the Internet, so I just changed authentication to OAuth to mitigate some risk. There is still a possibility of attacks via zero-days, but my Immich is on a VM and I'm creating firewall rules to just allow certain ports out.
-
-
I just finally got it this weekend when I got Matrix-synapse and Pixelfed working on the same box.
All I can say is good for you! It wasn't easy. And it's so powerful.
-
I appreciate the extra details, but I still don't know what "Caddy", "VPS", "Tailscale tunnel", or "zero-days" are, but I can look it up.
-
I just got this set up last week too. Same setup with Caddy on a free Oracle VPS, Tailscale on the VPS and home pfSense router, Tailscale on pfSense advertising routes (private IPs of my Docker-hosted services).
CGNAT sucks.
-
This is very short-sighted. I can think of dozens of things to put on the open internet that aren't inherently public. The majority are things for sharing with multiple people you want to have logins for. As long as the exposed endpoints are secure, there's no inherent problem.
-
-
Just out of curiosity, is the Tailscale part of this required? If I just reverse proxy things and have them only protected from there by the login screen of the app being shown, that's obviously less safe. But the attackers would still need to brute force my passwords to get any access? If they did, then they could do nasty things within the app, but limited to that app. Are there other vulnerabilities I'm not thinking about?
-
The attack surface might be an entire API, not just your login screen. You have no idea what that first page implements that could be used to gain access.
You can improve this by putting a basic auth challenge at least in front of the application's webpage. That would drastically reduce the potential endpoints.
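As an added illustration of the setup several replies describe (Caddy on a VPS forwarding over Tailscale to a home server, with a basic auth challenge placed in front of the whole app), here is a Caddyfile. It is not from anyone in this thread; the hostname, the Tailscale address 100.64.0.5, the username, and Immich's default port 2283 are assumed placeholders, and the bcrypt hash must be generated locally.

```caddyfile
# Added example, not from the thread. Runs on the VPS; Caddy obtains the
# TLS certificate for the public hostname automatically.
photos.example.com {
    # Basic auth challenge in front of everything under this host, so
    # unauthenticated requests never reach the application's own login
    # page or API endpoints. Generate the hash on the VPS with:
    #   caddy hash-password --plaintext 'a-long-random-password'
    # and paste the output in place of the placeholder below.
    basic_auth {
        alice $2a$14$REPLACE_WITH_OUTPUT_OF_caddy_hash-password
    }

    # Forward to the home server over the Tailscale tunnel. The 100.64.0.5
    # address and port 2283 (Immich's default) are assumed for this example;
    # the backend is only reachable via the tailnet, never directly from the
    # Internet.
    reverse_proxy 100.64.0.5:2283
}
```

Check the file with `caddy validate --config Caddyfile` before reloading. The basic auth gate applies to every path on the host, which is the point of the reply above, but it also means API clients such as a mobile app have to be given the same credentials (or specific paths have to be carved out with a `@matcher`), so verify those clients still work after adding it.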
-
It's not required, but probably OP has a home server with Immich and a VPS which exposes it to the internet. In that setup you need Tailscale for the VPS to access your home server. Sometimes you can't directly expose your home server for different reasons, e.g. the ISP doesn't give you an external IP directly (I've had this, where my router would get a 10.x IP so I couldn't port forward because the internet IP was being shared between multiple houses), or the ISP gives you a dynamic IP so there's no guarantee that your IP won't change next time you reset the router, etc.
Also it provides an extra layer of separation, so for example a DDoS would hit the VPS, which probably has automatic countermeasures, and even if someone were to gain access to the VPS they still need an extra jump to get to the home server (obviously if they exploit something on Immich they would get direct access to the home server).
-
That actually helps a lot, thanks!