Just learned how to do a reverse proxy
-
[email protected] replied to [email protected] last edited by
Same boat. I only learned the other day that localhost is localhost for the container. I couldn't get a bunch of stuff running forever, till I learned that the way I was calling things needed to be host.docker.internal.
-
[email protected] replied to [email protected] last edited by
Tailscale?
Is this setup advisable for a CGNATed environment?
-
[email protected] replied to [email protected] last edited by
You will need a VPS as your other endpoint
-
[email protected] replied to [email protected] last edited by
Pretty much. I have Caddy on a VPS that's pointing to my internal IP using a Tailscale tunnel. You are still exposing the web GUI to the Internet, so I just changed authentication to OAuth to mitigate some risk. There is still a possibility of attacks via zero days, but my Immich is on a VM and I'm creating firewall rules to just allow certain ports out.
-
[email protected] replied to [email protected] last edited by
Am I making a mistake by having my Jellyfin server proxied through nginx? The other service I set up did need to be public so I just copied the same thing when I set up Jellyfin but is that a liability even with a password to access?
-
[email protected] replied to [email protected] last edited by
I just finally got it this weekend when I got Matrix-synapse and Pixelfed working on the same box.
All I can say is good for you! It wasn’t easy. And it’s so powerful.
-
[email protected] replied to [email protected] last edited by
I appreciate the extra details but I still don't know what "caddy", "VPS", "tailscale tunnel", or "zero days" are, but I can look it up.
-
[email protected] replied to [email protected] last edited by
I just got this set up last week too. Same setup with Caddy on a free Oracle VPS, Tailscale on the VPS and on my home pfSense router, with Tailscale on pfSense advertising routes (private IPs of my Docker-hosted services).
CGNAT sucks 🤮
-
[email protected] replied to [email protected] last edited by
This is very short sighted. I can think of dozens of things to put on the open internet that aren’t inherently public. The majority are things for sharing with multiple people you want to have logins for. As long as the exposed endpoints are secure, there’s no inherent problem.
-
[email protected] replied to [email protected] last edited by
It's hard to explain from scratch.
Caddy is a reverse proxy software that essentially redirects traffic from a certain port to another port. For example external:port => internal:port. It also enables SSL encryption meaning everything will be encrypted en route between the external and the user.
VPS is a virtual private server. Just someone else's computer you can expose to the Internet.
Tailscale is a mesh VPN that uses WireGuard as its transport. I use this to tunnel between my VPS and my Immich server to hide my home IP and to allow encrypted traffic between my Immich server and my VPS.
A zero-day (also known as a 0-day) is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor thus has zero days to prepare a patch, as the vulnerability has already been described or exploited.
There's no fix other than security through layers.
-
[email protected] replied to [email protected] last edited by
Just out of curiosity, is the Tailscale part of this required? If I just reverse proxy things and have them only protected from there by the login screen of the app being shown, that's obviously less safe. But the attackers would still need to brute force my passwords to get any access? If they did, then they could do nasty things within the app, but limited to that app. Are there other vulnerabilities I'm not thinking about?
-
[email protected] replied to [email protected] last edited by
The attack surface might be an entire API, not just your login screen. You have no idea what that first page implements that could be used to gain access.
You can improve this by putting a basic auth challenge at least in front of the application's webpage. That would drastically reduce the potential endpoints.
-
[email protected] replied to [email protected] last edited by
It's not required, but probably OP has a home server with Immich and a VPS which exposes it to the internet. In that setup you need Tailscale for the VPS to access your home server. Sometimes you can't directly expose your home server for different reasons, e.g. the ISP doesn't give you an external IP directly (I've had this, where my router would get a 10.x IP so I couldn't port forward because the internet IP was being shared between multiple houses), or the ISP gives you a dynamic IP so there's no guarantee that your IP won't change next time you reset the router, etc.
Also it provides an extra layer of separation, so for example a DDoS would hit the VPS which probably has automatic countermeasures, and even if someone were to gain access to the VPS they still need an extra jump to get to the home server (obviously if they exploit something on Immich they would get direct access to the home server).
-
[email protected] replied to [email protected] last edited by
That actually helps a lot, thanks!
-
[email protected] replied to [email protected] last edited by
I'll try to ELI5, if there's something you don't understand ask me.
Op has a home server where he's running immich, that's only accessible when he's at home via the IP, so something like http://192.168.0.3:3000, so he installed Tailscale on that server. Tailscale is a VPN (Virtual Private Network) that allows you to connect to your stuff remotely, it's a nice way to do it because it is P2P (peer-to-peer) which means that in theory only he can access that network, whereas if he were using one of the many VPNs people use for other reasons, other people on the same VPN could access his server.
Ok, so now he can access his immich instance away from home, all he has to do is connect to the VPN on his phone or laptop and he'll be able to access it with something like http://my_server:3000 since Tailscale adds a DNS (Domain Name System) which resolves the hostnames to whatever IP they have on the Tailscale network.
But if you want to give your family access it's hard to explain to them that they need to connect to this VPN, so he rented a VPS (Virtual Private Server) from some company like DigitalOcean or Vultr and connected that machine to the Tailscale network. He probably also got a domain name from somewhere like Namecheap, and pointed that domain name to his VPS. So now he can access his VPS by using `ssh [email protected]`. Now all he needs to do is have something on the VPS which redirects everything that comes to a certain address into the Tailscale machine. Caddy is a nice way to do this, but the more traditional approach is nginx, so if he puts Caddy on that VPS a config like this:

    immich.myserver.com {
        handle {
            reverse_proxy my_server.tailscale.network.name:3000
        }
    }

Then any requests that come to https://immich.myserver.com will get redirected to the home server via Tailscale.
It is a really nice setup, plus OP also added authentication and some other stuff to make it a bit more secure against attacks directly on immich.
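As an added illustration (not posted by anyone in this thread, and not Immich's or Caddy's own documentation), here is what a Caddyfile on the VPS could look like when the setup described above is combined with the extra basic-auth challenge suggested earlier in the thread. The hostnames, the username and the password hash are placeholders you would replace with your own:

```caddyfile
# Added example Caddyfile for the VPS side of the setup (placeholders throughout).
# Caddy requests and renews the TLS certificate for this name automatically,
# so from the outside only 443 (plus 80 for the HTTPS redirect) is reachable.
immich.myserver.com {

    # Extra login challenge in front of the whole site, so the app's own
    # pages and API are only reachable after this first check succeeds.
    # Generate the hash with:  caddy hash-password --plaintext 'your-password'
    basic_auth {
        family $2a$14$REPLACE_WITH_HASH_FROM_caddy_hash-password
    }

    # Forward everything that passes the challenge over the Tailscale network
    # to the home server where Immich listens on port 3000.
    reverse_proxy my_server.tailscale.network.name:3000
}
```

Two things worth knowing before copying this: Caddy applies `basic_auth` before `reverse_proxy` regardless of the order you write them in, and a challenge like this blocks any client that does not send the Authorization header, so a phone app or other API client will stop working until it is configured with the same credentials or the challenge is scoped to only the browser-facing paths.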
-
[email protected] replied to [email protected] last edited by
This is necessary for CGNAT ISPs. That or cloudflared or ngrok or the like, because you aren't really routable on a CGNAT address.
-
[email protected] replied to [email protected] last edited by
I have a very similar setup but have a couple of questions if you don't mind me asking: what did you use for OAuth, and where is it running? I tried Authelia on the VPS but had some problems I can't remember now and decided it wasn't worth the time at the time, but I probably should set it up.
-
[email protected] replied to [email protected] last edited by
Thank you for the explanation. But that's it then? Just convenience with ports?
-
[email protected] replied to [email protected] last edited by
Like, good for you, man.
But you should really keep your stuff inside the VPN and not expose things, it opens up a pile of potential risks that you don't need to have. You can still use a reverse proxy inside the VPN and use your own DNS server that spits out internal addresses to your devices.
-
[email protected] replied to [email protected] last edited by
Well it IS pretty nice to be able to tell people to go to jellyfin.example.com instead of example.com:8096, but you also get security benefits for using a properly set up reverse proxy. You don't need to keep your ports open to the whole internet, only the reverse proxy accesses them. As far as the rest of the internet is concerned, you have :443 open.