Just learned how to do a reverse proxy
-
[email protected]replied to [email protected] last edited by
This is necessary for CGNat ISPs. That or cloudflared or ngrok or the like. Because you aren't really routable on a CGNAT address.
-
[email protected]replied to [email protected] last edited by
O have a very similar setup but have a couple of questions if you don't mind me asking, what did you used for OAuth? and where is it running? I tried athelia on the VPS but had some problems I can't remember now and decided it wasn't worth the time at the time, but probably should set it up.
-
[email protected]replied to [email protected] last edited by
Thank you for the explanation. But that's it than? Just convenience with ports?
-
[email protected]replied to [email protected] last edited by
Like, good for you, man.
But you should really keep your stuff inside the VPN and not expose things, it opens up a pile of potential risks that you don't need to have. You can still use a reverse proxy inside the VPN and use your own DNS server that spits out internal addresses to your devices.
-
[email protected]replied to [email protected] last edited by
Well it IS pretty nice to be able to tell people to go to jellyfin.example.com instead of example.com:8096, but you also get security benefits for using a properly set up reverse proxy. You don't need to keep your ports open to the whole internet, only the reverse proxy accesses them. As far as the rest of the internet is concerned, you have :443 open.
-
[email protected]replied to [email protected] last edited by
I don’t even bother with the internal DNS server. I just set my A records in Cloudflare to point to the private IPs
-
[email protected]replied to [email protected] last edited by
Do the private IPs not change at all? Or can you handle that automatically?
I have next to no experience, but I’m pretty sure that wouldn’t work for me since my IP changes? Idk
-
[email protected]replied to [email protected] last edited by
Opening it up lets you use it from devices that aren't on tailscale, or for friends and family. I have the same idea with Nebula instead of Tailscale, if I can figure it out.
-
[email protected]replied to [email protected] last edited by
You can either set a DHCP reservation in your router, or manually set the IP on the device.
When I say private IP, I’m referring to the internal IP e.g 192.168.1.X
Means internally I just go to the domain without having to remember the IP I set.
-
[email protected]replied to [email protected] last edited by
Not really. Personally I'd allow the service account running jellyfin only access to read media files to avoid accidental deletion but otherwise no.
Also, jellyfin docs have a sample proxy config. You should use that. It's a bit more in depth than a normal proxy config.
-
[email protected]replied to [email protected] last edited by
I want to be able to upload/download/share my photos from anywhere in the world without using a VPN. Additionally, this satisfies the wife requirement. It works in the background without her needing her to turn on the VPN. I don't want her to keep asking me how do I turn on the VPN? If it's just me, then no issue, I'll use a VPN.
-
[email protected]replied to [email protected] last edited by
I just use google OAuth since everyone I know has a google account. It just can't use OAuth on private IP addresses, just FQDNs.
-
[email protected]replied to [email protected] last edited by
Authelia is great. Recently added protection for multiple domains.
-
[email protected]replied to [email protected] last edited by
I tired the same, but my router wants to be smart by filtering DNS responses that points to local IP. I guess whoever designed it considered it a security feature.
It is a stock router from the ISP, its configuration interface is minimal, borderline to non existent. -
[email protected]replied to [email protected] last edited by
Oooh. That makes more sense, thank you.
I somehow thought you’d meant your global IP addresses, lol
-
[email protected]replied to [email protected] last edited by
You set up the VPN and it's always on. There's no hassle.
-
[email protected]replied to [email protected] last edited by
Unless you’re on IOS that will shut your VPN off regularly. Or you want somebody else to be able to access what you’re hosting without having to walk theme through a VPN setup they won’t understand.
-
[email protected]replied to [email protected] last edited by
I have a couple dozen customers on ios that use their camera servers via Tailscale. Never had a peep about that sort of thing.
-
[email protected]replied to [email protected] last edited by
Don’t listen to this guy. You don’t have to turtle all your stuff inside a VPN if you don’t want to. Hosting services on the internet is what the internet was created for. It’s up to you whether what you want to host is exposed to the internet or not, and as long as you’re aware of the risks do what you want man. I will mention that Immich specifically might not be the best idea to expose since it’s so unstable, but that depends on your level of comfortability. Worst case scenario is somebody gets into your Immich and can see all your photos. Would this be a dealbreaker for you? If so don’t expose it publicly. Otherwise you’re perfectly fine.
-
[email protected]replied to [email protected] last edited by
Don’t listen to this guy. You don’t have to turtle all your stuff inside a VPN if you don’t want to. Hosting services on the internet is what the internet was created for. It’s up to you whether what you want to host is exposed to the internet or not, and as long as you’re aware of the risks do what you want man. I will mention that Immich specifically might not be the best idea to expose since it’s so unstable, but that depends on your level of comfortability. Worst case scenario is somebody gets into your Immich and can see all your photos. Would this be a dealbreaker for you? If so don’t expose it publicly
