Just learned how to do a reverse proxy
-
[email protected] replied to [email protected] last edited by
Many ISPs will give you a dynamic (changing) IP rather than a static (unchanging) IP. Just check your IP once a week for a few weeks to see if it changes.
There are some services that get around this by checking your IP regularly and updating their records automatically. This is called a dynamic DNS provider (DDNS). I used to use "noip" but since then there are quite a few, like Cloudflare DDNS.
Beyond that you just would want to make sure your router, or whatever device is assigning IPs on your network, gives a static assignment to the server. Assigning IPs is handled by a DHCP server and it would usually be your router, but if you have a pihole you might be using that as a DHCP server instead.
Between DDNS and DHCP you can make sure both your external IP and internal IP are static.
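A minimal updater in the spirit of the DDNS services described in the post above, added here as an example that is not part of the original thread and not any provider's official client: it polls an external IP-echo service, validates the reply as a dotted-quad before trusting it, only calls the DNS API when the address has actually changed, and remembers the last address in a state file. The lookup URL (api.ipify.org) and the shape of the Cloudflare DNS-record PUT call are assumptions; the zone ID, record ID, hostname and API token are placeholders you supply through environment variables.

```shell
#!/bin/sh
# Poll-and-update DDNS client (example, not a provider's official client).
# Run it from cron every few minutes; it is silent on the network unless the IP changed.

STATE_FILE="${DDNS_STATE_FILE:-/var/tmp/ddns-last-ip}"

validate_ipv4() {
  # Accept only a dotted quad with four octets in 0-255. The echo service's
  # reply is untrusted text that ends up inside an API request, so anything
  # that is not a plain IPv4 address is rejected rather than forwarded.
  case "$1" in
    *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
  esac
  rest="$1."
  n=0
  while [ -n "$rest" ]; do
    octet=${rest%%.*}
    rest=${rest#*.}
    n=$((n + 1))
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  [ "$n" -eq 4 ]
}

ip_changed() {
  # Returns 0 when $1 differs from the address recorded on the last run.
  last=""
  [ -f "$STATE_FILE" ] && last=$(cat "$STATE_FILE")
  [ "$1" != "$last" ]
}

record_ip() {
  # Persist the address we just published so the next run can compare.
  printf '%s\n' "$1" > "$STATE_FILE"
}

fetch_public_ip() {
  # Assumption: an HTTPS echo service that returns the caller's address as plain text.
  curl -fsS --max-time 10 "${DDNS_LOOKUP_URL:-https://api.ipify.org}"
}

update_record() {
  # Assumption: Cloudflare's v4 API, PUT on an existing A record. The IDs and the
  # token are placeholders supplied via environment variables; keep the token out
  # of the command line of other scripts (export it from a 0600 file).
  curl -fsS --max-time 15 -X PUT \
    "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/dns_records/$CF_RECORD_ID" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "{\"type\":\"A\",\"name\":\"$DDNS_HOSTNAME\",\"content\":\"$1\",\"ttl\":120,\"proxied\":false}" \
    > /dev/null
}

main() {
  ip=$(fetch_public_ip) || { echo "ddns: public IP lookup failed" >&2; return 1; }
  validate_ipv4 "$ip" || { echo "ddns: lookup returned something that is not an IPv4 address: $ip" >&2; return 1; }
  if ip_changed "$ip"; then
    update_record "$ip" && record_ip "$ip" && echo "ddns: updated $DDNS_HOSTNAME -> $ip"
  else
    echo "ddns: unchanged ($ip), no API call made"
  fi
}

# Only contact the network when the placeholders have been filled in.
if [ -n "${CF_API_TOKEN:-}" ] && [ -n "${CF_ZONE_ID:-}" ] && [ -n "${CF_RECORD_ID:-}" ] && [ -n "${DDNS_HOSTNAME:-}" ]; then
  main
else
  echo "ddns: set CF_API_TOKEN, CF_ZONE_ID, CF_RECORD_ID and DDNS_HOSTNAME to run the updater" >&2
fi
```

The validation step is the part worth keeping whatever provider you use: the address string is spliced into a JSON body, so a lookup service that is down, hijacked or returns an HTML error page should make the script stop, not publish garbage into your zone. The state file is what keeps the script from hitting the API on every cron tick.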
-
[email protected] replied to [email protected] last edited by
Yeah, you always have to account for the wife factor. Same reason I’m using Plex instead of Jellyfin; I’d personally prefer Jellyfin, but the wife factor (really the mother-in-law factor, but whatever…) demands that it doesn’t require a ton of config on the user’s end. If the goal is to encourage use by your family, it can’t be fiddly or difficult to set up on their end.
-
[email protected] replied to [email protected] last edited by
Gotcha. Thanks for the insight!
It's annoying, as I'd like to expose things for other people in my family (like Overseerr or whatever) without hassling them to also start a VPN or other stumbling block steps.
I was hoping that reverse proxy to Overseerr's login screen would be safe enough. 8(
Does docker help limit things at all? I'm running my services through docker, which seems to limit the folders the container can hit. Feels like that would limit the damage someone could do even if they bypassed the login page of Overseerr or whatever app it is?
-
[email protected] replied to [email protected] last edited by
Thanks for the insight! Does running this in a docker container help limit the damage at all? Seems like they'd only be able to access the few folders I have the container access to?
-
[email protected] replied to [email protected] last edited by
Sounds like Cloudflare tunnels. I used that for a while, until I realized I didn't want to be tied to Cloudflare.
-
[email protected] replied to [email protected] last edited by
Maybe a bit, but if you're not running rootless docker, if they get out of that container they'll have the run of your docker host. It is a lot of layers to crack, but sometimes they've got nothing but time, or it's been so long since the container's been updated that it's trivial. That's why rootless docker or podman, and Watchtower, are your friends.
-
[email protected] replied to [email protected] last edited by
First of all, let me make this absolutely clear: Docker is not expected to be secure to that level. While they try to make it hard for someone to escape a container, it's not their main concern, so expect that there are vulnerabilities that would allow an attacker to escape.
Now the second thing: the Overseerr login screen might be secure enough for your case. The problem is that login is hard to do right, and Overseerr is doing several other things as well, so they might not give it enough emphasis, and even if they do, maybe Immich devs don't, or any one of the dozens of other services, so there are dozens of possible points of failure. Things like Authelia or Google OAuth are focused on authentication, so they do that absolutely right, and then they become the only point of failure for authentication.
To be fair, if you keep things updated it's unlikely not having auth would be a problem. Mostly because most hackers won't even know of your server to begin with. And most systems are secure enough for most casual hacks. But it's an investment worth the time if you plan on making something available to the internet.
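Related to the container-escape caveat in the two posts above (non-rootless Docker handing an escapee the host, and Docker not being designed as a hard security boundary): an audit script, added here as an example and not code from the thread or from the Docker project, that lists the settings on running containers which would turn a compromised app into a compromised host: --privileged, running as root inside the container, sharing the host's network or PID namespace, and bind-mounting the Docker socket or /. It assumes the docker CLI and the inspect fields named in the format template; the parsing is separated from the docker call so it can be exercised on a constructed line.

```shell
#!/bin/sh
# Audit running containers for settings that make a container escape cheap
# (example audit script, not part of Docker or of the original thread).

# Go template for `docker inspect`; the field names are Docker's own inspect output.
FMT='{{.Name}}|{{.HostConfig.Privileged}}|{{.Config.User}}|{{.HostConfig.NetworkMode}}|{{.HostConfig.PidMode}}|{{range .Mounts}}{{.Source}},{{end}}'

assess_line() {
  # $1 is one line in FMT layout: name|privileged|user|network|pid|mount1,mount2,
  # Prints one finding per line; prints nothing for a reasonably confined container.
  line=$1
  name=${line%%|*};   line=${line#*|}
  priv=${line%%|*};   line=${line#*|}
  user=${line%%|*};   line=${line#*|}
  net=${line%%|*};    line=${line#*|}
  pid=${line%%|*};    line=${line#*|}
  mounts=$line

  [ "$priv" = "true" ] && echo "$name: --privileged (all capabilities, raw device access)"
  [ -z "$user" ] || [ "$user" = "root" ] || [ "$user" = "0" ] && \
    echo "$name: runs as root inside the container (set --user, or use rootless docker/podman)"
  [ "$net" = "host" ] && echo "$name: shares the host network namespace"
  [ "$pid" = "host" ] && echo "$name: shares the host PID namespace"
  case ",$mounts" in
    *,/var/run/docker.sock,*|*,/run/docker.sock,*)
      echo "$name: Docker socket mounted (equivalent to root on the host)" ;;
  esac
  case ",$mounts" in
    *,/,*) echo "$name: host root filesystem bind-mounted" ;;
  esac
  return 0
}

audit_running() {
  # Inspect every running container and assess each one.
  for id in $(docker ps -q 2>/dev/null); do
    docker inspect --format "$FMT" "$id"
  done | while IFS= read -r line; do
    assess_line "$line"
  done
}

if command -v docker >/dev/null 2>&1; then
  audit_running
else
  echo "audit: docker CLI not found; nothing to audit" >&2
fi
```

None of these findings is a vulnerability by itself, but each one removes a layer that the posts above are relying on: a root process in a non-rootless engine that breaks out is root on the host, and a container holding the Docker socket can simply start a privileged sibling. Run it after every compose change, not only once.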
-
[email protected] replied to [email protected] last edited by
Ah, I figured... I used to do this with Wireguard instead of Tailscale.
-
[email protected] replied to [email protected] last edited by
In a nutshell, CGNAT users must spend money for something that people with IPv4 addresses can do for free.
-
[email protected] replied to [email protected] last edited by
And yet you've not provided one example, hmmmm
-
[email protected] replied to [email protected] last edited by
I've been wanting to do something similar, but with Authentik. Does anyone know a good guide on this?
-
[email protected] replied to [email protected] last edited by
Seriously?
Plex, Jellyfin, VaultWarden, AdGuard, Home Assistant, GameVault, any flavor of pastebin, any flavor of wiki, and the list goes on.
If you’re feeling spicy throw whatever the hell you want onto a reverse proxy and put it behind a zero trust login.
The idea that opening up anything at all through to the open internet is “dumb” is antiquated. Are there likely concerns that need to be addressed? Absolutely. But don’t make blanket statements about virtually nothing belonging on the open internet.
-
[email protected] replied to [email protected] last edited by
We wouldn't be in this mess if we switched to ipv6, but nOoOooOo... we can't possibly do that...
-
[email protected] replied to [email protected] last edited by
Lack of routability is a feature for ISPs, not a bug.
-
[email protected] replied to [email protected] last edited by
Most routers have a feature to assign static IPs to a specific MAC address. You can also tell most devices to try to take a specific IP instead of using DHCP.
There are multiple ways to set it up, but it’s very possible to set a specific device to always have the same local IP, which is usually the first step to many self-hosting scenarios.
-
[email protected] replied to [email protected] last edited by
I only let things I trust are secure (e.g. ssh) have access from the internet, other services I hide behind a VPN (e.g. Tailscale).
-
[email protected] replied to [email protected] last edited by
Absolutely that's what the internet was made for!
But family photos keep a bit more secure, particularly if it's syncing directly from your phone. I take a lot of explicit photos of my wife, but also code that I'm writing on my computer, or the kids playing, etc.
-
[email protected] replied to [email protected] last edited by
To be fair, wireguard is pretty painless.
-
[email protected] replied to [email protected] last edited by
Why would you need a reverse proxy if you use Tailscale? Can't you just use Tailscale domain names?