Just learned how to do a reverse proxy
-
[email protected] replied to [email protected] last edited by
Gotcha. Thanks for the insight!
It's annoying, as I'd like to expose things for other people in my family (like Overseerr or whatever) without hassling them to also start a VPN or other stumbling block steps.
I was hoping that a reverse proxy to Overseerr's login screen would be safe enough. 8(
Does docker help limit things at all? I'm running my services through docker, which seems to limit the folders the container can hit. Feels like that would limit the damage someone could do even if they bypassed the login page of Overseerr or whatever app it is?
-
[email protected] replied to [email protected] last edited by
Thanks for the insight! Does running this in a docker container help limit the damage at all? Seems like they'd only be able to access the few folders I have the container access to?
-
[email protected] replied to [email protected] last edited by
Sounds like Cloudflare tunnels. I used that for a while, until I realized I didn't want to be tied to Cloudflare.
-
[email protected] replied to [email protected] last edited by
Maybe a bit, but if you're not running rootless Docker and they get out of that container, they'll have the run of your Docker host. It is a lot of layers to crack, but sometimes they've got nothing but time, or it's been so long since the container's been updated that it's trivial. That's why rootless Docker or Podman, and Watchtower, are your friends.
-
[email protected] replied to [email protected] last edited by
First of all, let me make this absolutely clear: Docker is not expected to be secure to that level. While they try to make it hard for someone to escape a container, it's not their main concern, so expect that there are vulnerabilities that would allow an attacker to escape.
Now the second thing: the Overseerr login screen might be secure enough for your case. The problem is that login is hard to do right, and Overseerr is doing several other things as well, so they might not give it enough emphasis, and even if they do, maybe the Immich devs don't, or any one of the dozens of other services, so there are dozens of possible points of failure. Things like Authelia or Google OAuth are focused on authentication, so they do that absolutely right, and then they become the only point of failure for authentication.
To be fair, if you keep things updated it's unlikely not having auth would be a problem. Mostly because most hackers won't even know of your server to begin with. And most systems are secure enough for most casual hacks. But it's an investment worth the time if you plan on making something available to the internet.
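The post above recommends a dedicated authentication layer (Authelia, an OAuth provider) in front of every exposed app instead of trusting each app's own login page. Here is an added example of what that looks like on the reverse proxy side; it is not code from the thread or from the Overseerr or Authelia projects. It is an nginx server block that asks Authelia to approve every request before it is passed to Overseerr. The hostnames (`overseerr.example.com`, `auth.example.com`), the upstream container names and ports (`overseerr:5055`, `authelia:9091`) and the certificate paths are assumptions; `/api/verify` is Authelia's forward-auth endpoint in the 4.x releases, but check it against the version you run.

```nginx
# Added example (not from the thread): Overseerr behind Authelia forward auth.
# Assumed names: overseerr.example.com, auth.example.com, upstream overseerr:5055,
# Authelia at authelia:9091, Let's Encrypt certificate paths.

server {
    listen 443 ssl;
    server_name overseerr.example.com;

    ssl_certificate     /etc/letsencrypt/live/overseerr.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/overseerr.example.com/privkey.pem;

    # Internal sub-request: nginx forwards only the request metadata to Authelia,
    # which answers 200 (session valid, policy allows) or 401 (no valid session).
    location /authelia {
        internal;
        proxy_pass http://authelia:9091/api/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location / {
        # Every request, including static assets and the API, is gated here.
        auth_request /authelia;

        # Pass the identity Authelia resolved to the app (optional, app-dependent).
        auth_request_set $user $upstream_http_remote_user;
        proxy_set_header Remote-User $user;

        # Not logged in: send the browser to the Authelia portal and come back here.
        error_page 401 =302 https://auth.example.com/?rd=$scheme://$http_host$request_uri;

        proxy_pass http://overseerr:5055;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the app's own login screen is only reachable after Authelia has accepted the session, so a flaw in the app's authentication is no longer directly exposed to the internet. It does nothing for the container or host layers discussed elsewhere in the thread; those stay separate controls. Check the effect with `curl -I https://overseerr.example.com/`, which should return a 302 to the Authelia portal rather than the Overseerr page.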
-
[email protected] replied to [email protected] last edited by
Ah, I figured... I used to do this with Wireguard instead of Tailscale.
-
[email protected] replied to [email protected] last edited by
In a nutshell, CGNAT users must spend money for something that people with IPv4 addresses can do for free.
-
[email protected] replied to [email protected] last edited by
And yet you've not provided one example, hmmmm
-
[email protected] replied to [email protected] last edited by
I've been wanting to do something similar, but with Authentik. Does anyone know a good guide on this?
-
[email protected] replied to [email protected] last edited by
Seriously?
Plex, Jellyfin, VaultWarden, AdGuard, Home Assistant, GameVault, any flavor of pastebin, any flavor of wiki, and the list goes on.
If you’re feeling spicy throw whatever the hell you want onto a reverse proxy and put it behind a zero trust login.
The idea that opening up anything at all through to the open internet is “dumb” is antiquated. Are there likely concerns that need to be addressed? Absolutely. But don’t make blanket statements about virtually nothing belonging on the open internet.
-
[email protected] replied to [email protected] last edited by
We wouldn't be in this mess if we switched to ipv6, but nOoOooOo... we can't possibly do that...
-
[email protected] replied to [email protected] last edited by
Lack of routability is a feature for ISPs, not a bug.
-
[email protected] replied to [email protected] last edited by
Most routers have a feature to assign static IPs to a specific MAC address. You can also tell most devices to try to take a specific IP instead of using DHCP.
There are multiple ways to set it up, but it’s very possible to set a specific device to always have the same local IP, which is usually the first step to many self-hosting scenarios.
-
[email protected] replied to [email protected] last edited by
I only let things I trust are secure (e.g. ssh) have access from the internet, other services I hide behind a VPN (e.g. Tailscale).
-
[email protected] replied to [email protected] last edited by
Absolutely that's what the internet was made for!
But keep family photos a bit more secure, particularly if it's syncing directly from your phone. I take a lot of explicit photos of my wife, but also code that I'm writing on my computer, or the kids playing, etc.
-
[email protected] replied to [email protected] last edited by
To be fair, wireguard is pretty painless.
-
[email protected] replied to [email protected] last edited by
Why would you need a reverse proxy if you use Tailscale? Can't you just use Tailscale domain names?
-
[email protected] replied to [email protected] last edited by
You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications.
Excuse me what? Here's my dumb ass navigating to "[device name]:[port]" over Tailscale.
I've tried this a couple times and I've always failed. I could never figure out how to get a http://service.domain request to my Nginx install to be proxied in the first place. I tried putting pihole on tailscale and setting that as tailscale's DNS. It blocked ads but I couldn't navigate to custom domains. I put NPM on tailscale hoping that was the issue. I looked for LocalDNS/CNAMES in tailscale to see if I could do it that way. Do I have to set a local machine as an exit node and do split DNS shenanigans, service.domain goes through to my local and everything else the wider web? Do I set a router node?!
Not expecting you to troubleshoot, I don't have time to see it through anyhow. Just annoyed at myself I couldn't figure it out and driven to try again.
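The setup the quoted reply describes, a reverse proxy that lives only inside the VPN plus your own DNS server handing out the proxy's internal address, has three pieces that all have to line up: a DNS record, a Tailscale DNS setting, and an nginx vhost that matches the name the browser sends. The following is an added example, not the thread's or any project's own configuration, showing the nginx piece and naming the other two. The proxy host's Tailscale address `100.101.102.103`, the service name `jellyfin.home.example`, and the local service port `8096` are constructed for the example.

```nginx
# Added example (not from the thread): a vhost reachable only inside the tailnet.
# Assumptions: the proxy host's Tailscale address is 100.101.102.103 (constructed),
# the service listens on the same host at 127.0.0.1:8096, and your own DNS server
# (e.g. a Pi-hole local record) resolves jellyfin.home.example to 100.101.102.103.

server {
    # Bind only to the tailnet address. The LAN and the public interface never see
    # this vhost, even if a router port-forward exists by mistake.
    listen 100.101.102.103:80;
    server_name jellyfin.home.example;

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade so the web UI's live features survive the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Explicit catch-all. Without it, a request whose Host header matches no vhost
# is silently served by the first server block, which is the usual reason
# "the name resolves but I get the wrong app" happens.
server {
    listen 100.101.102.103:80 default_server;
    return 444;
}
```

The DNS side: add a local record in your DNS server mapping `jellyfin.home.example` (or a wildcard for `home.example`) to `100.101.102.103`, then in the Tailscale admin console's DNS settings add that DNS server's tailnet address as a nameserver, restricted to `home.example` if you want split DNS so everything else keeps resolving normally. A quick check from a tailnet device is `nslookup jellyfin.home.example` (should answer `100.101.102.103`) followed by `curl -H 'Host: jellyfin.home.example' http://100.101.102.103/`; if the first works and the second returns nothing, the vhost name is the problem, not DNS. One caveat: binding to a specific address means nginx fails to start if `tailscaled` has not brought the interface up yet, so either order the services (systemd `After=tailscaled.service`) or listen on all addresses and restrict with `allow 100.64.0.0/10; deny all;` inside the server block. Traffic on the tailnet is already encrypted by WireGuard, so plain HTTP here is not exposed on the wire; TLS is still a good idea if you want browsers to stop warning, which a wildcard certificate obtained via DNS-01 handles without exposing anything.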
-
[email protected] replied to [email protected] last edited by
Nice one dude, I know the pain of not having nerdy friends to share shit like this with.