this post was submitted on 10 Jan 2025
tldr: I'd like to set up a reverse proxy with a domain and an SSL cert so my partner and I can access a few selfhosted services on the internet but I'm not sure what the best/safest way to do it is. Asking my partner to use tailscale or wireguard is asking too much unfortunately. I was curious to know what you all recommend.

I have some services running on my LAN that I currently access via tailscale. Some of these services would see some benefit from being accessible on the internet (ex. Immich sharing via a link, switching over from Plex to Jellyfin without requiring my family to learn how to use a VPN, homeassistant voice stuff, etc.) but I'm kind of unsure what the best approach is. Hosting services on the internet has risk and I'd like to reduce that risk as much as possible.

  1. I know a reverse proxy would be beneficial here so I can put all the services on one box and access them via subdomains but where should I host that proxy? On my LAN using a dynamic DNS service? In the cloud? If in the cloud, should I avoid a plan where you share cpu resources with other users and get a dedicated box?

  2. Should I purchase a memorable domain or a domain with a random string of characters so no one could reasonably guess it? Does it matter?

  3. What's the best way to geo-restrict access? Fail2ban? Realistically, the only people that I might give access to live within a couple hundred miles of me.

  4. Any other tips or info you care to share would be greatly appreciated.

  5. Feel free to talk me out of it as well.

EDIT:

If anyone comes across this and is interested, this is what I ended up going with. It took an evening to set all this up and was surprisingly easy.

  • domain from namecheap
  • cloudflare to handle DNS
  • Nginx Proxy Manager for reverse proxy (seemed easier than Traefik and I didn't get around to looking at Caddy)
  • Cloudflare-ddns docker container to update my A records in cloudflare
  • authentik for 2 factor authentication on my immich server
[–] tritonium@midwest.social 3 points 9 months ago* (last edited 9 months ago) (1 children)

Why do so many people do this incorrectly? Unless you are actually serving a public, then you don't need to open anything other than a WireGuard tunnel. My phone automatically connects to WireGuard as soon as I disconnect from my home WiFi, so I have access to every single one of my services and only have to expose one port and service.

If you are going through setting up caddy or nginx proxy manager or anything else and you're not serving a public.... you're dumb.

[–] RyeMan@lemmy.world 5 points 9 months ago (4 children)

What are you using to auto connect to VPN when you disconnect from your home wifi?

[–] g_damian@lemmy.world 3 points 9 months ago

WG Tunnel does that natively: you can whitelist some wifis and auto-connect on others, and optionally on mobile data.

[–] TieDyePie@lemmy.world 1 points 9 months ago

Tasker on Android; a bit faffy and shouldn't at all be necessary.

[–] tritonium@midwest.social 1 points 9 months ago* (last edited 9 months ago)

I set up Tasker to do it before there were any other options, but now there are apps that will handle this. I've not tried them because my Tasker script works perfectly, but I've noticed this one browsing F-Droid and it looks appealing: WG Auto Connect - https://f-droid.org/en/packages/de.marionoll.wgautoconnect/

[–] MMAniacle@lemm.ee 1 points 9 months ago

The Wireguard iOS app has an “on-demand” toggle that automatically connects when certain conditions are met (on cellular, on wifi, exclude certain networks, etc)
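The "tunnel up whenever I leave home Wi-Fi" behaviour the replies above describe for Android and iOS, written here as an added Linux example (not code from any commenter, nor from WG Tunnel, Tasker or WG Auto Connect): a NetworkManager dispatcher hook that reads nmcli state and drives wg-quick. The trusted SSIDs and the wg0 profile name are assumptions; the parser honours nmcli's backslash-escaped colons so an SSID containing ':' cannot slip past the trust check.

```python
import subprocess
TRUSTED_SSIDS = {"HomeNet", "HomeNet:5G"}  # assumed home networks: tunnel stays down here
WG_INTERFACE = "wg0"                       # assumed wg-quick profile name

def split_terse(line):
    """Split one line of `nmcli -t` output. nmcli escapes ':' and '\\' inside
    values with a backslash, so a plain str.split(':') mangles SSIDs with colons."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: take it literally
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def active_ssid(wifi_output):
    """SSID of the active Wi-Fi from `nmcli -t -f ACTIVE,SSID dev wifi`, else None."""
    for fields in map(split_terse, wifi_output.splitlines()):
        if len(fields) >= 2 and fields[0] == "yes":
            return fields[1]
    return None

def has_uplink(dev_output):
    """True if some real device is connected (`nmcli -t -f TYPE,STATE dev`)."""
    return any(len(f) >= 2 and f[0] != "loopback" and f[1] == "connected"
               for f in map(split_terse, dev_output.splitlines()))

def decide(wifi_output, dev_output, trusted=TRUSTED_SSIDS):
    """'down' on a trusted Wi-Fi or when offline; 'up' on any other uplink
    (untrusted Wi-Fi, ethernet, tethered phone)."""
    ssid = active_ssid(wifi_output)
    if ssid is not None:
        return "down" if ssid in trusted else "up"
    return "up" if has_uplink(dev_output) else "down"

def nmcli(*args):
    return subprocess.run(["nmcli", "-t", "-f", *args], capture_output=True, text=True).stdout

if __name__ == "__main__":  # run by a NetworkManager dispatcher hook on each change
    want = decide(nmcli("ACTIVE,SSID", "dev", "wifi"), nmcli("TYPE,STATE", "dev"))
    subprocess.run(["wg-quick", want, WG_INTERFACE], check=False)
```

Install it executable under /etc/NetworkManager/dispatcher.d/ and it re-evaluates the policy on every connectivity change; wg-quick's complaint when the interface is already in the requested state is harmless.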