this post was submitted on 19 Jan 2025
77 points (94.3% liked)

Selfhosted

52479 readers
1489 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I've been researching different ways to expose Docker containers to the internet. I have three services I want to expose: Jellyfin, Omnivore (Read-it-later app), and Overseerr.

I've come across lots of suggestions, like using Nginx with Cloudflared, but some people mention that streaming media goes against Cloudflared tunnel TOS, and instead recommend Tailscale, or Traefik, or setting up a WireGuard VPN, or using Nginx with a WireGuard VPN.

The amount of conflicting advice has left me confused. So, what would be the best approach to securely expose these containers?

top 43 comments
sorted by: hot top controversial new old
[–] MangoPenguin@lemmy.blahaj.zone 54 points 9 months ago (2 children)

Is it just you that needs access? VPN like Tailscale or Wireguard is the most secure option then, as it's not exposing any services to the internet.

Otherwise a reverse proxy in front of things like Traefik or Nginx, make sure things are automatically updated ASAP, and make sure auth is enabled on the services.

[–] tofuwabohu@slrpnk.net 10 points 9 months ago

Yeah, I feel like exposing ports 80 and 443 towards an up to date nginx/whatever is referred to as a super dangerous thing in this community and also the selfhosted subreddit. Recommending cloudflare is almost the default, which I find a bit sad given many people selfhost to escape the reliance on big monopolist companies.

One can add different layers of security of course, but having nginx with monitoring in it's own VM without keys to jump to another VM is enough of risk mitigation for me.

[–] MoonlitSanguine@lemmy.one 4 points 9 months ago (1 children)

Thankyou. Since it's just my devices (laptop/phone) that need access, I think WireGuard—or possibly Tailscale—seems like the best solution for me.

[–] MangoPenguin@lemmy.blahaj.zone 2 points 9 months ago

Tailscale is very easy and handles everything for you but you are relying on their services, so if you want to be 100% self hosted Wireguard is the way to go.

[–] plm00@lemmy.ml 18 points 9 months ago (1 children)

"Secure" and "exposed" are antonyms in this scenario, that's the nature of the beast. I use Nginx which I have a domain pointing to. Worst case scenario, a hacker brute forces access to my container and mucks around within the confines. As I understand from a WireGuard VPN, there's an added level of security. You have to use the VPN to get access to your home ports, and then you can access your Docker containers as configured. There's an added layer of security.

Some things to consider:

  • Do you have a target on your back?
  • Does your container contain sensitive data?
  • If so, does your container have access to external directories?
  • Does your project have security options like Geo Blocking, rate limiting, etc?

I've been running some local servers for a few years only behind Nginx. So far nothing bad has happened. But that doesn't mean something bad couldn't happen later.

[–] MoonlitSanguine@lemmy.one 1 points 9 months ago (1 children)

Thanks for the info.

Do you have a target on your back?

No.

Does your container contain sensitive data?

No.

If so, does your container have access to external directories?

I have a hard drive mounted to the media folder that Jellyfin can access, and also a config folder. Omnivore/Overseer will probably be similar once I add them. Could this be a problem?

  - '/home/${USER}/server/configs/jellyfin:/config'
  - '/home/${USER}/server/media:/data/media'

Does your project have security options like Geo Blocking, rate limiting, etc?

That is a good idea. Thankyou

[–] plm00@lemmy.ml 2 points 9 months ago

What I was referring to is called a Bind Mount, where host directories are exposed to the docker container. You may be fine if it's an external hard drive. I use bind mounts because they're easier to back up, but I acknowledge they are less safe.

You may be perfectly fine as you are now. My (and others) suggestions are for added security. As it stands, if there's no target on your bind, the only bad traffic you'll get are from bots trying to pick away at your domain and sub domains. Generally they're not a problem. But being extra safe costs nothing but time.

[–] maplebar@lemmy.world 10 points 9 months ago (1 children)

Do you actually want to expose the things to "the internet", or do you just want yourself (and an approved set of other users) to be able to access them from outside of your network?

If it's the former, you're going to want to learn about DNS, NAT, exposing ports, firewall settings, and network monitoring.

But if it's the latter, then I recommend checking out tailscale because that gives you and some friends LAN-like access with a great internal DNS and it works really well.

[–] HurlingDurling@lemmy.world 2 points 9 months ago (3 children)

The thing with tailscale is that its just a VPN connection -- from my understanding. Why not just self host your own VPN server?

[–] BCsven@lemmy.ca 3 points 9 months ago

Yes, but No, but. It's like an always on self discovering VPN. No need to connect and login if you lose connection or change from WiFi to cell to Ethernet, it just figures it out. And as other commentor said it is wireguard. So you can set it up yourself without a 3rd party, just takes a little bit of tech savvy skill and trasfering some public keys between each set of connections. Tailscale just makes it effortless.

[–] ikidd@lemmy.world 3 points 9 months ago

I'll just use Tailscale until they fuck it up, which I'm sure they will, eventually. It's not very hard to rebuild using something else for the 40 or 50 nodes I'm likely to have. I've done it before and I'm sure I'll do it again.

[–] maplebar@lemmy.world 2 points 9 months ago

Yeah it's wireguard under the hood iirc, so you probably could put in effort in order to achieve roughly what tailscale does, if you have the knowledge and time involved in doing that. I don't think there's any secret sauce that would be impossible to someone to DIY.

I don't blame people for being skeptical, especially those of us in the Linux, FOSS, and self-hosted world. I was skeptical too, because part of the reason I wanted to self-host was to move away from a dependency on companies, and I'm weary of the mere possibility of tailscale's eventual capitalist enshittification. But after trying it, I have to admit that it's been a game changer for me.

For me personally, tailscale is just an easy out-of-the-box solution that works well for what I want it to do (give me encrypted access to my server from anywhere in the world). I'm not so good at networking that I could get anywhere near the level of convenience that tailscale affords me, and I have too many other projects that I want to do before reinventing tailscale for myself. So instead I have a small free tailnet with all of my devices (and a couple other users' devices), and it has totally changed my relationship with self-hosting and my server.

In my view, It's a pretty good deal, for now at least.

[–] Evkob@lemmy.ca 9 points 9 months ago (1 children)

It depends on if you want to access it from anywhere (or give others access), or if you're only accessing your server from specific devices.

Since I only ever access my server from my phone or my desktop, I use Wireguard via wg-easy. You set it up as a docker container on your server and it gives you a neat web UI (defaults to port 51821) from which to add Wireguard clients. Once connected through Wireguard, you can access your services as if you're on the server's local network.

Note, you'll of course have to open up a port for Wireguard on your router for this to work, the default being 51820.

[–] harsh3466@lemmy.ml 3 points 9 months ago

wg-easy is fabulous! I use it too and I love it

[–] gdog05@lemmy.world 9 points 9 months ago (1 children)

My preference is just Cloudflare with or without nginx. Not sure if you're using a hypervisor or not but it makes things exceedingly easy and I feel plenty safe enough inside of a Cloudflare tunnel. I stream a lot of data from Jellyfin. All day long, several streams to several people for over a year now with no problems. Last I knew, Cloudflare removed the language about video streaming from their TOS. Not sure if that's changed but functionality on my end hasn't.

I am using Unraid but I've installed the Cloudflare tunnel in docker containers and TrueNAS without many issues. Takes a bit of copying/pasting to get set up but it's not terrible and everything is very responsive to make sure you're doing things correctly.

[–] Stupidmanager@lemmy.world 1 points 9 months ago

+1 for cloudflare. But I don’t use their tunnel products, I just expose my ports to only their known IPs. With cloudflare you have a nice “free” waf in front with tls that points to a secure(nginx proxy) or unsecured docker container. Audiobookshelf is a great example. Is best to use their dns product too, for easy management of your public facing sites.

[–] Fuzzypyro@lemmy.world 7 points 9 months ago (2 children)

Networking is fun because there are literally infinite potential options. There really isn’t a best option. It’s just what do you prefer. In my case I like to write a docker compose and write a tailscale container into it. I then set the service I want to expose either to my own tailnet or to the internet through funnel or though this other implementation I came up with a while back that I still need to do a write up on. Either way here is a guide i wrote with some docs as reference on my forgejo (git alternative). Docs are kinda a mess but hopefully it makes sense enough to help you out.

Tailscale docker compose examples

[–] nfms@lemmy.ml 3 points 9 months ago

I just installed tailscape and it works for my needs. Will read up on your docs. Thx

[–] MoonlitSanguine@lemmy.one 1 points 9 months ago

I've noticed 🥲, which hopefully means there’s no horribly wrong choice. I am leaning towards Tailscale, or maybe WireGuard. Thanks for the docs

[–] isgleas@lemmy.ml 5 points 9 months ago (1 children)

Depending on your level of paranioia. First, you don't expose your containers, but their port(s).

With a reverse proxy, you will likely expose only 1 port, 443, no matter how many apps/containers/ports it will be pointing internally. For this, having a proper dns setup will be key, and a service like cloudflare dns (not tunnel), which additionally you can proxy your proxy. Also, you will need certificates (letsencrypt) for your traffic to be encrypted. Here, everybody will potentially have access to your services.

Another option is a zero trust tunnel, but as you had seen streaming may break tos. It will be likely enforced if you stream a lot, but I seriously doubt you'll get any problem by having sporadic one or two users.

Tailscale, you need to add all the devices you need to access your services into the mesh, and you'll need to re-authenticate every one again every few months.

Setting up a VPN (selfhosted) will require your devices to sign into it when accessing your services, and it seems to me the best approach as this way you will nave the most control over your setting.

Don't forget to mention that, for this to work, your ISP should provide you with public IP, because if on CGNAT you will have to go with something like tunnels or tailscale.

[–] Asparagus0098@sh.itjust.works 3 points 9 months ago

For Tailscale you can disable key expiry on select devices.

[–] notfromhere@lemmy.ml 5 points 9 months ago (1 children)
  1. Never host anything that is externally accessible
  2. If you have to, put it behind a VPN (OVPN, Wireguard, IPSec, Tailscale, etc.)
  3. Certificate based authentication is preferred for VPN tunnels
  4. Always TLS encrypt your actual endpoints. Private CAs are most secure but a pain in the ass. Let’s Encrypt is very simple to set up in most cases.

Just my 2 cents.

[–] slazer2au@lemmy.world 1 points 9 months ago (1 children)

How is a private CA more secure then an offline CA with cross signed intermediate signing subCA?

[–] notfromhere@lemmy.ml 3 points 9 months ago (1 children)

You’ll have to explain that one to me.

[–] slazer2au@lemmy.world 1 points 9 months ago (1 children)

A public CA (Let's Encrypt, Komodo, GoDaddy, etc) don't actually sign certificates with their root CA certificate. The root CA creates a subCA (Or signing CA) that actually generates the certificates and the system holding the private keys of the root certificate is shutdown to prevent access but is brought back online every so often to update the revocation list.

You said a private CA is more secure so I am wondering how that is?

[–] notfromhere@lemmy.ml 1 points 9 months ago (1 children)

Because a private CA allows you to create a certificate and nobody else has the ability to create certificates unless you give them the keys or a signing CA. With Let’s Encrypt, you are trusting every major certificate authority to not create a cert on your domain; coupled with DNS poisoning means you would end up on a legit-looking but counterfeit website of yours.

[–] slazer2au@lemmy.world 1 points 9 months ago (1 children)

Nothing is stopping me from making a certificate from my offline CA for your domain.

Even if you don't trust the certificate the traffic is still encrypted.

[–] notfromhere@lemmy.ml 1 points 9 months ago

Yea that’s the whole trusting trust thing. You can theoretically set up hour browser to only trust your private CA and not trust any of the publicly trusted CAs. Depends on your threat model I suppose.

[–] Shimitar@feddit.it 4 points 9 months ago

Slap a good reverse proxy in front of it (nginx I what I use) and set it up with HTTPS using let's Encrypt. For added layer of security setup also some SSO like Authelia.

Or just go the VPN way but then, that will not be access from internet, only via VPN, only you will be accessing it.

[–] bruhduh@lemmy.world 4 points 9 months ago
[–] Shimitar@feddit.it 3 points 9 months ago (2 children)

Sorry third post. Trying to summarize.

  1. Get external access. Either via port-forward (you lucky American) or via VPS+ssh-tunnel or VPS+wireguard. Stay away from an hard dependency like tailscale and cloudflare (my personal opinion).

  2. Setup a reverse proxy with SSL certs via let's Encrypt (don't go wildcard, no need to, just add complexity)

That's the concept, implementation requires clearly extra steps...

See my wiki (https://wiki.gardiol.org/). O describe both the simple and the complex solution. But to be honest, the complex solution is not fully described yet.

[–] archomrade@midwest.social 2 points 9 months ago (1 children)

Is the reason you advocate avoiding VPN dependencies simply due to downtime if the tailscale service fails? Or is there a particular security vulnerability associated with using VPN subnets?

[–] Shimitar@feddit.it 2 points 9 months ago

Mostly not being dependent from a specific vendor, that's all.

I prefer to use a VPS of my choice that I can replace when I want or need to.

As far as its backed by wireguard its safe enough I guess.

[–] MoonlitSanguine@lemmy.one 2 points 9 months ago (1 children)

I am leaning towards Wireguard, as I don't think I'm behind a CGNAT. But, I’ll check out your wiki for more details though. Thankyou

[–] sxan@midwest.social 3 points 9 months ago

@shimitar's advice is what I'd go with.

Ideally:

  1. Set up a Wireguard subnet. Test it thoroughly, including restarting the server a couple of times.
  2. Close all ports except your Wireguard ports in your server firewall. Do this manually first (not persistent) and test.
  3. Make the firewall changes permanent.

Then, it kinda doesn't matter what else you do on the server, although you can fuss around with locking things down more.

Caveats:

  • you won't be able to use LetsEncrypt with this
  • accessing your services from an Android phone will be futzy, because Android is too stupid to be able to use more than one VPN at a time. Unless you don't use a VPN on your phone, in which case it won't be an issue.
  • you'll only be able to access your server from computers/systems in your Wireguard subnet, so make sure you include multiple devices in the config from which you can ssh

Wireguard is super easy to build VPN networks with, and there are tools (e.g. dsnet) to make it even easier.

[–] romandrajer@lemmy.world 3 points 9 months ago* (last edited 9 months ago)
[–] hendrik@palaver.p3x.de 3 points 9 months ago* (last edited 9 months ago)

It depends on your exact requirements and your definition of "secure". Lots of people like software like Tailscale. And it's relatively secure as it doesn't expose the services to the public but instead is an VPN. I personally don't like Cloudflare at all, but that's also a popular solution to get services exposed to the public internet. What I do is just use NGinx or NginxProxyManager, open up a port in my firewall and be done with it. No extra tunnel providers required and no Cloudflare that could be able to snoop on my connections. It also opens up connections to everyone else, so your software needs to be properly protected with passwords. But yeah, I can see how you get a bazillion different recommendations. I'd say if you prioritize security and it's just your devices connecting, and they can all install a special client, go for something like Tailscale.

[–] thr0w4w4y2@sh.itjust.works 2 points 9 months ago

Twingate is another option if it’s just device to device networking and you trust all the devices that are in your network. It’s free for personal use and peer to peer so no issues with TOS if you’re streaming.

[–] BlastboomStrice@mander.xyz 2 points 9 months ago

Interested in this as well, posting a comment here just to find the post more easily:)

[–] Shimitar@feddit.it 2 points 9 months ago

If you need also external access, because you are behind a CGNAT or in general have no public IP at all, get a VPS and setup some tunneling.

I don't like tailscale/cloudflare dependency so I have a different solution.

I have documented it all here: https://wiki.gardiol.org/

[–] MXX53@programming.dev 2 points 9 months ago

I just tried tailscale in the last month and it will now be my preferred way to access my services outside of my network.

[–] _cryptagion@lemmy.dbzer0.com 1 points 9 months ago

Why would you be using a cloudflare tunnel to stream media? You can do that just fine using any reverse proxy.

[–] MSids@lemmy.world -3 points 9 months ago

Lots of great ideas in this thread. It sounds like you prefer Jellyfin, but I always encourage people to consider Plex. Plex is excellent, and even if you prefer the features or interface of Jellyfin, you should never expose any application (Plex, Jellyfin, or otherwise) directly to the Internet. This should be non-negotiable. Plex uniquely solves for external access with the mobile/desktop apps and app.plex.tv by brokering client connections into your network without a NAT/PAT on your router or firewall. Plex also supports Google logins, which means that you can now have 2fa and potentially phishing-resistant 2fa if you secure your Google account with a passkey.

At my company we only expose our applications behind a WAF and firewall, and I see that some folks here have recommended Cloudflare. For those who may not know, it is no longer enough to simply rely on a firewall. When your application is built with components that may become vulnerable over time, it's critical to use a WAF.