Nice to know!
Allero
Interesting!
But I don't want to mix it too much. I do have a Docker on it with just some essentials, but overall I'd like to keep NAS a storage unit and give the rest to a different server.
I treat NAS as an essential service and the other server as a place to play around without pressure to screw anything.
I do remember that and take quite a few precautions. Also, nothing that can be seriously used against me is in there.
I will eventually!
But for all I understand, it is to put many services on one machine, and I already have a NAS that is not going anywhere.
No truly private photos ever enter the NAS, so on that front it should be fine.
VPN is not an option for several reasons, unfortunately.
But I do have a Let's Encrypt certificate and a firewall, and I ban an IP after 5 unsuccessful login attempts. I also have SSH disabled completely.
SSL Test gave me a rating of A.
Oh, nice! So I don't have just one, but many external IPs, one for every local device?
Where do I type rpi's IP, just in port forwarding? Or somewhere else?
I want the Nginx proxy, controlled through the Manager, to direct traffic to different physical servers based on subdomain.
I put in nas.my.domain and I get my Synology on its DSM port. I put in pi.my.domain and I get a service on my Pi.
Just me and the people I trust, but there are certain inconveniences around using VPN for access.
First, I live in a jurisdiction that is heavily restrictive, so VPN is commonly in use to bypass censorship.
Second, I sometimes access my data from computers I trust but can't install VPN clients on.
Third, I share my NAS resources with my family, and getting my mom to use a VPN every time she syncs her photos is near impossible.
So, fully recognizing the risks, I feel like I have to expose a lot of my services.
Thanks for the pieces of advice! Yes, I tried to connect from an external (mobile) network as well.
While not supportive of Big Tech, I do appreciate your piece of advice, and understand self-hosting needs differ!
P.S. Also beware, seems like there's a new attack through Tunnels:
Pretty solid! Though insta-ban on everything :80/443 may backfire - too easy to just enter the domain name without subdomain by accident.