this post was submitted on 19 Jan 2025
75 points (96.3% liked)

Selfhosted

I've been researching different ways to expose Docker containers to the internet. I have three services I want to expose: Jellyfin, Omnivore (Read-it-later app), and Overseerr.

I've come across lots of suggestions, like using Nginx with Cloudflared, but some people mention that streaming media goes against Cloudflared tunnel TOS, and instead recommend Tailscale, or Traefik, or setting up a WireGuard VPN, or using Nginx with a WireGuard VPN.

The amount of conflicting advice has left me confused. So, what would be the best approach to securely expose these containers?

[–] [email protected] 18 points 6 days ago (1 children)

"Secure" and "exposed" are antonyms in this scenario; that's the nature of the beast. I use Nginx which I have a domain pointing to. Worst case scenario, a hacker brute forces access to my container and mucks around within the confines. As I understand it, with a WireGuard VPN there's an added level of security. You have to use the VPN to get access to your home ports, and then you can access your Docker containers as configured. There's an added layer of security.

Some things to consider:

  • Do you have a target on your back?
  • Does your container contain sensitive data?
  • If so, does your container have access to external directories?
  • Does your project have security options like Geo Blocking, rate limiting, etc?

I've been running some local servers for a few years only behind Nginx. So far nothing bad has happened. But that doesn't mean something bad couldn't happen later.

[–] [email protected] 1 points 5 days ago (1 children)

Thanks for the info.

Do you have a target on your back?

No.

Does your container contain sensitive data?

No.

If so, does your container have access to external directories?

I have a hard drive mounted to the media folder that Jellyfin can access, and also a config folder. Omnivore/Overseer will probably be similar once I add them. Could this be a problem?

  - '/home/${USER}/server/configs/jellyfin:/config'
  - '/home/${USER}/server/media:/data/media'

Does your project have security options like Geo Blocking, rate limiting, etc?

That is a good idea. Thank you.

[–] [email protected] 2 points 5 days ago

What I was referring to is called a Bind Mount, where host directories are exposed to the Docker container. You may be fine if it's an external hard drive. I use bind mounts because they're easier to back up, but I acknowledge they are less safe.

You may be perfectly fine as you are now. My (and others') suggestions are for added security. As it stands, if there's no target on your back, the only bad traffic you'll get is from bots trying to pick away at your domain and subdomains. Generally they're not a problem. But being extra safe costs nothing but time.
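As an added example (not from anyone in this thread), here are the two bind mounts quoted above placed in a docker-compose service with the exposure reduced: the media mount is read-only, the container runs as an unprivileged user, and the port is bound to loopback so only the host's Nginx can reach it. The image name, port, and UID/GID are assumptions (jellyfin/jellyfin is the official image and 8096 is Jellyfin's default HTTP port).

```yaml
# Added example, not the thread's own configuration.
# Image name, port and UID/GID are assumptions; the two host paths are
# the ones quoted in the thread.
services:
  jellyfin:
    image: jellyfin/jellyfin
    # Run as an unprivileged host user so a compromised container cannot
    # write as root into the bind-mounted directories (UID/GID assumed).
    user: "1000:1000"
    volumes:
      # Jellyfin writes its database and cache here, so /config stays read-write.
      - '/home/${USER}/server/configs/jellyfin:/config'
      # The media library only needs to be read; ':ro' stops a compromised
      # container from deleting or modifying the host's media files.
      - '/home/${USER}/server/media:/data/media:ro'
    # Drop Linux capabilities the service does not use and block privilege
    # escalation (setuid binaries) inside the container.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    # Bind to 127.0.0.1 only: the reverse proxy on the host (Nginx in the
    # thread) becomes the only network path into the container.
    ports:
      - '127.0.0.1:8096:8096'
    restart: unless-stopped
```

With this layout the rate limiting and geo blocking mentioned earlier live in the Nginx config in front of port 8096, and the worst case for a compromised container is confined to the writable /config directory rather than the whole media library.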