this post was submitted on 19 Jan 2025
75 points (96.3% liked)

Selfhosted

41376 readers
844 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
75
Secure Way to Expose Docker Containers to the Internet? (lemmy.one)
submitted 6 days ago by [email protected] to c/[email protected]
43 comments fedilink hide all child comments
 

I've been researching different ways to expose Docker containers to the internet. I have three services I want to expose: Jellyfin, Omnivore (Read-it-later app), and Overseerr.

I've come across lots of suggestions, like using Nginx with Cloudflared, but some people mention that streaming media goes against Cloudflared tunnel TOS, and instead recommend Tailscale, or Traefik, or setting up a WireGuard VPN, or using Nginx with a WireGuard VPN.

The amount of conflicting advice has left me confused. So, what would be the best approach to securely expose these containers?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 5 days ago (1 children)
  1. Never host anything that is externally accessible
  2. If you have to, put it behind a VPN (OVPN, Wireguard, IPSec, Tailscale, etc.)
  3. Certificate based authentication is preferred for VPN tunnels
  4. Always TLS encrypt your actual endpoints. Private CAs are most secure but a pain in the ass. Let’s Encrypt is very simple to set up in most cases.

Just my 2 cents.

[–] [email protected] 1 points 5 days ago (1 children)

How is a private CA more secure then an offline CA with cross signed intermediate signing subCA?

[–] [email protected] 3 points 5 days ago (1 children)

You’ll have to explain that one to me.

[–] [email protected] 1 points 5 days ago (1 children)

A public CA (Let's Encrypt, Komodo, GoDaddy, etc) don't actually sign certificates with their root CA certificate. The root CA creates a subCA (Or signing CA) that actually generates the certificates and the system holding the private keys of the root certificate is shutdown to prevent access but is brought back online every so often to update the revocation list.

You said a private CA is more secure so I am wondering how that is?

[–] [email protected] 1 points 5 days ago (1 children)

Because a private CA allows you to create a certificate and nobody else has the ability to create certificates unless you give them the keys or a signing CA. With Let’s Encrypt, you are trusting every major certificate authority to not create a cert on your domain; coupled with DNS poisoning means you would end up on a legit-looking but counterfeit website of yours.

[–] [email protected] 1 points 5 days ago (1 children)

Nothing is stopping me from making a certificate from my offline CA for your domain.

Even if you don't trust the certificate the traffic is still encrypted.

[–] [email protected] 1 points 4 days ago

Yea that’s the whole trusting trust thing. You can theoretically set up hour browser to only trust your private CA and not trust any of the publicly trusted CAs. Depends on your threat model I suppose.