this post was submitted on 12 Jul 2023
19 points (91.3% liked)

Running a TrueNAS Scale server with Jellyfin and planning to add Nextcloud. How would I be able to access these services from outside my network? I have heard portforwarding is unsafe and a VPN seems inconvenient to me.

[–] [email protected] 15 points 1 year ago (3 children)

Port forwarding is unsafe, but even crossing the road is unsafe. Do you cross the road without watching? In the same way, you just don't put a published server online without doing regular updates. You set up Docker, run Nextcloud (Docker) behind Nginx Proxy Manager, and have Watchtower update them regularly. You can also set up 2FA in Docker and pair it with fail2ban.

Every port open widens the attack surface, but those services are made to be published, so there are mitigations against the risks.

[–] [email protected] 2 points 1 year ago (1 children)

I've said this many times before, but it seems relevant here, too. Using a reverse proxy is a good step for security, but you will still want to block certain incoming connections on your firewall. I block everything except for our cell phone provider, my partner's employer, and my employer. We will never be accessing my network from any other source. At the very least, block everything and whitelist your own country; this will prevent a lot of illegitimate connections. If you're using pfSense, the pfBlockerNG plugin makes this very easy to do.

[–] [email protected] 2 points 1 year ago

Yeah, absolutely good point, it's something that can be done in opnsense as well. Certainly blocking any bloc outside your country (or region maybe in Europe) makes sense. I block everything outside RIPE, and also China and Russia.

[–] [email protected] 1 points 1 year ago (2 children)

How does watchtower work with compose stacks? Does it update the whole stack (docker compose pull && docker compose up) in one go or each container individually?

[–] [email protected] 3 points 1 year ago (1 children)

Found out the hard way, it does not. Now I just run a script every week (pull and compose up).

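The weekly "pull and compose up" script mentioned above, written here as an added example (not the commenter's own script): it walks a list of compose project directories, pulls before recreating so a failed pull leaves the running stack untouched, and prunes images no longer referenced. The stack paths, log location and the `DOCKER` override are assumptions.

```bash
#!/usr/bin/env bash
# Weekly updater for docker compose stacks (example; adjust paths to your layout).
# Usage: compose-update.sh /srv/nextcloud /srv/npm   (from cron or a systemd timer)
set -eu

DOCKER="${DOCKER:-docker}"                       # assumed override hook for testing
LOG="${LOG:-/var/log/compose-update.log}"        # assumed log location

log() { printf '%s %s\n' "$(date -u +%FT%TZ)" "$*" | tee -a "$LOG" >&2; }

# Update one stack directory. Returns 1 when the directory has no compose file,
# so a typo in the stack list is reported instead of silently skipped.
update_stack() {
    local dir="$1"
    if [ ! -f "$dir/compose.yaml" ] && [ ! -f "$dir/docker-compose.yml" ]; then
        log "skip $dir: no compose file"
        return 1
    fi
    log "updating $dir"
    # Pull first: if the registry is unreachable, nothing running is touched.
    "$DOCKER" compose --project-directory "$dir" pull --quiet
    # 'up -d' recreates only services whose image or configuration changed.
    "$DOCKER" compose --project-directory "$dir" up -d --remove-orphans
}

# Update every stack, keep going past failures, return how many failed
# (non-zero exit lets cron/systemd flag a partially failed run).
update_all() {
    local failed=0 dir
    for dir in "$@"; do
        update_stack "$dir" || failed=$((failed + 1))
    done
    # Drop images no container references any more (old versions).
    "$DOCKER" image prune -f >/dev/null
    log "done: $# stacks, $failed failed"
    return "$failed"
}

if [ "$#" -gt 0 ]; then
    update_all "$@"
fi
```
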
[–] [email protected] 1 points 1 year ago

That's my current solution, I just hoped I could properly automate that.

[–] [email protected] 1 points 1 year ago

AFAIK one container at a time. Since the different parts of a stack (e.g. app and db) have different release cycles it's not a problem (or it hasn't been for me).

Also, the important bit (from a security perspective) is the front end (i.e. the web app).

[–] [email protected] 1 points 1 year ago (2 children)

and have watchtower update them regularly

Does this help with Nextcloud on docker?

[–] [email protected] 1 points 1 year ago

If you use the linuxserver.io image, as of last month, yes. They migrated to everything being updated through the Docker container.

[–] [email protected] 1 points 1 year ago

Now you make a good point: you also have to perform the update within the app in Nextcloud. I use a custom image so I have to do it anyway; I hadn't realised that.

But I guess NPM is the one that needs to be updated automatically to avoid most of the attacks on the web.