this post was submitted on 19 Jun 2023

Self Hosted - Self-hosting your services.
I have a self-hosted server running yunohost that I use for a few services for my own use, all of which require login to use, so they're safe enough.

However, I'm increasingly uncomfortable with the fact that anyone can discover my home IP via my domain name, especially if I decided to install something like Lemmy or Mastodon.

Yunohost installs dyndns as part of its setup but, aside from buying a fixed IP from a VPN provider that allows incoming connections, I'm not sure what other options I have.

I can't change very much on the modem router either. I can forward ports but that's about it.

I can add and manage new domains if necessary.

Any and all ideas welcome but, as you can guess from the fact I'm using yunohost, my networking knowledge is limited so please eli5 :)

[–] [email protected] 5 points 1 year ago (3 children)

I've hidden everything behind Wireguard.
Externally, my server doesn't even have open ports. Everyone who uses my services gets a Wireguard key.

Don't know how many people you wanna service, or if it's just you, but Wireguard could be a viable solution.

[–] [email protected] 4 points 1 year ago

Same here. I'm too paranoid, and checking access logs and attempts made me stop keeping any port other than wireguard open.

[–] [email protected] 1 points 1 year ago (1 children)

How do you handle services that run on devices that can't implement wireguard, like say a Roku or something? Just don't allow?

[–] [email protected] 1 points 1 year ago

In my case Wireguard acts as access to my personal LAN, where all my services (in virtual containers or physical computers) are located. I'm just pointing to their addresses inside my LAN, which I can access through Wireguard.

[–] [email protected] 1 points 1 year ago

This is what I do.

If all you have is a single open port listening for wireguard connections, that's a pretty small surface area to expose.

[–] [email protected] 2 points 1 year ago

If you are cool with using Cloudflare, you can use Argo Tunnel to expose HTTP(S) services to the internet with DDoS protection and all of Cloudflare's features.

They made it free some time ago; you just need a pc/server in your network running the cloudflare agent software.

https://www.cloudflare.com/products/tunnel/

[–] [email protected] 2 points 1 year ago (2 children)

I've had to find a solution similar to what you are looking for. My need was due to being double-NAT'ed, where I had no control over the internet-facing router/NAT.

Personally, my solution was to use Oracle Cloud's free tier service to host an NGINX reverse proxy, as Oracle also offers free static IPs to their compute instances. From there I used Tailscale to join the instance to a Proxmox container running Docker on my server, running the services I wanted exposed to the internet (Emby and a few 'Arrr apps). I've found it to be remarkably stable (much more than I expected).

An alternative method is to use Cloudflare tunnels, which are very easy to get set up. In essence it is the same principle as above but using Cloudflare's 'reverse proxy as a service' type product. I was not able to use this for my needs as Cloudflare do not allow media streaming.

If you do choose the first option, I would recommend isolating the server running the exposed services to its own network that cannot touch your day-to-day network. I also recommend configuring ACLs in Tailscale to restrict traffic to specific ports from specific hosts to minimise any risk of having exposed services. Oh, and automatic updates to the OS and services are ideal.

I saw you are using basic HTTP auth; whilst it is secure enough, it does have some issues with making connections more difficult, particularly if you are using any of your services' APIs (it is also not the best user experience IMO). I would recommend setting up OAuth/SSO if yunohost supports it.

Lastly, as other users have said, even if you don't use either suggestion, put a reverse proxy on it. NGINX Proxy Manager is a nice friendly solution with a web GUI if you are not too familiar with proxy configs.

[–] [email protected] 1 points 1 year ago

Thank you, I'll look into that.

[–] [email protected] 1 points 1 year ago

You have several options these days:

  1. Use Cloudflare in DNS proxy mode and run a dynamic DNS updater so Cloudflare always points to your correct IP address. By using Cloudflare DNS in proxy mode, your real IP address will be hidden because all traffic will be routed via Cloudflare servers first. The disadvantage is it only works for HTTP/HTTPS services. If you need to route other services/ports (e.g. SSH) you'll need to use Cloudflare Tunnel.

  2. Rent a small VPS and use it as a bastion server. Add your home server and the VPS into a Tailscale or ZeroTier network, and then configure it to route traffic to your home server. I personally use this method because it gives me full control and flexibility over using Cloudflare, but it is harder to set up.
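The "VPS bastion joined to the home server over Tailscale" design from option 2, and the earlier comment's advice to restrict it with Tailscale ACLs to specific ports from specific hosts, as an added example (not any commenter's own policy). Tailscale's policy file is HuJSON, so comments are allowed; the tag names, the proxied ports and the assumption that both machines were joined with `tailscale up --advertise-tags=...` are mine.

```jsonc
// Tailscale policy file (HuJSON). Assumed tags: tag:bastion for the VPS
// running the reverse proxy, tag:homesvc for the home container behind it.
{
  "tagOwners": {
    "tag:bastion": ["autogroup:admin"],
    "tag:homesvc": ["autogroup:admin"]
  },
  "acls": [
    // The VPS may reach the home service only on the ports the proxy
    // forwards. Tailscale ACLs are default-deny, so the home container
    // cannot open connections back to the VPS or to other devices.
    {"action": "accept", "src": ["tag:bastion"], "dst": ["tag:homesvc:80,443"]},
    // Your own logged-in devices keep full access for administration.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["*:*"]}
  ]
}
```

With this in place, a compromise of the internet-facing VPS only yields the two proxied ports on one tagged host rather than the whole tailnet, which is the point of the "isolate it from your day-to-day network" advice.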

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Google cloudflared tunnels, ZeroTier and Tailscale. They all solve this exact problem. I've been using cloudflared tunnels to host without exposing my IP for a while now; it's relatively easy for https services.

Edit: also, just because services require login doesn't necessarily make them secure if their implementation is terrible. It's best practice to use a reverse proxy like nginx, which specialises in having not shit security for authentication, and proxy your services behind it.
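A cloudflared tunnel configuration of the kind this comment and the earlier Cloudflare comments refer to, as an added example rather than any commenter's setup. The tunnel UUID, credentials path, hostnames and local ports are placeholders and assumptions.

```yaml
# /etc/cloudflared/config.yml (assumed path). The connector dials out to
# Cloudflare, so nothing is port-forwarded on the home router and the public
# DNS records (created with `cloudflared tunnel route dns <name> <hostname>`)
# resolve to Cloudflare, not to the home IP.
tunnel: <TUNNEL-UUID>                    # placeholder from: cloudflared tunnel create <name>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Only hostnames listed here are reachable; each maps to one local service.
  - hostname: wiki.example.net
    service: http://localhost:8080
  - hostname: files.example.net
    service: https://localhost:8443
    originRequest:
      noTLSVerify: true                  # local service uses a self-signed cert
  # Mandatory catch-all: any other hostname gets a 404 instead of falling
  # through to a default backend.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the file, and `cloudflared tunnel ingress rule https://files.example.net` shows which rule a URL would match; both are useful before exposing anything. As the thread notes, this only covers HTTP(S) traffic, and the connector only makes outbound connections, so the home IP never appears in public DNS.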

[–] [email protected] 1 points 1 year ago

It's best practice to use a reverse proxy like nginx ... for authentication

What kind of authentication are you using for nginx? Just basic http authentication with a .htpasswd file?

That's what I'm using right now, but I've found that not all services play nice with it.
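An nginx reverse proxy with basic auth of the sort discussed in this exchange, as an added example and not any commenter's configuration. It shows the `.htpasswd` setup and, for the "not all services play nice with it" case, a separate API location that skips the browser credential prompt but is only reachable from a WireGuard tunnel subnet instead of from the open internet. Hostnames, ports, certificate paths, the backend port and the 10.66.66.0/24 subnet are assumptions.

```nginx
# /etc/nginx/conf.d/app.conf (assumed path). Certificate issuance is assumed
# to be handled elsewhere (e.g. by yunohost or certbot).
server {
    listen 443 ssl http2;
    server_name app.example.net;

    ssl_certificate     /etc/letsencrypt/live/app.example.net/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/app.example.net/privkey.pem;

    # Browser-facing UI: nginx demands credentials before any request reaches
    # the backend, so a weak application login is no longer the first line.
    location / {
        auth_basic           "Private";
        # Create with: htpasswd -B -c /etc/nginx/.htpasswd alice   (-B = bcrypt)
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # API clients (mobile apps, scripts) usually cannot send a second set of
    # credentials, which is what breaks under basic auth. Rather than turning
    # auth off for this path on the internet, accept it only from the
    # WireGuard subnet; the application's own token/login still applies.
    location /api/ {
        allow 10.66.66.0/24;
        deny  all;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Redirect plain HTTP so basic-auth credentials are never sent in the clear.
server {
    listen 80;
    server_name app.example.net;
    return 301 https://$host$request_uri;
}
```

Basic auth is only base64, not encryption, so it must sit behind TLS as above. If you would rather let a location be reached either from the tunnel or with a password, add `satisfy any;` next to the `allow`/`deny` and `auth_basic` directives; nginx's default is `satisfy all`, which requires both.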

[–] [email protected] 1 points 1 year ago (1 children)

Running a federated service on your home network is just a bad idea in general. You're screaming to the world "hey look, there's a server running potentially exploitable software here!" Even if you hide the IP behind a VPN.

For everything else not so public as a federated service, the best bet is to install a WireGuard VPN server on your network. Set it to some random high number port. Undetectable, basically. Then when you're away from home just connect to the VPN and it's basically just like you're still hooked to your WiFi at home.
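A minimal WireGuard layout matching this comment and the "everything behind Wireguard" thread above, as an added example rather than any commenter's files: one UDP port forwarded on the router, one key per person, each peer pinned to its own tunnel address, and LAN services reached by their normal LAN addresses through the tunnel. The interface names, the 10.66.66.0/24 tunnel subnet, the 192.168.1.0/24 LAN, port 51820, the dyndns hostname and all key placeholders are assumptions.

```ini
# --- /etc/wireguard/wg0.conf on the home server (assumed path) ---
# The router forwards only UDP 51820 to this host; nothing else is exposed.
# Requires net.ipv4.ip_forward=1 in sysctl so tunnel traffic can reach the LAN.
[Interface]
Address    = 10.66.66.1/24
ListenPort = 51820
PrivateKey = <SERVER-PRIVATE-KEY>      ; placeholder; generate with: wg genkey
; eth0 is the assumed LAN-facing interface.
PostUp     = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown   = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

; One [Peer] block per person. AllowedIPs is also a source filter: packets
; from this key are dropped unless they carry its assigned tunnel address.
[Peer]
; alice's phone
PublicKey    = <ALICE-PUBLIC-KEY>
PresharedKey = <ALICE-PSK>             ; optional extra symmetric key: wg genpsk
AllowedIPs   = 10.66.66.2/32

# --- client config handed to alice (her phone) ---
[Interface]
Address    = 10.66.66.2/32
PrivateKey = <ALICE-PRIVATE-KEY>
DNS        = 192.168.1.1               ; optional: resolve LAN names via the home router

[Peer]
PublicKey    = <SERVER-PUBLIC-KEY>
PresharedKey = <ALICE-PSK>
Endpoint     = home.example.net:51820  ; the dyndns name; only this UDP port is forwarded
; Only the tunnel subnet and the home LAN go through the tunnel; everything
; else stays on the phone's normal connection.
AllowedIPs   = 10.66.66.0/24, 192.168.1.0/24
PersistentKeepalive = 25               ; keeps the NAT mapping open from behind the phone's NAT
```

Bring it up with `wg-quick up wg0` and check handshakes with `wg show`. WireGuard does not reply to packets that fail authentication, so a scan of the forwarded port sees nothing, which is the "undetectable" behaviour the comment describes; revoking a person is deleting their `[Peer]` block and reloading.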

[–] [email protected] 1 points 1 year ago

That's a good point. My thinking was to try and avoid high VPS costs. Anything more than €10 is out of my price range really, and this seemed a way of running via a high spec machine without a high price.

[–] [email protected] 0 points 1 year ago (1 children)

Exposing your IP doesn't matter at all. Any site you browse will have it.

[–] [email protected] 1 points 1 year ago

Except I don't browse via my server; I browse behind a VPN client on my PC/phone etc. The server, on the other hand, is not behind a VPN client, as most providers don't offer a fixed IP or allow port forwarding. Therefore, if anyone knows my domain name, they can get my ISP-provided IP, which resolves my location far too accurately for my liking.