this post was submitted on 27 May 2024
19 points (95.2% liked)

Selfhosted

39435 readers
11 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I have been using no-ip for around two years to remotely access my hosted service, I mostly use their free service except for a few 5 months offers I bought.

Recently, I received a full year offer in email for 8$ (COUPON CODE: MAY8), and I was wondering whether to get that or buy a 2 years domain for the same price (FROM hostinger or namecheap).

I have never bought a doamain before and my knowledge is limited to what I mostly read here. So, per your opinion, what would be better in term of usability and security, a DDNS on the router and a port open per hosted-service? or a domain with reverse proxy?

all 17 comments
sorted by: hot top controversial new old
[–] [email protected] 8 points 5 months ago* (last edited 5 months ago)

I use porkbun for my domains, cloudflare for dns, ddclient connecting to the cloudflare api for dynamic dns, and traefik as a reverse proxy to send subdomains to their respective service.

The only part I have to pay for is the porkbun domain.

$8 for a year is a good deal, but be ready to switch when that expires.

[–] [email protected] 4 points 5 months ago (2 children)

I'm a big fan of cheap (as in ~$10/yr vps) and reverse proxy over wireguard. My home ip isn't exposed and I'm able to quickly spin new containers up by updating my reverse proxy config and adding a wireguard peer.

I keep two VPSs- one as reverse proxy for all my miscellaneous services and another solely for email. The latter port forwards raw traffic over wireguard to my email server container. That way, even if the VPS gets compromised, my personal data remains secure.

I end up paying ~ $30/yr (+ whatever I'm paying in electricity) for domain + VPS. It's a bit more involved than tailscale, etc, but I'm willing to put in a little extra work to make sure I'm not at the mercy of some company getting up to some rent-seeking bullshit.

[–] [email protected] 1 points 5 months ago (1 children)

What $10/yr vps are you using?

[–] [email protected] 2 points 5 months ago

Racknerd via the coupon @ Low end box.

The full price is like $24/yr, so even if it goes up, meh.

[–] [email protected] 1 points 5 months ago

Seems excessive.

[–] [email protected] 2 points 5 months ago* (last edited 5 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

7 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #767 for this sub, first seen 28th May 2024, 00:05] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 5 months ago

Getting a domain name may not be enough, if you don’t have a static IP you’ll still need a DDNS service.

What do you get for the paid no-ip service? Is it just a nice subdomain? You can get a custom domain and use a CNAME record to point one or more subdomains to a free DDNS subdomain.

[–] [email protected] 1 points 5 months ago

i buy my domains from namecheap but i use cloudflare for name servers (free tier, dns only for everything) and have ddclient (or whatever the newest version is called now) which runs on my router. my current settings only update cloudflare when the interface changes, and then update time after the change is about 15 minutes for propagation. i work in the network department of my isp so my address doesn't change often, but the isp side of my setup is identical to any other subscriber. i use opnsense, but also manage a very small pfsense box that this works on as well. i update ipv4 dynamically, but not ipv6 yet, but i will.

[–] [email protected] 1 points 5 months ago (1 children)

I opted for dynamic dns and reverse proxy. I configured my reverse proxy to use TLS and also to require client certificates, which I install on my devices. You get so much flexibility and added consistency to your application security that I feel it is a must.

[–] [email protected] 1 points 5 months ago (2 children)

Would you please share what dynamic dns provider you use? I remember trying to set nginx pm to use my no-ip hostname (xyz.ddns.net) but I could not figure out how to link my hosted-services as subdomains (say portainer.xyz.ddns.net)

[–] [email protected] 1 points 5 months ago

I’m using Dynu for DDNS. They support subdomains as part of their DNS. You can configure nginx to service/route requests to each subdomain differently.

[–] [email protected] 1 points 5 months ago (1 children)

Another option is subpaths: xyz.ddns.net/portainer

Just one open port, to your reverse proxy (nginx or other).

The client updating no-ip with your dynamic IP is independent of the reverse proxy software.

[–] [email protected] 2 points 5 months ago (1 children)

Another option is subpaths: xyz.ddns.net/portainer

While you can do that, you should be aware of the security implications (every application can see and modify every other application's cookies). If at all possible, I would try to avoid this setup.

[–] [email protected] 1 points 5 months ago

I second that. This practice comes from a time where domain names were expensive, in many ways: SNI didn't exist/wasn't wide-spread, so each domain name on HTTPS needed a dedicated IP, Certificates weren't democratized yet via letsencrypt/acme and most hosts were big enough to run multiple services, because virtualization wasn't as widely available yet. So putting apps on sub-paths made sense.

Now all of those things are basically dealt with and putting each app on its own sub-domain just makes way more sense.

[–] [email protected] 1 points 5 months ago (1 children)

What about neither and tailscale (free) on all your devices? Or are you often phoning home on outside devices?

I personally bought a domain name (namecheap) for my vps. Then I set up ddclient on my home pc to fetch my external IP every so often and update namecheap. But I didn't feel it was secure enough. Tailscale is easier, and i feel like it adds a layer of security.

[–] [email protected] 1 points 5 months ago

I use tailscale and it is great, i dont mind activating a vpn whenever i want to acces my services, but that is an extra weird step for my sister to access my jellyfin library. Do you use a reverse proxy? If so how many ports do you have exposed (say for 10 hosted services)?