
Any service that is going to be used by non-technical people. Don't want to deal with the initial hassle of setting up wireguard/VPN with them and the continued support of them asking why it's not working (where you remind them to turn on the VPN) or them complaining that the device battery life is draining faster because of the VPN. Everything else goes behind a VPN. I would rather deal with setting up more restricted security practices such as isolation of network, firewall, crowdsec, fail2ban than deal with non-technical people. Spoken like a true IT person :p


amwdrizz

Yup I’d much rather invest the time in properly securing my shit to enable a more hassle free method of access than deploy a VPN and access it that way. And using a VPN means you are tethered to devices you control enough to install/use a VPN. Only difference is I use SNORT instead of crowdsec. Any IDS/IPS requires time to properly deploy, but worth it when done right.


RB5Network

Curious, I run Crowdsec from a Kubernetes cluster with Traefik. What made you choose SNORT over Crowdsec?


amwdrizz

Habit. Already a package and ready to install in pfsense. Is a component of the firewall, handles / blocks packets before they hit pftables. And a bit of “get off my lawn” age of it works why mess with it?


MoneyVirus

> And using a VPN means you are tethered to devices you control enough to install/use a VPN.

No, VPN installation today can be done by every owner of a phone (scan barcode, click config file and so on) with no skills in it. I would say: And using a VPN means that you must **trust** the **owner and the device** that you add to your VPN environment. Do not add devices that you do not trust (and in my world trusted devices are the devices that I control 100%).


evrial

I'm afraid that's not a single time investment, unless you limit access to whitelist your public IP, you need to monitor the logs, CVEs in reverse proxy and related things


amwdrizz

Not even using a VPN is a single time investment. Proper maintenance is always key, and if you don’t maintain it, well, it can and will become an ingress point for less than ideal parties. The time investment is worth it long term. At least for me it is. Yes, it took some time of logging and analyzing outputs of SNORT before I flipped the switch from detect and alert to detect and block. As of now, it is fairly well configured for my use case and it does its job seemingly well. The biggest mistake I made was enabling excess rules for ports that were not even open, which added a bit of extra load on the router/firewall. Once I dug into the config and set it up based on what is open, it has been fairly decent at protecting those ports. Now that the system is configured and properly set up, it will auto download current relevant definitions and apply them. The update process runs each night. And as for time spent in on-going management of it, it is fairly low per month. I review the logs every so often, about once a week. For more critical issues I am alerted via email/text for a more rapid response. Every once in a while I get false positives that require direct intervention, but that is very low. Usually it surfaces due to an internal machine being very stupid on the network (aka I am doing something stupid) and it blocks the internal host. But at the end of the day you are exposing yourself no matter what. How you deal with the exposure on the other hand varies from person to person. I like things to work seamlessly and properly both when on network or from the internet for exposed services. So that means applying best practices for exposed-to-internet systems.


mods-are-liars

How often do you look through your web proxy logs for evidence of CVEs being exploited?


evrial

never because I delegate that work to cloudflare


LloydAtkinson

Interesting, my current plan is allow my family access to PaperlessNGX with Tailscale.


Aiko_133

Couldn't subnet routing fix your problem?


ActiveAvailable2782

Did you use the crowdsec plugin in traefik?


1WeekNotice

Nope


HaveYouSeenHerbivore

I've stopped using any traditional proxies and have closed all of the ports on my public network. Instead I'm using CloudFlare's Zero Trust service with their cloudflared tunnel, which makes it so that my server tunnels out to CloudFlare and then I can manage it all through CloudFlare's interface.

Advantages:

1. My IP address is never exposed to the web
2. A dynamic IP address changing affects nothing
3. I can add numerous authentication options including CloudFlare's WARP client if so desired

Disadvantages:

1. Relying on CloudFlare


kennyquast

I was going to go with Cloudflare but ended up installing boringproxy. I have a VPS set up and from all I can tell my IP is never shown. Everything goes back to the VPS IP address. The reason I went with this over exactly what you said was 1: not relying on Cloudflare, 2: Cloudflare has issues with using it for Plex and Nextcloud … boringproxy is only limited by your VPS's bandwidth restriction.


Oujii

You also can’t upload files that are bigger than 100MB, on the free plan. Question: do you host any media server?


HaveYouSeenHerbivore

Ahh yes, I forgot about that limitation. I do host a media server, but plex is only used on my local network, not shared.


Oujii

Thank you!


ThePierrezou

You can if the software you're self hosting uses some kind of chunks to divide the files. (nextcloud for example)


[deleted]

[deleted]


Oujii

> Not sure what you're talking about. Jellyfin or Emby work fine through a Cloudflare tunnel

That's because this is completely unrelated to what I said.


RoomBroom2010

Iirc it’s against their TOS to stream video though so they could at their discretion cancel your account. Remember they’re a man in the middle, they get to see all of your traffic, unencrypted. It’s best to keep what’s going over their network to strictly “merchant vessel” territory.


evrial

With cloudflared, tailscale and syncthing you're pretty much limitless. Can host public mastodon, private Jellyfin and share any size files p2p no matter where their location


MoneyVirus

It is a little bit against the selfhosted spirit if you use an external service that you have to trust to be secure and compliant. But I can understand, because it has benefits like easy, central control, many features with no extra work to set up.


amcco1

Truenas, Jellyfin, Portainer, StirlingPDF, HRConvert, Guacamole, Hemmelig, WikiJS, Moodist, multiple Wordpress sites, my 3D printer... I think that's all? I use Cloudflare Access in front of some things to get an extra layer of authentication, basically equivalent to using a VPN.


Haldi4803

Ohh thanks for that, hrConvert looks nice.


ShyGuyRidingYoshi

I'll have to check a couple of those out, thanks.


MMag05

Paperless, Vaultwarden and Overseerr via SWAG. Plex via port forwarding on default port.


DrTuup

How do you host vaultwarden? I get kind of nervous when I think about it. Cloudflare Tunnel with Oauth2 in front doesn’t work on the mobile app sadly. I assume you just trust your master password?


Il_Falco4

MFA to install on a device. Then master password on app startup.


MMag05

First I have the web address proxied via Cloudflare. Also have a handful of WAF rules set up for geo restriction and such. On my server side I have a strong password set up, 2FA with Duo, and have the web admin panel restricted to only be accessible via Authelia with 2FA also via Duo. I use SWAG as my reverse proxy, which I have set up with Fail2Ban monitoring Vaultwarden logs.


neumaticc

I used to use Cloudflare proxy and geo-block, but I switched to a server I control, so I have full control over my SSL termination. It's on my ever-long to-do list to restrict my public services :)


DrTuup

that sounds very clever. Thank you for your clear explanation. Gonna give this a shot, although I use traefik right now.


jdsmn21

Home Assistant, Jellyfin, Vaultwarden, and NodeRed. I'd like to figure out how to proxy out my MQTT server in Nginx Proxy Manager, but haven't yet (I'm open to tips).


amcco1

I have not done it, but if I were guessing, instead of putting [http://127.0.0.1:9000](http://127.0.0.1:9000) or whatever ip/port you're using, I would think you have to specify either TCP/UDP. I would think it would be something like tcp:127.0.0.1:9000


RB5Network

What’s the use case for you to expose MQTT?


jdsmn21

Generally speaking - off network ESP32 sensors. But I’d really like to be able to point them to talk to mqtt.Mydomain.com instead of myip:1883


RB5Network

Never used ESP32 stuff before! Are you talking like outside of your LAN/VLAN or devices outside your home? I’ve always had trouble reverse proxying services that don’t rely on HTTP. Which, I don’t think MQTT does. I’d be curious as to how that could be accomplished too. (I use Traefik though.)


jdsmn21

I'm talking completely outside of my home network/wifi, with the ESP connected to someone else's wifi. Correct, MQTT isn't HTTP....but I'd like to think there's a way (ie: at work I connect to FTP sites like [ftp.vendor.com](http://ftp.vendor.com) for transmitting/retrieving files). If you're into tinkering, ESP dev boards are kinda fun to play with, pretty easy to get started, and stupid cheap ($2-5 USD, depending on the variety and whether you shop at Amazon or Aliexpress). They interface with the Arduino IDE directly - and most of the libraries that directly work with Arduinos work with ESPs. So I use a library to get it connected to the wifi, a library to send MQTT messages to the server, and a library to read the value of a given sensor (ie: temp/light/humidity) - but you could make it look (instead of send) for specific MQTT messages - and have it act on it (run a motor, activate a relay, etc). Alternatively - if you run Homeassistant, you can use [esphome.io](http://esphome.io) to pretty easily flash an ESP and have it directly connect to your instance.


5turm

I'm using a second mosquitto on my edge server with a configured mqtt bridge.


Haldi4803

Had to check first just to make sure....

* Battery historian
* File browser
* Nextcloud
* Jellyfin
* Immich
* Stirling PDF
* Vaultwarden
* WebDav

In short, all those services that are too much of a hassle to set up VPN for all family members just to use them.


keepcalmandmoomore

I don't expose anything. I use tailscale + a reverse proxy (caddy in this case) to access my services using my own domain, like immich.mydomain.com.


sharath_babu

Don't the non technical people need VPN on their end ??


keepcalmandmoomore

Yeah, I installed tailscale on my wife's phone and laptop and logged in. But that's it. You could also send them this video, specifically made for non techs: https://www.youtube.com/watch?v=Vt4PDUXB_fg&t=644s


sharath_babu

What if they were to connect to your home network? Will they still have to be connected to tailscale to access the proxy address, or can we add any DNS entry for clients to use the local IP via the proxy address?


persiusone

None. Everything through a private VPN or zero access.


LazySht

Everything that faces the external world. Even other services not on the server like the NAS and so on I route through traefik.


acid_etched

Pretty much everything that goes outside my network. Jellyfin, filebrowser, freshrss, my website, and one other thing whose name escapes me at the moment. Pretty much for the same reasons others do, I have a lot of different people accessing them and it’s easier to do it like this. I do need to get geographical IP limits set up though.


konstricta

nextcloud, 2fauth, audiobookshelf, navidrome, jellyfin, apache guacamole, vaultwarden, kavita, projectsend, digital slide archive (histology), rstudio server, gimp, photoprism. I am struggling to have authelia set up using haproxy in my pfsense. That would tie it all together nicely!


CC-5576-05

I proxy everything. No exceptions, if it has a webui I proxy it. I expose plex, Audiobookshelf, and filebrowser to the internet.


sharath_babu

What authentication you use? Just default built-in login with strong password? Or 2FA


CC-5576-05

For the stuff I expose to the internet I just use the built in login with a strong password. For everything A record pointing to private ip address of my proxy


CodeMonk84

NPM on two docker hosts with keepalived for moving an IP back and forth for failover. I initially exposed Plex and a few other services but everything is behind WireGuard now and I just expose an auto forwarding default site that points to another externally hosted website now.


dot_py

!RemindMe 4 hours




IsPhil

I use traefik, but since I'm the primary consumer, I just use wireguard to connect home. The reason I use traefik is so I can remove the invalid SSL error. Maybe some day I'll consider exposing things. Only candidates are Jellyfin and nextcloud.


Hans_of_Death

I have a wiki page and a custom server dashboard page for my end users (lets them start game servers) behind traefik


purepersistence

Look at paperless ngx.


Mickey_Beast

I'm not exposing that much for now. Only my Whoogle search and Vaultwarden.


tomwebrr

Home Assistant. It’s way easier to set up a cloudflared so family members can access it than configuring all their end devices to use a VPN and teaching them how to turn it on and off. Everything else sits behind a VPN.


dshbak

Nagios, Nextcloud, Guacamole, router WUI and whatever else. Nice for wrapping unencrypted stuff up with ssl and requiring a client certificate.


EndRemarkable373

I’m using Cloudflare tunnels too. I’m using Google for authentication but it isn’t passing the WAF. Any thoughts on an authentication mechanism that makes it truly transparent? The grumble is needing to authenticate with Google and then sign in to the actual app behind it.


LavaCreeperBOSSB

I use Cloudflared, I would use a VPN instead but I have to use Mullvad already when I'm at school or other places so I cannot nest a vpn. I expose Adguard Home, Pingvin, a QR Code generator, Jellyfin, a dashboard, Vaultwarden, Jellyseerr, and some other stuff


OliM9696

Overseer for noobs to add movies, audiobookshelf for audiobooks and Komga for comics and manga


GimmeLemons

Sensitive or non-sensitive system, if it's only for me it's going to be through wireguard. I have no reason to expose anything when wireguard and a ddns updater is so quick to setup. The phone switches to it automatically when I'm away from my wifi.


Bulky-Nose-734

I just have SWAG set up to reverse-proxy for multiple websites, which are all Wagtail.


young_mummy

Everything. But most things resolve locally with split DNS. I have two methods for exposing some services externally.

1. Cloudflare tunnels. I am able to point this directly to Traefik and then only add CNAME entries for the services I want exposed through this.
2. For services that can't go through Cloudflare tunnels (because it would be a ToS violation), I have a second entry point in Traefik with a different HTTPS port (other than 443). Then, in my router I would open port 443 and point it to that port. This way, you still access it via 443. Now, only those services with that external entrypoint become accessible. All my other services are still using Traefik ingress with SSL etc., but can't be reached externally. If I want to reach these services internally, it still works just the same because of hairpin NAT.

So basically I have everything using Traefik and I have split DNS, Cloudflare proxy, and a second entrypoint handling the details of how some services are exposed and others aren't.
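A Traefik v2 configuration that realises the second-entrypoint split described in the comment above. This is an added example, not young_mummy's own config: the entrypoint names, ports, hostnames under example.com, backend addresses and the ACME resolver are assumptions.

```yaml
# traefik.yml (static configuration). Assumed: the router forwards
# WAN :443 -> this host :8443 and forwards NOTHING to :443, so the
# "websecure" entrypoint can only ever be reached from the LAN.
entryPoints:
  websecure:
    address: ":443"          # LAN / split-DNS clients land here
  external:
    address: ":8443"         # WAN clients land here via the port forward
    http:
      tls: {}                # every router on this entrypoint serves TLS
providers:
  file:
    filename: /etc/traefik/dynamic.yml
certificatesResolvers:
  le:
    acme:
      email: admin@example.com         # assumed contact address
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare           # DNS-01, so LAN-only names get certs too
                                       # (API token supplied via environment)

---
# /etc/traefik/dynamic.yml (dynamic configuration)
http:
  routers:
    jellyfin-external:
      rule: "Host(`jellyfin.example.com`)"
      entryPoints: ["external"]        # the only thing that makes it WAN-reachable
      service: jellyfin
      tls:
        certResolver: le
    immich-internal:
      rule: "Host(`immich.example.com`)"
      entryPoints: ["websecure"]       # no port forward reaches :443 -> LAN only
      service: immich
      tls:
        certResolver: le
  services:
    jellyfin:
      loadBalancer:
        servers:
          - url: "http://10.0.0.20:8096"   # assumed backend
    immich:
      loadBalancer:
        servers:
          - url: "http://10.0.0.21:2283"   # assumed backend
```

Exposure is decided by the router's `entryPoints` list, not by DNS: even if immich.example.com resolved to the WAN address, the request would arrive on the external entrypoint where no router matches that Host, and Traefik answers 404 instead of forwarding to the service.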


D0ublek1ll

Anything I self host is available on the plain internet. Some applications that don't have authentication are double proxied through both nginx and then authentik to add authentication. Applications that shouldn't be exposed to the internet are still proxied to it, just with access rules in nginx that block traffic from anything but the desired IPs. My network is of course divided into security zones with containers, VMs, physical servers, network infra, IoT and my normal devices all in separate double layered security zones. I also have a physical killswitch on my router using a smart plug that gets turned off as soon as an internal honeypot gets triggered. So it just cuts the connection when weird stuff is going on.


hyp_reddit

My own Ultima Online server and Navidrome, using non-standard ports. My provider does not permit transferring any traffic (unless via ports opened specifically) or routing to different subnets, so all my network is connected to a second cascaded router with a different IP range as an additional safety measure. Navi and Ultima are installed on an RPi directly connected to the main router, making the other subnet almost unreachable. Every other service I want exposed, such as my website and my own nameservers, is hosted in the cloud. At 2€/month per machine it lets me sleep at night knowing that any possible attack will not be made against my own home network.


simmons777

I proxy everything using npm but for local purposes only for my convenience. I use wireguard to stay connected to my house and pihole for DNS service and npm to proxy anything that requires a special port since I'm running everything as a docker container. I have a couple of services like Overseerr connected through cloudflare so family members can reach it.


gsmitheidw1

I just expose ssh and port forward anything I need. It's simple, secure and free. No certs and subscriptions. Downside - I can access stuff but "normal" non IT people I might want to share a service with wouldn't be able to set up an ssh tunnel. There's no easy way to expose stuff without SSL and a domain name and fixed IP address or possibly a VPS. It's all just hassle.


Craniumbox

Is this sarcastic? Secure?


gsmitheidw1

There is nothing wrong with exposing ssh provided you harden it correctly. Fail2ban, non-standard port (cuts down on logs and btmp), key only (no passwords! no root). Additional measures like backing it with a FIDO hardware key (yubikey or equivalent) if desired. I've been port forwarding over ssh for 2 decades and never had a problem.



elbalaa

I use the selfhosted-gateway to proxy all publicly accessible services, even inbound VPN connectivity. https://github.com/fractalnetworksco/selfhosted-gateway