Selfhosted

56856 readers

819 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

How do I access my services from outside? (lemmy.world)

submitted 1 day ago by leaf_skeleton@lemmy.world to c/selfhosted@lemmy.world

38 comments fedilink hide all child comments

Hey all,

I'm setting up a homeserver and trying to figure out the best way to access it remotely. I've been looking at different solutions, but I’m a little stuck.

I’ve been looking at VPNs, but it feels weird, to route everything through my home IP when I’m also trying to use a commercial VPN for privacy / to combat services fingerprinting me based on my IP.

I'm currently considering a reverse proxy setup with an authentication provider like authentik or authelia, but as far as I understand, that wouldn't work well with accessing services through an app on my mobile device (like for jellyfin music for example.) I did think about just opening up the ports and using a DDNS with a reverse proxy, but is'nt that like a big security risk?

Keep in mind I am no network admin, but I don’t have anything against learning if someone can point me in the right direction.

Also I heard some people say that on proxmox you should use unprivileged containers instead of vms for your services, does that hold up?

Any recommendations for tools or approaches?

you are viewing a single comment's thread
view the rest of the comments

[–] ohshit604@sh.itjust.works 7 points 1 day ago* (last edited 1 day ago) (1 children)

I’ve been looking at VPNs, but it feels weird, to route everything through my home IP when I’m also trying to use a commercial VPN for privacy / to combat services fingerprinting me based on my IP.

My ASUS WRT router (running Merlin Firmware) forwards my Home WireGuard VPN server through one of my Proton VPN clients, I get all the added bonuses of being connected to my home network, utilizing my PiHole an such, while benefiting from appearing across the world.

I'm currently considering a reverse proxy setup with an authentication provider like authentik or authelia, but as far as I understand, that wouldn't work well with accessing services through an app on my mobile device (like for jellyfin music for example.)

This is correct, you cannot host an authentication service in front of Jellyfin’s proxy otherwise the Jellyfin Media Player will not connect to your server however, there is a Jellyfin SSO plugin for authentication which is what I use and I disabled the manual login form via CSS but be warned if you take this route that the CSS can be re-enabled on the login screen using your browsers element inspect, I wish you can disable it outright but it’s heavily baked into Jellyfin from what I’ve read.

I suggest setting up a IP-Blacklist for Jellyfin and only whitelisting the known IP’s.

[–] Scrollone@feddit.it 2 points 20 hours ago (1 children)

Sorry to burst your bubble, but removing the login form via CSS is just a cosmetic effect and it doesn't have any effect on your security, since bots will try to brute force the login directly using the login endpoint.

[–] ohshit604@sh.itjust.works 2 points 19 hours ago* (last edited 19 hours ago)

Oh I am fully aware it just cosmetic, that’s why I added this line In my original comment:

but be warned if you take this route that the CSS can be re-enabled on the login screen using your browsers element inspect

hence why I also suggest just outright blacklisting all IP’s and only whitelisting the known few at the reverse proxy level.