Ancestors

Toot

Written by sem@lemmy.blahaj.zone on 2024-11-07 at 15:10

Looking for feedback on simplifying self hosting

https://lemmy.blahaj.zone/post/18332361

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Descendants

Written by sem@lemmy.blahaj.zone on 2024-11-09 at 12:11

Thank you, everyone, for the suggestions. I learned a lot and I’ll continue to check back also.

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Written by anamethatisnt@lemmy.world on 2024-11-07 at 15:38

I’d look at WireGuard / Tailscale / Headscale and hide your services behind a VPN.

=> More information about this toot | More toots from anamethatisnt@lemmy.world

Written by tyler@programming.dev on 2024-11-07 at 15:57

There’s a good document from the SWAG reverse proxy that explains it all. I reverse proxy everything on my Unraid server through SWAG and have for years.

=> More information about this toot | More toots from tyler@programming.dev

Written by dave@hal9000 on 2024-11-07 at 15:57

Yeah, what @anamethatisnt@lemmy.world suggested is definitely the easiest thing and super practical - I got family members on my tailnet for this purpose. I am however now also looking into some kind of tunneled, reverse proxied and authenticated way to expose a few of my services to other friends where I don’t want to have to put them on tailscale or potentially expose them to more than needed via that route.

I haven’t started yet, but I am updating my network setup soon to install a dedicated OPNsense router as the edge for my network. From there, the plan is to have a Cloudflare tunnel that accesses some of these services via a Caddy reverse proxy, with Authelia for authentication. That’s the part I have studied enough to feel confident I can do. I am a little weaker on the networking aspects of this, which is where I need to study some more - like isolating those services that are exposed in my network, while still giving them access to some other needed resources within it, etc.

=> More information about this toot | More toots from redbr64@lemmy.world

Written by BearOfaTime@lemm.ee on 2024-11-07 at 16:27

Tailscale has the Funnel feature, which can funnel traffic into your Tailscale net for you.

=> More information about this toot | More toots from BearOfaTime@lemm.ee

Written by dave@hal9000 on 2024-11-07 at 16:35

Ooooh that looks interesting. I haven’t messed around much with tailscale since I set it up a few years back and hadn’t noticed this. Funny, I was just the other day wondering if they might have something like that, but didn’t look it up. Thanks!

=> More information about this toot | More toots from redbr64@lemmy.world

Written by hendrik on 2024-11-07 at 16:12

Check out yunohost.org (and similar projects) if you’re in for a turnkey solution.

But yes, a reverse proxy that does all the work and handles SSL is a nice solution. I also use that. It’s relatively easy to set up, doesn’t really slow down anything and makes a lot of stuff easier to manage.

=> More information about this toot | More toots from hendrik@palaver.p3x.de

Written by abeorch@lemmy.ml on 2024-11-07 at 17:01

I’m just new with yunohost.org but it does seem to make installing applications very simple.

Users, email, reverse proxy.

=> More information about this toot | More toots from abeorch@lemmy.ml

Written by macstainless@discuss.tchncs.de on 2024-11-07 at 16:24

Yes this is possible. I have a few hosted items with subdomains and I have it set up as follows:

All subdomains point to the same IP. Router port forwards all 80/8080 traffic to server. I use Caddy in Docker to forward the requests based on the subdomain to the appropriate docker container hosting the actual service.

This makes spinning up something new simple. You get a Docker container of New Thing going, edit the Caddyfile to point to it too, set up a new subdomain in Cloudflare. No new open ports needed.

Hope this helps!

=> More information about this toot | More toots from macstainless@discuss.tchncs.de
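An added Caddyfile sketch of the layout this post describes (example configuration written for this thread, not the poster’s own). It assumes the containers are named nextcloud, blog and jellyfin on the same Docker network as Caddy, that example.com and its subdomains are placeholders for your own names, and that the router forwards both 80 and 443 to the Caddy host (80 is what the ACME HTTP challenge uses for certificate issuance and renewal). The LAN-only block also assumes requests reach Caddy directly; behind Cloudflare’s proxy the remote IP would be Cloudflare’s, not the visitor’s.

```caddyfile
# Example Caddyfile for subdomain-based routing to Docker containers.
# Hypothetical names throughout: example.com, admin@example.com, container names.
{
    email admin@example.com   # ACME contact used for automatic TLS certificates
}

# Reusable hardening snippet, imported by every site below.
(secure_headers) {
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        Referrer-Policy strict-origin-when-cross-origin
        -Server
    }
}

# Public services: reachable from anywhere, e.g. from a public computer.
# Caddy obtains and renews the certificate for each hostname on its own.
nextcloud.example.com {
    import secure_headers
    encode gzip
    reverse_proxy nextcloud:80
}

blog.example.com {
    import secure_headers
    encode gzip
    reverse_proxy blog:8080
}

# Household-only service: same proxy and certificate handling, but only
# LAN (192.168.1.0/24, assumed) and Tailscale (100.64.0.0/10) source
# addresses are let through; everyone else gets a 403 before the request
# ever reaches the container.
jellyfin.example.com {
    import secure_headers
    @outside not remote_ip 192.168.1.0/24 100.64.0.0/10
    respond @outside 403
    reverse_proxy jellyfin:8096
}
```

Adding a service is then one more site block plus a DNS record; no new router port is opened, which is the property the post is pointing at.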

Written by sem@lemmy.blahaj.zone on 2024-11-08 at 12:31

Thanks, this is definitely the way I would like to go!

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Written by macstainless@discuss.tchncs.de on 2024-11-08 at 15:50

=> More information about this toot | More toots from macstainless@discuss.tchncs.de

Written by just_another_person@lemmy.world on 2024-11-07 at 16:45

You seem pretty focused on reverse proxies for some reason, but that isn’t security. An alternative is a VPN into your network. Simple solution that solves all of your asks if you don’t need many people accessing your services.

=> More information about this toot | More toots from just_another_person@lemmy.world

Written by sem@lemmy.blahaj.zone on 2024-11-08 at 12:26

I would like to use Tailscale for some services, but the ones I access from public computers, like Nextcloud or blog hosting, can’t be behind a VPN.

I would love the Synology to Synology backup to be behind the VPN, but I’m not sure I’ll be able to get it working, so that is lower down on my list.

Things like Jitsi would be cool to have behind the VPN, but then I’d have to get everyone to install Tailscale on their phones and configure access, so that’s going to be too complicated for me and my family unfortunately.

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Written by Possibly linux on 2024-11-08 at 16:06

Why wouldn’t you just use Nextcloud talk?

=> More information about this toot | More toots from possiblylinux127@lemmy.zip

Written by sem@lemmy.blahaj.zone on 2024-11-09 at 12:09

My Nextcloud Raspberry Pi server used to crash when it tried to do anything difficult, like open too many photos in a row. I adjusted some settings to try and keep it from running out of memory, but I’m not a very skilled sysadmin, and I’m using NextcloudPi now, which adds another layer of abstraction in an attempt to have saner defaults.

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Written by Possibly linux on 2024-11-09 at 17:40

Nextcloud needs enough RAM to work correctly. I wouldn’t run it on a Raspberry Pi.

When Nextcloud is idling it doesn’t need much, but as soon as you start heavily using it or it does background maintenance you are going to want more RAM. The latest version fixed a lot of the high RAM usage for me, but it still isn’t lightweight. Also for Jitsi you are going to have the same problem, as it needs lots of RAM as well.

For me personally I found Nextcloud Talk to be very good and I’ve used it for meetings. You need to be aware of performance considerations, but other than that I found it straightforward and easy to use.

=> More information about this toot | More toots from possiblylinux127@lemmy.zip

Written by sem@lemmy.blahaj.zone on 2024-11-10 at 11:26

In an ideal world I’d host on an Intel NUC or similar, but for the time being a Raspberry Pi 4 is all I can afford.

I think you’re right, it was running out of RAM before. It hasn’t done that since I’ve moved to NextcloudPi, thankfully.

I have a separate Raspberry Pi 4 with YunoHost that was slated for other experimental purposes, like Jitsi, but I’m still early in that process.

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Written by Possibly linux on 2024-11-10 at 16:47

Obviously you can’t help it now but going forward old enterprise machines on eBay tend to be a better deal. About the same cost but better performance and upgradability.

The downside is that you are dealing with older hardware which could have problems if it is really beat up.

=> More information about this toot | More toots from possiblylinux127@lemmy.zip

Written by sem@lemmy.blahaj.zone on 2024-11-10 at 18:07

Thanks for the recommendation! Are there eBay search terms I should know? Used PC workstation?

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Written by variants@possumpat.io on 2024-11-07 at 18:03

You can also run a free Cloudflare tunnel. It’s what I use so I don’t have to open a port for my Nextcloud but still want it to be able to sync to my phone while not on VPN.

=> More information about this toot | More toots from variants@possumpat.io

Written by sem@lemmy.blahaj.zone on 2024-11-08 at 12:37

Interesting, I already use Cloudflare DNS and had “proxy” turned on for Nextcloud, but I still had to open 80 and 443 on my router, so I’ll look up how to set up the free tunnel sometime.

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Written by k4j8@lemmy.world on 2024-11-07 at 19:16

If you decide to not go the YunoHost route, I like the way this guide did reverse proxies with Caddy: github.com/DoTheEvo/selfhosted-apps-docker.

=> More information about this toot | More toots from k4j8@lemmy.world

Written by azron on 2024-11-07 at 20:48

Caddy is the answer. Makes running a reverse proxy with certs totally straightforward.

=> More information about this toot | More toots from azron@lemmy.ml

Written by sem@lemmy.blahaj.zone on 2024-11-08 at 12:32

Thank you, this looks like a great guide.

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Written by sugar_in_your_tea@sh.itjust.works on 2024-11-07 at 21:10

Lots of options. Here’s what I do:

I have HAProxy running on my VPS (Hetzner), and it routes traffic over my WireGuard VPN to whatever physical device on my internal network handles that service (i.e. 2). This allows me to add devices to my network as needed, and TLS certs all live on that device.

This is probably overkill for your setup since it sounds like you can talk to your home router from the internet (I can’t because I’m behind CGNAT), so you could drop #1 and just use Caddy, assuming you’re okay with having all traffic handled by a single device. Or you can see if your router supports SNI-based routing to handle what I’m using HAProxy for.

If you don’t need to share your services w/ anyone, you can have everything live inside of a VPN and just access it via that VPN. You can look into Tailscale if you want something dead simple, and I think Cloudflare offers something similar. I started with that, but decided I wanted to share a number of services with family members, and I didn’t want to force each of them to configure my VPN.

=> More information about this toot | More toots from sugar_in_your_tea@sh.itjust.works

Written by sem@lemmy.blahaj.zone on 2024-11-08 at 12:35

Thanks for the information. I will have to look into SNI and see if my router can support it – if I move someday to an ISP behind a more restrictive firewall, this system looks pretty good. (Or if I get unhappy with one reverse proxy handling everything).

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Written by Possibly linux on 2024-11-08 at 16:05

I would avoid exposing services to the internet especially in a home network. I would look into Tailscale.

=> More information about this toot | More toots from possiblylinux127@lemmy.zip

Written by sem@lemmy.blahaj.zone on 2024-11-09 at 12:04

In a perfect world I would do this, but for Nextcloud at least, I have to be able to access it from public computers where I cannot install and configure Tailscale.

Sometimes I want to share services with friends and family too.

=> More information about this toot | More toots from sem@lemmy.blahaj.zone

Written by Possibly linux on 2024-11-09 at 17:42

Don’t access Nextcloud from public computers as that is very bad for security.

If you must expose it to the internet I would strongly recommend all of the hardening stuff and isolating the deployment to its own vlan with limited access. Remember to follow least privilege and defense in depth. You can find more information on these two concepts online.

=> More information about this toot | More toots from possiblylinux127@lemmy.zip

Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113442308127797166