Looking for feedback on simplifying self hosting
from sem@lemmy.blahaj.zone to selfhosted@lemmy.world on 07 Nov 2024 15:10
https://lemmy.blahaj.zone/post/18332361

Hi all,

I started self hosting nextcloud only. Now I have a domain name and I would like to selfhost more services and websites on subdomains without having to open up more ports on my router.

  1. Is it reasonable to use a reverse proxy server to avoid opening up more ports?
  2. Can I use a reverse proxy manager that simplifies SSL certs, etc?
  3. Can I put the HTTP/HTTPS services behind a reverse proxy, behind a free cloudflare DNS proxy to mask my IP address?
  4. And put other non-http services on the real IP address.
  5. Will all of this be more prone to failure and slow compared to forwarding 443 and 80 directly to my nextcloud server?

The other services I would like to eventually host and have accessible externally are

I’m hoping to use Yunohost on a RPI to simplify hosting a lot of these things.

Here’s my plan where I’m looking for feedback. Am I missing any steps? Are my assumptions correct?

  1. Install reverse proxy on yunohost; configure cloudflare DNS and freedns.afraid.org to point towards the reverse DNS server.
  2. Configure the reverse DNS to redirect various subdomains to

I have not been able to find good documentation about how to configure the yunohost reverse proxy, or how to deal with HTTP headers, or have correct certificates on all the subdomains as well as the reverse proxy. Looking for advice on how to move forward and/or simplify this setup.

#selfhosted


anamethatisnt@lemmy.world on 07 Nov 2024 15:38

I’d look at wireguard / tailscale / headscale and hide your services behind a vpn

redbr64@lemmy.world on 07 Nov 2024 15:57

Yeah, what @anamethatisnt@lemmy.world suggested is definitely the easiest thing and super practical - I got family members on my tailnet for this purpose. I am however now also looking into some kind of tunneled, reverse proxied and authenticated way to expose a few of my services to other friends where I don’t want to have to put them on tailscale or potentially expose them to more than needed via that route.

I haven’t started yet, but I am updating my network set up soon to install a dedicated OPNsense router as the edge for my network. From there, the plan is to have a cloudflare tunnel that accesses some of these services via a caddy reverse proxy, with Authelia for authentication. That’s the part I have studied enough to feel confident I can do. I am a little weaker on the networking aspects of this, which is where I need to study some more - like isolating those services that are exposed in my network, while still giving them access to some other needed resources within it, etc.

BearOfaTime@lemm.ee on 07 Nov 2024 16:27

Tailscale has the Funnel feature, which can funnel traffic into your Tailscale net for you.

redbr64@lemmy.world on 07 Nov 2024 16:35

Ooooh that looks interesting. I haven’t messed around much with tailscale since I set it up a few years back and hadn’t noticed this. Funny, I was just the other day wondering if they might have something like that, but didn’t look it up. Thanks!

tyler@programming.dev on 07 Nov 2024 15:57

There’s a good document from the SWAG reverse proxy that explains it all. I reverse proxy everything on my unraid server through swag and have for years.

hendrik@palaver.p3x.de on 07 Nov 2024 16:12

Check out yunohost.org (and similar projects) if you're in for a turnkey solution.

But yes, a reverse proxy that does all the work and handles SSL is a nice solution. I also use that. It's relatively easy to set up, doesn't really slow down anything and makes a lot of stuff easier to manage.

I use NGinx, but Caddy or Traefik will do the same. And I don't use Cloudflare, so I can't comment on that.

And btw, Jitsi-Meet is going to require some more dedicated ports for the WebRTC, STUN, etc.

abeorch@lemmy.ml on 07 Nov 2024 17:01

I'm just new with yunohost.org but it does seem to make installing applications very simple. Users, email, reverse proxy.

macstainless@discuss.tchncs.de on 07 Nov 2024 16:24

Yes this is possible. I have a few hosted items with subdomains and I have it set up as follows:

All subdomains point to the same IP. Router port forwards all 80/8080 traffic to server. I use Caddy in Docker to forward the requests based on the subdomain to the appropriate docker container hosting the actual service.

This makes spinning up something new simple. You get a docker container of New Thing going, edit the CaddyFile to point to it too, set up new subdomain in cloudflare. No new open ports needed.

Hope this helps!

sem@lemmy.blahaj.zone on 08 Nov 2024 12:31

Thanks, this is definitely the way I would like to go!

  1. Can Caddy forward requests to other machines on the LAN?
  2. Have you ever had to mess with HTTP headers?
  3. Do the docker containers have to get certificates from let’s encrypt, or is caddy the only part that needs to manage a wildcard certificate?

macstainless@discuss.tchncs.de on 08 Nov 2024 15:50

  1. I think it can, you just need to give it the machine’s name or local IP and the port.
  2. Nope!
  3. Caddy handles all certs from LE and renews them for you too. Nothing you need to do on your own.
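The subdomain-to-container routing macstainless describes, together with the HTTP header question raised in the reply, as an added example that is not Caddy's code and not from this thread. It shows what one Caddy site block does for each subdomain: normalize the Host header, pick the upstream, refuse unknown hosts instead of falling through to a default backend, and set the X-Forwarded-* headers the application behind the proxy relies on. The upstream map, container addresses and the trusted-proxy range are constructed placeholders.

```python
"""Host-header dispatch and forwarded headers for an HTTP reverse proxy.

Added example, not Caddy's code: it shows what a Caddy site block does when it
routes a subdomain to a container, and which headers the upstream app sees.
The upstream map, addresses and trusted-proxy range are constructed."""
from ipaddress import ip_address, ip_network

# Constructed subdomain -> upstream map, the equivalent of one Caddyfile site block each
UPSTREAMS = {
    "cloud.example.com": "http://10.0.0.10:8080",   # Nextcloud container
    "blog.example.com": "http://10.0.0.11:8000",    # blog container
}

# Peers whose X-Forwarded-For we believe, e.g. a DNS proxy such as Cloudflare in front of us
# (placeholder range; a real config uses the proxy's published ranges)
TRUSTED_PROXIES = [ip_network("203.0.113.0/24")]


def normalize_host(host_header):
    """Lower-case the Host value and strip port and trailing dot; None if unusable."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):            # IPv6 literal: never one of our vhosts
        return None
    host = host.split(":", 1)[0].rstrip(".")
    return host or None


def select_upstream(host_header):
    """Pick the upstream for a Host header, or None when no site block matches."""
    host = normalize_host(host_header)
    return UPSTREAMS.get(host) if host else None


def forwarded_headers(request_headers, peer_ip, scheme):
    """Headers handed to the upstream. X-Forwarded-For is only extended when the
    peer is a trusted proxy; otherwise a client-supplied value is dropped so the
    app cannot be fooled about the real client address."""
    peer = ip_address(peer_ip)
    trusted = any(peer in net for net in TRUSTED_PROXIES)
    upstream_xff = request_headers.get("X-Forwarded-For") if trusted else None
    xff = f"{upstream_xff}, {peer_ip}" if upstream_xff else peer_ip
    return {
        "Host": request_headers.get("Host", ""),   # unchanged, so the app builds correct absolute URLs
        "X-Forwarded-For": xff,
        "X-Forwarded-Proto": scheme,
        "X-Forwarded-Host": normalize_host(request_headers.get("Host")) or "",
    }


def dispatch(request_headers, peer_ip, scheme="https"):
    """Return (status, upstream, headers). Unknown hosts get 421 rather than a catch-all backend."""
    upstream = select_upstream(request_headers.get("Host"))
    if upstream is None:
        return 421, None, None
    return 200, upstream, forwarded_headers(request_headers, peer_ip, scheme)


if __name__ == "__main__":
    # Constructed requests: a direct client, a client spoofing X-Forwarded-For, and a trusted proxy
    print(dispatch({"Host": "Cloud.Example.com:443"}, "198.51.100.7"))
    print(dispatch({"Host": "cloud.example.com", "X-Forwarded-For": "1.2.3.4"}, "198.51.100.7"))
    print(dispatch({"Host": "cloud.example.com", "X-Forwarded-For": "198.51.100.7"}, "203.0.113.5"))
    print(dispatch({"Host": "unknown.example.com"}, "198.51.100.7"))
```

The header handling is where the "do I have to mess with headers" question usually bites: the proxy terminates TLS, so the application only learns it is being served over HTTPS from X-Forwarded-Proto, and only learns the real client address from X-Forwarded-For. Nextcloud reads both, and expects the proxy's address in `trusted_proxies` and the public scheme in `overwriteprotocol` in its config.php, alongside the subdomain in `trusted_domains`; without those it may generate http:// links or log the proxy's address as every client. Only the proxy needs a certificate; the containers behind it speak plain HTTP on the internal network, which is what the reply above describes.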

just_another_person@lemmy.world on 07 Nov 2024 16:45

You seem pretty focused on reverse proxies for some reason, but that isn’t security. An alternative is a VPN into your network. Simple solution that solves all of your asks if you don’t need many people accessing your services.

sem@lemmy.blahaj.zone on 08 Nov 2024 12:26

I would like to use tailscale for some services, but the ones I access from public computers, like nextcloud or blog hosting, can’t be behind a VPN.

I would love the Synology to Synology backup to be behind the VPN, but I’m not sure I’ll be able to get it working, so that is lower down on my list.

Things like Jitsi would be cool to have behind the vpn, but then I’d have to get everyone to install tailscale on their phones and configure access, so that’s going to be too complicated for me and my family unfortunately.

possiblylinux127@lemmy.zip on 08 Nov 2024 16:06

Why wouldn’t you just use Nextcloud talk?

At least with Nextcloud there is a free security scan you can use hosted by the Nextcloud company

sem@lemmy.blahaj.zone on 09 Nov 2024 12:09

My nextcloud raspberry pi server used to crash when it tried to do anything difficult, like open too many photos in a row. I adjusted some settings to try and keep it from running out of memory, but I’m not a very skilled sysadmin, and I’m using nextcloudpi now which adds another layer of abstraction in an attempt to have saner defaults.

possiblylinux127@lemmy.zip on 09 Nov 2024 17:40

Nextcloud needs enough ram to work correctly. I wouldn’t run it on a raspberry pi.

When Nextcloud is idling it doesn’t need much, but as soon as you start heavily using it or it does background maintenance you are going to want more ram. The latest version fixed a lot of the high ram usage for me but it still isn’t lightweight. Also for Jitsi you are going to have the same problem as it needs lots of ram as well.

For me personally I found Nextcloud Talk to be very good and I’ve used it for meetings. You need to be aware of performance considerations but other than that I would say it is straightforward and easy to use.

sem@lemmy.blahaj.zone on 10 Nov 2024 11:26

In an ideal world I’d host on an Intel nuc or similar, but for the time being a raspberry pi 4 is all I can afford.

I think you’re right, it was running out of ram before. It hasn’t done that since I’ve moved to nextcloudpi, thankfully.

I have a separate raspi 4 with yunohost that was slated for other experimental purposes, like Jitsi, but I’m still early in that process.

possiblylinux127@lemmy.zip on 10 Nov 2024 16:47

Obviously you can’t help it now but going forward old enterprise machines on eBay tend to be a better deal. About the same cost but better performance and upgradability.

The downside is that you are dealing with older hardware which could have problems if it is really beat up.

sem@lemmy.blahaj.zone on 10 Nov 2024 18:07

Thanks for the recommendation! Are there eBay search terms I should know? Used PC workstation?

variants@possumpat.io on 07 Nov 2024 18:03

You can also run a free cloudflare tunnel. It’s what I use so I don’t have to open a port for my nextcloud but still want it to be able to sync to my phone while not on vpn.

sem@lemmy.blahaj.zone on 08 Nov 2024 12:37

Interesting, I already use cloudflare DNS and had “proxy” turned on for nextcloud, but I still had to open 80 and 443 on my router, so I’ll look up how to set up the free tunnel sometime.

k4j8@lemmy.world on 07 Nov 2024 19:16

If you decide to not go the YunoHost route, I like the way this guide did reverse proxies with Caddy: github.com/DoTheEvo/selfhosted-apps-docker.

azron@lemmy.ml on 07 Nov 2024 20:48

Caddy is the answer. Makes running a reverse proxy with certs totally straightforward.

sem@lemmy.blahaj.zone on 08 Nov 2024 12:32

Thank you, this looks like a great guide

sugar_in_your_tea@sh.itjust.works on 07 Nov 2024 21:10

Lots of options. Here’s what I do:

  1. HAProxy - uses SNI to match an HTTPS request to a service, without decrypting the connection
  2. Caddy - manages TLS certificates, decrypts connections, and sends the request to the relevant service
  3. Docker - each service runs in a docker container on the host
  4. my router has static DNS entries for each of my subdomains, so I can do service.mydomain.com, and my traffic never leaves my LAN when I’m at home

I have HAProxy running on my VPS (Hetzner), and it routes traffic over my WireGuard VPN to whatever physical device on my internal network handles that service (i.e. 2). This allows me to add devices to my network as needed, and TLS certs all live on that device.

This is probably overkill for your setup since it sounds like you can talk to your home router from the internet (I can’t because I’m behind CGNAT), so you could drop #1 and just use Caddy, assuming you’re okay with having all traffic handled by a single device. Or you can see if your router supports SNI-based routing to handle what I’m using HAProxy for.

If you don’t need to share your services w/ anyone, you can have everything live inside of a VPN and just access it via that VPN. You can look into Tailscale if you want something dead simple, and I think Cloudflare offers something similar. I started with that, but decided I wanted to share a number of services with family members, and I didn’t want to force each of them to configure my VPN.
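The HAProxy step in the setup above, routing an HTTPS connection by SNI without decrypting it, as an added example that is not HAProxy's code and not from this thread. The server name a browser wants is sent in clear text inside the TLS ClientHello, so a TCP-mode proxy can read it, choose a backend, and pass the still-encrypted bytes on; the TLS certificate and the decryption stay on the Caddy host behind it. The backend map, host names and the ClientHello builder are constructed for this example.

```python
"""SNI-based routing without decryption, the HAProxy step described above.

Added example (not HAProxy code): parse the server_name extension out of a TLS
ClientHello and map it to a backend name. The backend map, host names and the
ClientHello builder are constructed for this example."""
import struct

# Constructed map of SNI host -> backend name
BACKENDS = {
    "cloud.example.com": "caddy_nextcloud",
    "blog.example.com": "caddy_blog",
}


def extract_sni(record: bytes):
    """Return the lower-cased server_name from a TLS ClientHello record, or None."""
    try:
        # TLS record header: content type 0x16 (handshake), 2-byte version, 2-byte length
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        # Handshake header: type 0x01 (ClientHello), 3-byte length
        if body[0] != 0x01:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        pos = 2 + 32                                            # legacy_version + random
        pos += 1 + hello[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                                   # compression_methods
        if pos + 2 > len(hello):
            return None                                         # no extensions at all
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0:                                   # 0 = server_name; skip the rest
                continue
            # server_name_list: 2-byte list length, then (name_type, 2-byte length, name) entries
            lpos = 2
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + name_len]
                if name_type == 0 and len(name) == name_len:    # 0 = host_name
                    return name.decode("ascii", "replace").lower().rstrip(".")
                lpos += 3 + name_len
        return None
    except (IndexError, struct.error):
        return None                                             # truncated or malformed: treat as no SNI


def route(record: bytes):
    """Backend name for a ClientHello, or None. Missing or unknown SNI fails closed:
    there is deliberately no default backend that would receive arbitrary traffic."""
    sni = extract_sni(record)
    return BACKENDS.get(sni) if sni else None


def build_client_hello(server_name=None) -> bytes:
    """Constructed test fixture: a minimal ClientHello, with an unrelated extension
    placed before server_name so the parser has to skip it. Not a real TLS client."""
    exts = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"          # supported_versions: TLS 1.3
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # host_name entry
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list
    hello = (b"\x03\x03" + b"\x00" * 32                         # legacy_version + random
             + b"\x00"                                          # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite
             + b"\x01\x00"                                      # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for name in ("cloud.example.com", "Blog.Example.com.", "unknown.example.net", None):
        print(name, "->", route(build_client_hello(name)))
```

The routing decision is the same one a TCP-mode HAProxy frontend makes with the `req.ssl_sni` fetch after waiting for the ClientHello. Two things worth keeping: the SNI is only a hint about where the client wants to go, so the backend still validates the Host header itself, and a connection with no SNI or an unrecognised name should be dropped rather than sent to a default backend, otherwise scanners hitting the VPS by IP address land on whatever service happens to be first in the list.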

sem@lemmy.blahaj.zone on 08 Nov 2024 12:35

Thanks for the information. I will have to look into SNI and see if my router can support it – if I move someday to an ISP behind a more restrictive firewall, this system looks pretty good. (Or if I get unhappy with one reverse proxy handling everything).

possiblylinux127@lemmy.zip on 08 Nov 2024 16:05

I would avoid exposing services to the internet especially in a home network. I would look into Tailscale.

sem@lemmy.blahaj.zone on 09 Nov 2024 12:04

In a perfect world I would do this, but for nextcloud at least, I have to be able to access it from public computers where I cannot install and configure tailscale.

Sometimes I want to share services with friends and family too.

And Synology support for tailscale sounds like it’s finicky unfortunately.

possiblylinux127@lemmy.zip on 09 Nov 2024 17:42

Don’t access Nextcloud from public computers as that is very bad for security.

If you must expose it to the internet I would strongly recommend all of the hardening stuff and isolating the deployment to its own vlan with limited access. Remember to follow least privilege and defense in depth. You can find more information on these two concepts online. Account for two pieces of software having serious security issues. (Thus have multiple layers an attacker needs to bypass plus monitoring)

sem@lemmy.blahaj.zone on 09 Nov 2024 12:11

Thank you everyone for the suggestions, I learned a lot and I’ll continue to check back also.