Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
Reverse proxy with CrowdSec, which has setups specifically for Jellyfin. Docker for everything.
Now that's interesting, what is the purpose of the reverse proxy, don't you still need something exposed then?
The reverse proxy is the part that's exposed. CrowdSec watches the logs for intrusion attempts like fail2ban would.
A reverse proxy saves you from having to expose your services directly and acts as a go-between.
Internet <--> Reverse Proxy <--> ServiceRight, but what exactly does the reverse proxy do to stop intrusion?
Crowdsec is what stops the intrusion.
Crowdsec won't protect against a security vulnerability
It will if it detects the requests and blocks them
Only if it is from a known bad IP
Also the vulnerability may be in something needed for client functionality.
Think of it as more modular.
I personally used Traefik, but only because I'm a masochist and it would be useful to know in IT workplace.
Traefik + CrowdSec + CowdSec Traefik Bouncer.
Traefik handles the traffic, and said traffic has to get a green light from CrowdSec + Bouncer before it can go anywhere.
The concept of CrowdSec is honestly super awesome.
Is Taefik really that good? It seems crazy complex
It's designed to scale. Plus it's nifty to be able to add ~3 tags to a docker container and then it's instantly online and ready to be used.
It protects against vulnerabilities in layer 3 of the OSI model. It is the thing that gets hit from the outside while the back end is hidden away. This makes some attacks much harder.
Depending on how you setup your reverse proxy it can reduce random scanning/login attempts to basically zero. The point of a reverse proxy is to act as a proxy, as a sort of web router, and to validate that the http requests are correctly formatted.
For the routing depending on what DNS name/path the request comes in with it can route to different backends. So you can say that app1.yourdomain.com is routed to the internal IP address of your app1, and app2.yourdomain.com goes to app2. You can also do this with paths if the applications can handle it. Like yourdomain.com/app1.
When your client makes a request the reverse proxy uses the "Host" header or the SNI string that is part of the TLS connection to determine what certificate to use and what application to route to.
There is usually a "default" backend for any request that doesn't match any of the names for your backend services (like a scanner blindly trying to access your IP). If you disable the default backend or redirect default requests to something that you know is secure any attacker scanning your IP for vulnerabilities would get their requests rejected. The only way they can even try to hit your service is to know the correct DNS name of your service.
Some reverse proxies (Traefik, HAproxy) have options to reject the requests before the TLS negation has even completed. If the SNI string doesn't match the connection just drops it doesn't even bother to send a 404/5xx error. This can prevent an attacker from doing information gathering about the reverse proxy itself that might be helpful in attacking it.
This is security by obscurity which isn't really security, but it does reduce your risk because it significantly reduces the chances of an attacker being able to find your applications.
Reverse proxies also have a much narrower scope than most applications as well. Your services are running a web server with your application, but is Jellyfin's built in webserver secure? Could an attacker send invalid data in headers/requests to trigger a buffer overflow? A reverse proxy often does a much better job of preventing those kinds of attacks, rejecting invalid requests before they ever get to your application.