this post was submitted on 29 Jul 2024
41 points (91.8% liked)

Selfhosted


Hello all,

I have started experimenting again with a local server and I am facing a few issues, here is my case.

I run Debian on an old HP prebuilt without GUI. I do everything with ssh from my laptop (basic connection ssh user@addr)

I have installed docker. I have installed a few containers. I also installed portainer for easier management.

All good so far because everything is local.

I have purchased a domain with cloudflare and set up a tunnel as to avoid exposing any ports and having an easier time managing and deploying stuff.

I have set up jellyfin and vaultwarden but when I tried to install nextcloud AIO it was advised to add a local reverse proxy as to avoid many problems.

My questions are:

Is the tunnel solution appropriate for jellyfin?

I suppose it's OK for vaultwarden as there isn't much data being transferred?

Would it be better to run nginx proxy manager for everything or can I run both of the solutions?

Any general recommendations on the above and in general are appreciated!

top 17 comments
[–] OminousOrange@lemmy.ca 11 points 3 months ago (1 children)

I'm definitely not a network pro, but it sounds like you're looking to do something similar to what I have.

I've got nginx proxy manager as my reverse proxy with pi-hole for local DNS. All traffic goes through the pi-hole and anything going to mydomain.com has DNS entries pointing to nginx. I've set nginx up so service.lan.mydomain.com is for anything local and just service.mydomain.com for anything external with wildcard SSL certs for both (*.domain doesn't seem to cover *.lan.domain so add certs for both - probably because it's a sub-subdomain).

The Cloudflare tunnel can then just get directed to service.mydomain.com instead of the IP of the service.

[–] piracysails@lemm.ee 1 points 3 months ago (1 children)

I have read all comments and most of them provide useful information but I think this is what I need indeed.

Do you have any sources / guides on how to proceed with these configurations? :)

[–] OminousOrange@lemmy.ca 1 points 3 months ago

Unfortunately there isn't really an all-in-one guide. TechnoTim has info on the Pi-hole config side and wildcard certificates, but I think he uses it with traefik.

NPM is pretty straightforward. If you find a site isn't working, try turning on Web Socket support.

I'd say just search for guides on each part individually:

  1. Get all the services installed and up and running
  2. Get SSL certificates from Cloudflare for your domain.
  3. Set up NPM for the services you want to reverse proxy with your Cloudflare SSL certs (they won't work until the next step is done)
  4. Set up pi-hole to be your local DNS (there's also adblock lists to add) and configure it to send all service(.lan).mydomain.com to the ip of NPM.
  5. Set up the Cloudflare tunnel.

I can try to help if you run into any issues.

[–] tristan@aussie.zone 11 points 3 months ago (1 children)

First, your questions

Is the tunnel solution appropriate for jellyfin?

Yes but also no. The tl;dr is it will work, but video streaming is against CloudFlare rules. I ran this way for about 2 years with Plex just for my own use, so for about 15 hours a week on 480p and I never got my service suspended, but I've heard stories of others getting suspended... So just know it's a risk

I suppose it's OK for vaultwarden as there isn't much data being transferred?

That's a good use of tunnels

Would it be better to run nginx proxy manager for everything or can I run both of the solutions?

You can definitely run both solutions (tunnel points to npm, npm to all other services), and it saves you setting up tunnels for each service

Now for my 2 cents

As others have suggested, tailscale funnel is a valid option. A reverse proxy using a VPS is also a valid option. And as I pointed out, doing the CloudFlare tunnel is an option if you're willing to accept the risk.

My current setup is using a free Oracle VPS with a small nginx docker container forwarding all port 80 and 443 traffic through tailscale. On the other end is a nginx proxy manager docker container that points to all my services across the network. I have my CloudFlare details configured in nginx proxy manager to generate a wildcard SSL certificate that I apply to all my local services

Inside the network, I use adguard to redirect the domain to the local LAN IP of the nginx proxy manager server to avoid traffic going through the internet.

Then all you need to do is point the domain on CloudFlare dns to the Oracle server, and you'll have several layers of separation between the internet and your local LAN, as well as SSL certs both internally and externally on any services you share

It might not be the most elegant setup, but I share my Plex server (as well as about 30 other things) with several other people and can handle multiple 1080p streams going through it without any issue and it's been nice and stable for over a year without any issues

[–] Dave@lemmy.nz 2 points 3 months ago* (last edited 3 months ago) (1 children)

Yes but also no. The tl;dr is it will work, but video streaming is against CloudFlare rules. I ran this way for about 2 years with Plex just for my own use, so for about 15 hours a week on 480p and I never got my service suspended, but I've heard stories of others getting suspended... So just know it's a risk

My understanding is that this clause was quietly removed from the Ts and Cs, perhaps 1 or 2 years ago. I haven't heard of anyone getting banned for it since then.

Personally while I have Jellyfin set up through Cloudflare, it's almost entirely run local-network only (with a local DNS entry in Pihole to connect to the domain direct when on my network) so I haven't had any issues but probably wouldn't trigger any unusual activity alarms in Cloudflare.

[–] tristan@aussie.zone 3 points 3 months ago

I do vaguely remember something about it getting changed, but yeah, as you said unless you're sharing it with a bunch of people, it's probably not enough to trigger anything on their side anyway

I think there's a nice variety of methods out there now that there's no "one right way" to do it, which I think is great compared to just a few years ago where your only real options were a reverse tunnel or CloudFlare tunnels

[–] Decronym@lemmy.decronym.xyz 7 points 3 months ago* (last edited 3 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
CF              CloudFlare
DNS             Domain Name Service/System
HTTP            Hypertext Transfer Protocol, the Web
IP              Internet Protocol
Plex            Brand of media server package
SSL             Secure Sockets Layer, for transparent encryption
TLS             Transport Layer Security, supersedes SSL
VPN             Virtual Private Network
VPS             Virtual Private Server (opposed to shared hosting)
nginx           Popular HTTP server

9 acronyms in this thread; the most compressed thread commented on today has 20 acronyms.

[Thread #894 for this sub, first seen 29th Jul 2024, 05:55] [FAQ] [Full list] [Contact] [Source code]

[–] xantoxis@lemmy.world 4 points 3 months ago* (last edited 3 months ago) (1 children)

I haven't deployed Cloudflare but I've deployed Tailscale, which has many similarities to the CF tunnel.

  • Is the tunnel solution appropriate for Jellyfin?

I assume you're talking about speed/performance here. The overhead added by establishing the connection is mostly just once at the connection phase, and it's not much. In the case of Tailscale there's additional wireguard encryption overhead for active connections, but it remains fast enough for high-bandwidth video streams. (I download torrents over wireguard, and they download much faster than realtime.) Cloudflare's solution is only adding encryption in the form of TLS to their edge. Everything these days uses TLS, you don't have to sweat that performance-wise.

(You might want to sweat a little over the fact that cloudflare terminates TLS itself, meaning your data is transiting its network without encryption. Depending on your use case that might be okay.)

  • I suppose it's OK for vaultwarden as there isn't much data being transferred?

Performance wise, vaultwarden won't care at all. But please note the above caveat about cloudflare and be sure you really want your vaultwarden TLS terminated by Cloudflare.

  • Would it be better to run nginx proxy manager for everything or can I run both of the solutions?

There's no conflict between the two technologies. A reverse proxy like nginx or caddy can run quite happily inside your network, fronting all of your homelab applications; this is how I do it, with caddy. Think of a reverse proxy as just a special website that branches out to every other website. With that model in mind, the tunnel is providing access to the reverse proxy, which is providing access to everything else on its own. This is what I'm doing with tailscale and caddy.

  • General recs

Consider tailscale? Especially if you're using vaultwarden from outside your home network. There are ways to set it up like cloudflare, but the usual way is to install tailscale on the devices you are going to use to access your network. Either way it's fully encrypted in transit through tailscale's network.

[–] piracysails@lemm.ee 1 points 3 months ago* (last edited 3 months ago)

Thank you for all of this, but a VPN solution won't work for me as I run a VPN all the time on all my machines.

Edit: Upon looking a little on tailscale, I might consider it, seems interesting.

[–] Moonrise2473@feddit.it 2 points 3 months ago

The cloudflare tunnel is effectively a local reverse proxy

Create a docker network, place everything on the same docker network, then you can reach stuff by setting the tunnel at http://[container-name]

So you set the tunnel at http://nextcloud or http://jellyfin:8096 and so on

You'd think "but without a local proxy that does ssl encryption, cloudflare could read my communication" - no, if they really wanted they could read it anyway as they decrypt and re-encrypt
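Both layouts discussed in this thread, the tunnel handed straight to a container on a shared docker network (Moonrise2473's reply above) and the tunnel handed to Nginx Proxy Manager which then routes by hostname with a wildcard certificate (OminousOrange's and tristan's setups), can live in one compose project with one cloudflared ingress file. The following is an added worked example, not configuration from the thread or from Cloudflare, NPM, Jellyfin or Vaultwarden themselves. Everything in it is an assumption for illustration: the `proxy` network name, the service names `npm`, `jellyfin`, `vaultwarden`, `cloudflared`, the `example.com` hostnames, the bind-mount paths, and the `<TUNNEL-UUID>` placeholder that `cloudflared tunnel create` prints for a real tunnel. Whichever pattern is used, the caveat raised further up still applies: Cloudflare terminates TLS at its edge and re-encrypts towards the origin, so the ingress choice decides what is encrypted on your LAN, not what Cloudflare can see.

```yaml
# ---- file: docker-compose.yml (added example; all names are assumed) ----
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate --config /etc/cloudflared/config.yml run
    volumes:
      - ./cloudflared:/etc/cloudflared:ro   # holds config.yml and <TUNNEL-UUID>.json
    networks: [proxy]
    restart: unless-stopped

  npm:
    image: jc21/nginx-proxy-manager:latest
    ports:
      - "127.0.0.1:81:81"   # admin UI: loopback only, reach it over the ssh session, never the internet
      - "80:80"             # LAN clients; NPM redirects to HTTPS
      - "443:443"           # LAN clients resolving service.lan.example.com locally
    volumes:
      - ./npm/data:/data
      - ./npm/letsencrypt:/etc/letsencrypt
    networks: [proxy]
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin:latest
    # no "ports:" on purpose: only reachable as http://jellyfin:8096 inside
    # the proxy network, i.e. via NPM or via the tunnel, never directly from the host's interfaces
    volumes:
      - ./jellyfin/config:/config
      - /srv/media:/media:ro
    networks: [proxy]
    restart: unless-stopped

  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      DOMAIN: https://vault.example.com   # must equal the public hostname clients use
    volumes:
      - ./vaultwarden:/data
    networks: [proxy]
    restart: unless-stopped

networks:
  proxy:
    name: proxy          # the shared docker network; containers resolve each other by service name

# ---- file: cloudflared/config.yml (added example) ----
---
tunnel: <TUNNEL-UUID>                                   # placeholder, not a real tunnel id
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json
ingress:
  # Pattern 1: tunnel straight to the container by its docker network name.
  # Plain HTTP between cloudflared and jellyfin never leaves the docker network.
  - hostname: jellyfin.example.com
    service: http://jellyfin:8096

  # Pattern 2: everything else goes to NPM over HTTPS; NPM holds the wildcard
  # certificate and picks the backend from the Host header, so one tunnel route
  # covers every new service you add in NPM.
  - hostname: "*.example.com"
    service: https://npm:443
    originRequest:
      # Verify NPM's *.example.com certificate under a name it actually covers
      # instead of disabling verification. Use noTLSVerify: true only while NPM
      # still serves its default self-signed certificate.
      originServerName: npm.example.com

  # Mandatory catch-all: anything not matched above gets a 404 instead of a backend.
  - service: http_status:404
```

For the local side of the split described earlier in the thread (Pi-hole answering `service.lan.example.com` with the server's LAN address so in-house traffic never leaves the network), the equivalent Pi-hole/dnsmasq line would be of the form `address=/lan.example.com/<server-lan-ip>` in a file under `/etc/dnsmasq.d/`; that path and the `lan.` label are likewise assumptions here, and NPM needs a second proxy host per service for the `.lan.` name, using the `*.lan.example.com` certificate OminousOrange mentions.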

[–] solrize@lemmy.world 2 points 3 months ago

This all sounds like too many levels of hair. If you really want to serve from home and have the upstream bandwidth for it, then reverse proxy to a cheap VPS seems like the easiest approach. I lost interest in that ages ago, partly because of crappy home internet. I have played with the idea of colo'ing a server at a data center but in the end, it's simpler to use VPS and/or rental dedicated servers, so I do that instead. Whether that counts as self hosting is up to you, I guess.

[–] DieserTypMatthias@lemmy.ml 2 points 3 months ago (1 children)

AFAIK, Tailscale has Funnel, which is better than CF tunnels since you can expose any machine you have without buying an expensive switch.

[–] tristan@aussie.zone 2 points 3 months ago

Why would you need an expensive switch for CF tunnels??

It bypasses the switch and forms a tunnel directly to the machine and you don't need to change any configuration on the switch

Both options can expose any service as long as the machine has internet

[–] gaylord_fartmaster@lemmy.world 1 points 3 months ago* (last edited 3 months ago)

I use Nextcloud with Nginx Proxy Manager and just use NPM to handle the reverse proxy, nothing in Nextcloud other than adding the domain to the config so it's trusted.

I use Plex instead of Jellyfin, but I stream it through NPM with no issues. I can't speak to the tunnel though, I prefer a simple wireguard tunnel for anything external so I've never tried it.

Edit: unless that's what you mean by tunnel, I was assuming you meant traefik or tailscale or one of the other solutions I see posted more often, but I think one or both of those use wireguard under the hood.

[–] jimmy90@lemmy.world 1 points 3 months ago (1 children)

If your service has to be public I would recommend getting a switch that can do VLANs and put your server inside its own VLAN DMZ so if you get hacked they will be trapped inside the VLAN

[–] kylian0087@lemmy.dbzer0.com 2 points 3 months ago

Also need a router that allows for VLANs as well. Otherwise you can not access the other network when you're home, as you need routing between the VLANs. Or you can use a L3 switch.

[–] TheBigBrother@lemmy.world -4 points 3 months ago