I’ve set up wireguard, because it’s only me and an employee using the services. But with that, externally I don’t even seem to have a port open. But wireguard is so fast to be online, that I’m just always connected as soon as I’m online - using a domain and an IP update script
Something like Wireguard, Tailscale (uses Wireguard but provides easier administration), Reverse Proxy, VPN, are the best approaches.
Since OP doesn’t need for anyone else to access, I’d use Tailscale (Wireguard if you want a little more effort). Tailscale has a full self-host option with Headscale, though I have no problem with letting them provide discovery.
With Tailscale, you don’t even need the client on devices to access your Tailscale network, by enabling the Funnel feature. This does something similar to Reverse Proxy, by having a Web-exposed service hosted by Tailscale which then routes traffic (encrypted) to your Tailscale network.
Yeah, but then I’ve a web exposed service and I want to keep as low a profile as possible with what I’m exposing. So I guess as long as there aren’t many users to manage, wireguard (or a tailscale configuration) could work out for OP
Are you talking about security for your homelab? It essentially comes down to good key hygiene, network security and keeping everything updated.
Don’t open ports, use a good firewall at the border of the network, use a seedbox for torrenting. Use ACLs alongside VLANs in your network. Understand DNS in terms of how your requests are forwarded and how they are processed.
What does using a good firewall mean exactly? As I understand it a port is either open or closed right? So what does a good firewall do that a bad one doesn’t?
Projects like OpenWRT and OPNsense take care to maintain their code and address security issues in firewall/router software that can be exploited. Perhaps firewall might not have been the best way to put it, but companies like TP-Link aren’t really the most scrupulous with their software.
I use wireguard and nginx but I set my WG DNS as the server ip. I have adguardhome running on the server and have added the external domains to map to their LAN address so they resolve locally when using the vpn or the LAN. A similar setup should work for you.
I have personally been very happy with FreshRSS. Nowadays I use Nextcloud News (just a Nextcloud app) for it. So if you already have Nextcloud you don’t even need to selfhost something extra.
They both have WebApps. FreshRSS has a few themes to fit your taste and Nextcloud News will obviously follow your Nextcloud theming.
As far as apps go, FreshRSS has (probably) more than Nextcloud News. I personally like Feeder (only in PlayStore but worth it imo). For Nextcloud there is an App with the same name. Also good imo, but FreshRSS/Feeder has more customization options.
Lots of people contributed really good answers, so I don’t have anything valuable to add to their answers. But I wanted to point out for your detailed question, you include what you have done, what is your understanding and what are your shortcomings clearly. As opposed to a lot of posts with vague, detail-challenged narratives, that’s a top notch post.
And the community delivered by giving good answers, so go community!
Also, you didn’t just ghost after the initial post and interacted with the people who graciously donated their time, so another bonus point there, as well.
I believe the UDP ports are for discovery on your local network so no need to handle them with your reverse proxy. If you’ve got them passed through docker your local devices should pick them up.
They’re also not required since you can always just enter the address manually. I don’t bother passing them into my container.
Check out the “Open Source Security Podcast” with Kurt Siegfried and Josh Bressers. It’s not about specifics so much as how to build a mindset around security for IoT and hosting, generally dealing with opensource offerings.
So far so good. The URL is correct, because it’s the external address. You also don’t need to publish both http and https ports. I only map external https to internal http but you can do https to https. No serious modern browser tries http first and because I always force https anyways, it doesn’t need to be public. Only the reverse proxy may need it, for Let’s Encrypt.
Both UDP ports aren’t needed for public access. I only have mapped 8096 to my reverse proxy and it works.
Don’t worry about the UDP ports, they’re only needed on the LAN and only in certain conditions. Basically Jellyfin uses them to “announce” things to the LAN.
On 7359 it announces clients where to connect; this can help you when first starting a client to let it connect automatically instead of you having to enter IP or jellyfin.mydomain.com.
On 1900 it advertises itself as a DLNA server. This is only relevant if you have other DLNA-capable devices. DLNA is a cool protocol that allows devices to act as server, controller or renderer and to cooperate to cast streams. For example you can use your phone as a DLNA controller to get media from Jellyfin acting as a DLNA server and cast it to a TV acting as a DLNA renderer. If your TV has DLNA capability then you may be interested in the BubbleUPnP phone app which can act as a controller, and that’s when you may be interested in enabling 1900.
Or you can comment out the “ports:” section in your config and say “network_mode: host” instead and all 4 ports will be mapped automatically and work as intended (it’s what I do).
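A docker-compose fragment that applies the port advice from this thread, added here as an example and not taken from any poster: only 8096 is published, bound to loopback so just the reverse proxy on the same host can reach it, and the UDP discovery ports stay unpublished. The image name and volume paths are placeholders; 8920 is Jellyfin's own HTTPS listener, left commented because TLS terminates at the proxy.

```yaml
# Added example, not from this thread: a Jellyfin service that publishes
# only what the reverse proxy needs. Image name and volume paths are
# placeholders, adjust them to your host.
services:
  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    restart: unless-stopped
    ports:
      # HTTP only, bound to loopback: reachable by a reverse proxy running on
      # this host, never directly from the LAN or the internet. TLS terminates
      # at the proxy, which is also where Let's Encrypt needs plain HTTP.
      - "127.0.0.1:8096:8096"
      # Jellyfin's own HTTPS listener; unnecessary when the proxy terminates TLS.
      # - "8920:8920"
      # UDP discovery ports are LAN-only features: do not publish them on a host
      # that faces the internet. Behind the docker bridge they mostly do not
      # work anyway, because broadcast/multicast does not cross the bridge.
      # - "7359:7359/udp"   # client auto-discovery
      # - "1900:1900/udp"   # DLNA/SSDP advertisement
    volumes:
      - ./config:/config            # placeholder path
      - ./cache:/cache              # placeholder path
      - /path/to/media:/media:ro    # placeholder path, read-only

# Alternative mentioned above: drop the "ports:" block entirely and use host
# networking, which exposes all four listeners on every host interface. Only
# do this when the host is not reachable from the internet and the border
# firewall keeps 8096, 8920, 7359 and 1900 closed.
#    network_mode: host
```

With the loopback binding, `ss -ltn` on the host should show 8096 on 127.0.0.1 only; if it shows 0.0.0.0 the service is reachable from the LAN without passing through the proxy.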
Good to know. I thought there was some issue with those ports and the reverse-proxy because the DLNA function doesn’t seem to be working but from some googling this seems to be more of a docker problem in general when you are not using host mode for networking.
Do not try to host outbound mail on residential IP blocks, delivery will be really bad. Cheap VPS is the same story. Your best bet is a VPS from some not well known provider, they may avoid being on the blacklists at M$ and Google. Inbound mail is fine anywhere as long as you can have port 25 open. DDNS works too.