Hi everybody.

How should I setup reverse proxy for my services? I’ve got things like jellyfin, immich a bitwarden running on my Debian server in docker. So should i install something like nginx for each of these also in docker? Or should I install it from repository and make configs for each of these docker services?

Btw I have no idea how to use something like nginx or caddy but i would still like to learn.

Also can you use nginx for multiple services on the same port like(443)?

  • Octavusss@lemm.eeOPEnglish
    1·
    1 day ago

    Well I already got static IP from my ISP and configured Wireguard on my directly on my router so I think I’m good.

    • ippocratis@lemmy.mlEnglish
      21·
      1 day ago

      The funnel exposes your local services to the public over https . Like what you want to accomplish with reverse proxy . Its just more straightforward for a beginner.

      Personally I closed my router ports and switched to tailscalr funnels after using caddy with mutual TLS for years.

      • WhyJiffie@sh.itjust.worksEnglish
        1·
        23 hours ago

        The funnel exposes your local services to the public over https . Like what you want to accomplish with reverse proxy .

        they did not say they want it public, and that’s an additional security burden they may not need

        • ippocratis@lemmy.mlEnglish
          1·
          13 hours ago

          He he didnt but thats what he meant

          I mean 99% of users use reverse proxy for https public access

          Also read the threat replies …

          That’s what this thread is about

          No?

          • WhyJiffie@sh.itjust.worksEnglish
            1·
            8 hours ago

            if that’s true, I assume it is because they don’t know about the security consequences, nor about more secure ways. and for 99% that is the worst solution, because they won’t tighten security with a read only filesystem, DMZ and whatnot, worse, they won’t be patching their systems on schedule, but maybe in a year.

            99% users should not expose any public services other than wireguard or something based on it. on a VPS the risk my be lower, but on a home network, hell no!

            • ippocratis@lemmy.mlEnglish
              1·
              7 hours ago

              Ok I’m not any networking expert but I think you are overestimating the risk here.

              Opening a port doesn’t mean you are opening your whole home network just the specific services you want. And those not directly but with a web server in front of them . Web servers talked in this tgread that sit in front of open ports are well audited . I think that measures like mtls a generic web server hardening are more than ok to not ever be compromised.

              But yeah I’m surely interested to listen if you could elaborate.

              Thanks

              • WhyJiffie@sh.itjust.worksEnglish
                1·
                6 hours ago

                Opening a port doesn’t mean you are opening your whole home network just the specific services you want.

                until a new high severity vulnerability gets discovered and some bot exploits it on your server, taking it over. and you won’t even know. if they were a bit smart, you won’t notice it ever either.

                but there’s more! its not only the reverse proxy that can be exploited! over the past few years, jellyfin has patched a dozen vulnerabilities, some of which allowed execution of arbitrary system commands. one of the maintainers have expressed that nobody should be running those old versions anymore, because they are not safe even only on the LAN. and this was just jellyfin.

      • CapitalNumbers@lemm.eeEnglish
        1·
        23 hours ago

        maybe silly question but does tailscale tunnel operate in a similar fashion to a cloud flare tunnel? as in you can remotely access your internal service over https?