Running a TrueNAS Scale server with Jellyfin and planning to add Nextcloud. How would I be able to access these services from outside my network? I have heard port forwarding is unsafe and a VPN seems inconvenient to me.
Port forwarding is unsafe, but even crossing the road is unsafe. Do you cross the road without watching? In the same way, you just don’t let a published server online without doing regular updates. You set up docker, run nextcloud (docker) behind nginx proxy manager, and have watchtower update them regularly. You can also set up 2fa in docker, and pair it with fail2ban.
Every port open widens the attack surface, but those services are made to be published, so there are mitigations against the risks.
I’ve said this many times before, but it seems relevant here, too. Using a reverse proxy is a good step for security, but you will still want to block certain incoming connections on your firewall. I block everything except for our cell phone provider, my partner’s employer, and my employer. We will never be accessing my network from any other source. At the very least, block everything and whitelist your own country; this will prevent a lot of illegitimate connections. If you’re using pfSense, the pfBlockerNG plugin makes this very easy to do.
Yeah, absolutely good point, it’s something that can be done in opnsense as well. Certainly blocking any block outside your country (or region maybe in Europe) makes sense. I block everything outside RIPE, and also China and Russia.
Internet-facing Jellyfin instance is a bit too risky for my taste (https://github.com/jellyfin/jellyfin/issues/5415), especially with those unauthenticated endpoints leaking contents of the server.
If VPN is not an option, I suggest setting a restrictive <RemoteIPFilter> in /etc/jellyfin/network.xml and/or placing Jellyfin behind HTTP basic auth.
Internet-facing Nextcloud is fine in my experience, provided you harden the web server in the usual ways.
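As an added example (not from this thread or the Jellyfin project), a small audit script that parses a network.xml and flags a RemoteIPFilter that is empty, in deny-list mode, or contains a catch-all range. The element layout assumed here (a RemoteIPFilter element holding string entries plus an IsRemoteIPFilterBlacklist flag under a NetworkConfiguration root) is what I have seen in Jellyfin's file, but treat it as an assumption and compare it against your own install; both XML samples are constructed.

```python
# Added example: audit a Jellyfin network.xml for a restrictive RemoteIPFilter.
# Element names are an assumption about the file layout; verify against your own copy.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: no filter entries, so any remote address may connect.
OPEN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<NetworkConfiguration>
  <RemoteIPFilter />
  <IsRemoteIPFilterBlacklist>false</IsRemoteIPFilterBlacklist>
</NetworkConfiguration>"""

# Constructed sample: an allow-list with the LAN and one trusted remote range.
RESTRICTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<NetworkConfiguration>
  <RemoteIPFilter>
    <string>192.168.1.0/24</string>
    <string>203.0.113.0/24</string>
  </RemoteIPFilter>
  <IsRemoteIPFilterBlacklist>false</IsRemoteIPFilterBlacklist>
</NetworkConfiguration>"""


def audit_remote_ip_filter(xml_text: str) -> list[str]:
    """Return findings as strings; an empty list means the filter looks restrictive."""
    root = ET.fromstring(xml_text)
    findings = []
    entries = [e.text.strip() for e in root.findall("./RemoteIPFilter/string") if e.text]
    flag = (root.findtext("IsRemoteIPFilterBlacklist") or "false").strip().lower()
    if flag == "true":
        # Deny-list mode: everything not listed is allowed, which is the opposite of restrictive.
        findings.append("filter is a deny-list: every address not listed is allowed")
    if not entries:
        findings.append("RemoteIPFilter is empty: any remote address may reach Jellyfin")
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"unparseable filter entry: {entry!r}")
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 in an allow-list is the same as no filter at all.
            findings.append(f"entry {entry} matches every address")
    return findings


if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        print(name, audit_remote_ip_filter(cfg) or "OK")
```

If Jellyfin sits behind a reverse proxy, the filter only helps when the proxy passes the real client address through and Jellyfin is configured to trust that proxy; otherwise every client appears to come from the proxy's own IP.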
I use a cloudflare tunnel connected to a domain name but it can be slow sometimes.
I’ve heard that streaming video is against ToS for tunnels, but I’ve not been able to confirm this.
But man, cloudflare tunnels are so cool. They are a game changer if you’re behind a cgNAT or can’t port forward for some reason. And they are even useful if you can port forward. Cloudflare caching and ddos protection, and your IP is not exposed.
Beautiful.
Well hosting a web server is against my isp’s terms of service so I’m playing dangerous either way lol. But I only use it for my nextcloud, I plan on either switching to FiOS or upgrading to business internet with my current provider so I can get rid of the cgnat.
That is a fair point lol 😂
Yeah, cgNAT is such a drag man.
It’s bad even for non-tech people. They will be wondering why they can’t connect to voice chat on their game system, or why they can’t connect to their VPN for work.
We need to rip the band-aid off and embrace ipv6.
I’ll be honest with you, aside from the fact I can’t get a static IP or forward ports I’ve never really had any issues with it. I use discord for voice chat and don’t play on consoles though.
I don’t think it is explicitly against the ToS any longer, although it used to be from what I can gather. There is no longer a section 2.8 here but it does state in section 2.7:
So as long as you either only host original content or your media server requires login and is not open to the public then I don’t think you’d have any issues.
I actually use a Cloudflare Tunnel in this way to serve a Jellyfin docker container and have not had any issues. I also disabled Cloudflare caching though for the subdomain that Jellyfin is served from, in order to be sure Cloudflare wasn’t caching that media either.
That’s good to know, thanks!