Hi all. Noob question/s here. I want to be able to access my Immich server (docker) externally and maybe set up some others (e.g. Mealio). My understanding is that I need (should) use NGINX reverse proxy for this. My questions are:
Do I need to set up NGINX on a VPS (or similar cloud based server) to send the queries to my home box?
Do I need to purchase a domain (randomblahblah.xyz) to use as the main access route from outside my house?
Why keep giving cloudflare a monopoly of the internet traffic? Isn’t the whole self-hosting movement about breaking out of the tech giants’ shenanigans and promoting a healthy alternative with a decentralized and robust internet?
I honestly don’t care. I just self host as a way to not be locked into google specifically. So if I ever do decide to switch to something else outside of Cloudflare or Tailscale, I can. By the way, I tried to set up Wireguard and I felt like I had to have a degree in engineering to get it to work. Then I tried wg-easy and that didn’t work. Went to the github and seen it had like 300 issues. I like stuff that just works and I don’t have to spend hours tinkering with.
I’m still relatively new to NGINX Proxy Manager myself, but I’ll give your questions a shot.
It doesn’t matter how (or where) you host your proxy instance, what matters is that the requests can get to it so that it can forward them to the correct resources. So simple answer to question one is no you can host locally.
If you host it locally you need to make sure that you forward requests that come into your network on to the proxy to be routed correctly. This is where port forwarding comes into play. You’ll need to set your router to take any requests that come in on port 80 or 443 (HTTP and HTTPS) and send those to your proxy.
As for question two do you need to purchase a domain. You can use a free domain name or you can pay for one that part doesn’t matter. The domain isn’t a technical requirement until you want to start hardening your instances with SSL. To get a cert you’ll need a domain. But if you set up your port forwarding and a proxy you could send a request to some_subdomain.123.456.789.123:80 (your external IP) and the proxy server will take thar request and translate it to the local server mapped to some_subdomain.
Do I need to set up NGINX on a VPS (or similar cloud based server) to send the queries to my home box?
A proxy on a VPS is one way to do this, but not the only way and not necessarily the best one… depending on your goals.
You can also use port-forwarding and dyndns to just expose the port off your home-ip. If your ISP is sucky, this may not work though.
You can also use Cloudflare’s free tunneling product, which is basically a hosted proxy that acts like a super port-forward that bypasses sucky ISP restrictions.
If you want to access Immich yourself from your own devices but don’t need to make it available to (many) others on devices you don’t control, I like and use tailscale the best. The advantage of tailscale is that Immich remains on a private network, not directly scannable from the internet. If there’s a preauth exploit published and you don’t pay attention to update promptly, scanners WILL exploit your Immich instance with internet-exposed techniques… whereas tailscale allows you to access services that internet scanners cannot connect to, which is a nice safety net.
Do I need to purchase a domain (randomblahblah.xyz) to use as the main access route from outside my house?
Not for tailscale, and I don’t think for Cloudflare tunnel. Yes for a VPS proxy.
I’ve run a VPS for a long while and use multiple techniques for different services.
Some services I run directly on the VPS because it’s simple and I want them to be truly publicly accessible.
Other services I run on a bigger server at home and proxy through the VPS because although I want them to be publicly accessible, they require more resources than my VPS has available. When I get around to installing Immich, there’s a decent chance it will go into this category.
Still other services, I run wherever and attach them to my tailnet. These I access myself on my own devices (or maybe invite a handful of trusted people into my tailnet), but aren’t visible to the public internet. If I decide not to use immich’s shared gallery features (and so don’t need it publicly accessible) or decide I don’t trust it security-wise… it will go here instead of the proxy-by-vps category.
So for something like Jellyfin that you are sharing to multiple people you would suggest a VPS running a reverse proxy instead of using DDNS and port forwarding to expose your home IP?
What VPS would you recommend? I would prefer to self host, but if that is too large of a security concern I think there is a real argument for a VPS.
So for something like Jellyfin that you are sharing to multiple people you would suggest a VPS running a reverse proxy instead of using DDNS and port forwarding to expose your home IP?
I run my Jellyfin on Tailscale and don’t expose it directly to the internet. This limits remote access to my own devices, or the devices of those I’m willing to help install and configure tailscale on. I don’t really trust Jellyfin on the public internet though. It’s both a bit buggy, which doesn’t bode well for security posture… and also a misconfiguration that exposes your content could generate a lot of copyright liability even if it’s all legitimately licensed since you’re not allowed to redistribute it.
But if you do want it publicly accessible there isn’t a hoge difference between a VPS proxying and a dynamic DNS setup. I have a VPS and like it, but there’s nothing I do with it that couldn’t be done with Cloudflare tunnel or dyndns.
What VPS would you recommend? I would prefer to self host, but if that is too large of a security concern I think there is a real argument for a VPS.
I use linode, or what used to be linode before it was acquired by Akamai. Vultr and Digitalocean are probably what I’d look to if I got dissatisfied. There’s a lot of good options available. I don’t see a VPS proxy as a security improvement over Cloudflare tunnel or dyndns though. Tailscale is the security improvement that matters to me, by removing public internet access to a service entirely, while lettinge continue to use it from my devices.
Thanks a lot. Tailscale is out, unfortunately. Because the server also runs Plex and I need to use it with Chromecast on remote access (it’s an old CC, so can’t add tailscale to it). Looking into Cloudflare and port forwarding. I’ve just signed up to NextDNS though, so don’t want to add another layer of DNS stuff to my mix.
Tailscale is out, unfortunately. Because the server also runs Plex and I need to use it with Chromecast on remote access…
I rather suspect you already understand this, but for anyone following along… Tailscale can be combined with other networking techniques as well. So one could:
Access Plex from a Chromecast on your home network using your physical IP, and on your tailnet using the overlay IP.
Or one could have some services exposed publicly and others exposed on the tailnet. So Immich could be on the tailnet while Plex is exposed differently.
It’s not an all or nothing proposition, but of course the more networking components you have the more complicated everything gets. If one can simplify, it’s often well worth doing so.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
selfh.st Newsletter and index of selfhosted software and apps
My recommendation for a free dynamic DNS service goes for https://freedns.afraid.org/
Thanks. Annoyingly, perhaps, I’ve just signed up for a year of NextDNS.
Thanks. I’m still a bit confused about the domain stuff, but I’m looking into it.
Thanks, I’m going to try this.
Just use Cloudflare Tunnels if you’re opening it up to the Internet.
Use tailscale if only using your own personal devices.
Both easy to setup in 5 minutes.
Why keep giving cloudflare a monopoly of the internet traffic? Isn’t the whole self-hosting movement about breaking out of the tech giants’ shenanigans and promoting a healthy alternative with a decentralized and robust internet?
I honestly don’t care. I just self host as a way to not be locked into google specifically. So if I ever do decide to switch to something else outside of Cloudflare or Tailscale, I can. By the way, I tried to set up Wireguard and I felt like I had to have a degree in engineering to get it to work. Then I tried wg-easy and that didn’t work. Went to the github and seen it had like 300 issues. I like stuff that just works and I don’t have to spend hours tinkering with.
I’m still relatively new to NGINX Proxy Manager myself, but I’ll give your questions a shot. It doesn’t matter how (or where) you host your proxy instance, what matters is that the requests can get to it so that it can forward them to the correct resources. So simple answer to question one is no you can host locally.
If you host it locally you need to make sure that you forward requests that come into your network on to the proxy to be routed correctly. This is where port forwarding comes into play. You’ll need to set your router to take any requests that come in on port 80 or 443 (HTTP and HTTPS) and send those to your proxy.
As for question two do you need to purchase a domain. You can use a free domain name or you can pay for one that part doesn’t matter. The domain isn’t a technical requirement until you want to start hardening your instances with SSL. To get a cert you’ll need a domain. But if you set up your port forwarding and a proxy you could send a request to some_subdomain.123.456.789.123:80 (your external IP) and the proxy server will take thar request and translate it to the local server mapped to some_subdomain.
Thanks, I’m going to try the port forwarding part. That seems like the simplest step. NPM looks very useful though.
Also for ease of use and management try out https://nginxproxymanager.com/
This looks really useful. Thanks!
A proxy on a VPS is one way to do this, but not the only way and not necessarily the best one… depending on your goals.
Not for tailscale, and I don’t think for Cloudflare tunnel. Yes for a VPS proxy.
I’ve run a VPS for a long while and use multiple techniques for different services.
So for something like Jellyfin that you are sharing to multiple people you would suggest a VPS running a reverse proxy instead of using DDNS and port forwarding to expose your home IP?
What VPS would you recommend? I would prefer to self host, but if that is too large of a security concern I think there is a real argument for a VPS.
I run my Jellyfin on Tailscale and don’t expose it directly to the internet. This limits remote access to my own devices, or the devices of those I’m willing to help install and configure tailscale on. I don’t really trust Jellyfin on the public internet though. It’s both a bit buggy, which doesn’t bode well for security posture… and also a misconfiguration that exposes your content could generate a lot of copyright liability even if it’s all legitimately licensed since you’re not allowed to redistribute it.
But if you do want it publicly accessible there isn’t a hoge difference between a VPS proxying and a dynamic DNS setup. I have a VPS and like it, but there’s nothing I do with it that couldn’t be done with Cloudflare tunnel or dyndns.
I use linode, or what used to be linode before it was acquired by Akamai. Vultr and Digitalocean are probably what I’d look to if I got dissatisfied. There’s a lot of good options available. I don’t see a VPS proxy as a security improvement over Cloudflare tunnel or dyndns though. Tailscale is the security improvement that matters to me, by removing public internet access to a service entirely, while lettinge continue to use it from my devices.
Thanks a lot. Tailscale is out, unfortunately. Because the server also runs Plex and I need to use it with Chromecast on remote access (it’s an old CC, so can’t add tailscale to it). Looking into Cloudflare and port forwarding. I’ve just signed up to NextDNS though, so don’t want to add another layer of DNS stuff to my mix.
I rather suspect you already understand this, but for anyone following along… Tailscale can be combined with other networking techniques as well. So one could:
It’s not an all or nothing proposition, but of course the more networking components you have the more complicated everything gets. If one can simplify, it’s often well worth doing so.
Good luck, however you approach it.
Ah, I very much did not know that! Ok, I’m off to investigate Tailscale a bit more.
Yay! We converted another one.
Replying to my own comment to say thanks again for all the tips and advice. I got it all sorted with Tailscale. The final piece of the puzzle!
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
7 acronyms in this thread; the most compressed thread commented on today has 3 acronyms.
[Thread #86 for this sub, first seen 28th Aug 2023, 12:15] [FAQ] [Full list] [Contact] [Source code]