- 0 Posts
- 29 Comments
It’s mostly so that I can have SSL handled by nginx (and not per-service), and also for ease of hosting multiple services accessible via subdomains. So every service is its own subdomain.
Additionally, my internal network (as in, my physical LAN) does not have any port forwarding enabled — everything is over WireGuard to my VPS.
My method:
VPS with reverse proxy to my public facing services. This holds SSL certs, and communicates with home network through WireGuard link configured on my router.
Local computer with reverse proxy for all services. This also has SSL certs, and handles the same services as the VPS, so I can have local/LAN speeds. Additionally, it serves as a reverse proxy for all my private services, such as my router/switches/access point config pages, Jellyfin, etc.
No complaints, it mostly just works. I also have my router override DNS entries for my FQDN to resolve locally, so I use the same URL for accessing public services on my LAN.
Yeah I don’t expose Jellyfin over the Internet, so it doesn’t matter for me, and wouldn’t work at all over WAN (unless VPN’d to home network).
Also, it’s all reverse proxied, and there’s nothing preventing having two Jellyfin hostnames, e.g., jf-local.mydomain.com and jf-public.mydomain.com.
Another fun trick you can play is to use a private IP on your public DNS records. This is useful for Jellyfin on Chromecast for instance — it uses 8.8.8.8 for DNS lookup (and ignores your router settings), so it wants a fully qualified domain name. But it has no problem accessing local hosts, so long as it’s from 8.8.8.8’s record.
I have set up local DNS entries (with Pi-Hole) to point to my srrver, but I don’t know if it possible to get certs for that, since it is not a real domain.
So long as your certs are for your fully qualified domain there’s no problem. I do this, as do many people — mydoman.com is fully qualified, but on my own network I override the DNS to the local address. Not a problem at all — DNS is tied to the hostname, not the IP.
Any chance you have a DMZ set up on your router?
On your router, are there any settings specific to any host (other than the server maybe)? For example, a static IP or a port forwarded rule.
Do you have a VPN on the phones? Can you traceroute from your phone to the server and post that? (I like PingTools for Android.) You should have 1 hop (you -> server, nothing in between).
Can you verify that you are on the same wifi including same wifi channel? Phone on 5GHz but Linux box on 2.4GHz, for example.
There are plenty of distributions without systemd — https://en.m.wikipedia.org/wiki/Category:Linux_distributions_without_systemd
Yeah, tenure definitely a double-edged sword. On the one hand, being able to voice potentially unpopular opinions is important. On the other, having dead weight occupying faculty positions which brilliant younger folk would kill for — folks who would be more productive, more engaged, and contribute more to the world — is…well, maybe not great.
I think this is the real question.
Did they quit and join a competitor who offered a better WFH option? Or did they get a taste of the good parts of white collar pandemic life — no commute, flexible hours, work from anywhere — and decide that actually, their entire identity is not just their professional life, and maybe they should retire to see the world/spend time with family?
There are definitely some high profile rage quits over return to office, but I think there are a lot more of the “hey this was fun but time to take care of myself” quits.
This suggests nginx options to use re: hostname. Unsure of your nginx config…
https://forum.syncthing.net/t/web-gui-over-nginx-proxy-only/13767
403 Forbidden doesn’t necessarily mean a bad login attempt. Are you sure that’s the error? My troubleshooting steps would be to access directly (no nginx), and look at the logs for a successful login. Then, look try to login with nginx, and look at those logs (both access.log and error.log on nginx, and any/all logs from syncthing). Find out where the two cases diverge and go from there.
Does syncthing have a domain name specified? If it doesn’t know its domain name it may work from IP directly but not via reverse proxy. Just a hunch.
Can you post the syncthing logs, as well as the nginx logs?
I assume you’ve seen this: https://stackoverflow.com/questions/48626459/refused-to-execute-script-because-strict-mime-type-checking-is-enabled
Can you post your nginx config? Is it just this one with different variables? https://docs.syncthing.net/users/reverseproxy.html
Some false premises in this thread — corporations are not required to maximize profits. Even if maximizing profit was mandatory, this is a pretty subjective topic — is short term profit while pissing off your customers “maximizing profit,” or is sacrificing short term gains for long term customer loyalty “maximizing profit”? It’s not a rhetorical question, and I think you can find examples of both.
Corporations are also not all pursuing endless growth; in addition to “growth stocks” there are “dividend stocks.” Some companies aren’t aggressively pursuing growth, but are making profit, and the stock reflects this. It feels almost antiquated in the “to the moon” era, but these companies do exist.
As others have said, it’s a bit outdated. Being slow is one thing, but having limited software support can be very frustrating.
If possible I would try for a raspberry pi instead, as those have very strong ecosystems (yes, there are problems, but still — it’s a big community). A 5 with 8GB would be ideal, but something lower spec (even a 3) would probably still be more capable.
I think parent is hosting on their own physical hardware, just using a VPS for a public IP. I do the same (I use WireGuard instead, but similar idea). The VPS is doing the same thing as Cloud flare in your setup. I’m a proponent of this setup because the only reliance is on a totally generic VPS, of which there are many providers.
Not sure how reverse proxy is avoided this way — do you enter port numbers for your services when you access them, or have one service per machine?
I have a few publicly accessible services, and a bunch of private services, but everything is reverse proxy’d — I find it very convenient, as for example I can go to https://wap.mydomain.net for my access point admin page, or photos.mydomain.net for my Immich instance. I have a reverse proxy on my VPS for public services, and another one on my lan for private services; WireGuard between VPS, LAN, and my personal devices. Possibly have huge security holes of course…
https://www.wsj.com/articles/the-facebook-files-11631713039 NYT not the only big outlet doing “actual journalism” — not sure about WSJ’s profitability quarter to quarter, but I don’t think they are actively sinking.
And of course: opinion side of any paper is NOT news, regardless of your alignment.
Does the raspberry pi have a wifi adapter, and is it unused for your project?
If so, you can use your pi as an access point — no need for cables, you just connect your laptop to the pi’s SSID.
Downside is that now your laptop doesn’t have Internet access, which may be a deal breaker (unless you can plug your pi into a router and get access through it). You could just get a cheap USB wifi dongle for your laptop and use one interface for Internet, one for pi.
Hostapd is probably how you would go about this of you’re interested ( https://learn.adafruit.com/setting-up-a-raspberry-pi-as-a-wifi-access-point/install-software )
Add to that photo editing (as much as GIMP is great…). I would guess DAW and video editing would fall under that category, too…and good luck finding many AAA open source games.