Safely exposing services to the Internet
from Australis13@fedia.io to selfhosted@lemmy.world on 17 Jun 05:02
https://fedia.io/m/selfhosted@lemmy.world/t/4022473

Hi all,

I’m looking at exposing some self-hosted web-based services externally so that some relatives can access them and would appreciate some advice.

Vikunja is the starting point (mostly to facilitate my spouse and I using it when away from home) but in future I want to set up Immich or similar to replace Google Photos, and that in particular will need to be shared with friends and family (especially so that immediate family can have camera uploads on automatically).

I understand that ideally I’d use SSH, a VPN, or tailscale or similar (although I don’t have experience with tailscale), but that’s not going to be feasible. Most of the family will not be able to set up those connections themselves (which means I would need to) and several are far enough away that it is impractical for me to provide on-site support or do it myself. Even if I could get a VPN or similar deployed on all their devices, I suspect that they’re going to struggle with needing to connect to it just to upload or view photos, then disconnect afterwards to resume using the Internet – I really need this to “just work” for them.

So this brings me back to safely exposing these services to the outside world. My network architecture complicates this a little, so for context:

So my main questions are:

  1. Beyond fail2ban and my router’s firewall, what else can I do to protect my network once I open ports 80 and 443?

  2. How do I handle fail2ban configuration when the services are on different devices to the nginx proxy? I understand the best place to put fail2ban would be on the Pi running nginx (since it’s the access point to the outside world), but that it also needs to read the logs from Vikunja, etc. to be effective.

  3. Where would you put Immich in my network architecture?

Any other tips/recommendations for making this easy to use for my less tech-inclined friends and family would be much appreciated as well. Thanks.

#selfhosted
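Question 2 above asks where fail2ban can see the failures when the services sit on other devices. One practical answer, shown here as an added example rather than anything posted in this thread: if nginx on the proxy Pi records `$upstream_status` in its access log, the proxy already sees every 401/403 that Vikunja or any other backend returns, so a fail2ban-style counter can run at the edge without reading logs on the other machines. The script below implements that counting over constructed log lines; the log_format, the thresholds and the sample addresses are assumptions.

```python
"""Proxy-side failed-login detection, fail2ban style (added example).

Assumes nginx on the proxy uses a custom log_format that records the
backend's response code, for instance:

    log_format proxied '$remote_addr [$time_local] "$request" '
                       '$status $upstream_status "$http_user_agent"';

The log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<upstream>[^"]+?) "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
FAIL_CODES = {"401", "403"}   # assumed: what counts as an auth failure


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "request": m.group("request"),
        "status": m.group("status"),
        "upstream": m.group("upstream").strip(),
    }


def is_auth_failure(rec):
    """True when the code the client actually received was 401 or 403."""
    if rec["upstream"] == "-":            # nginx answered itself, no backend involved
        return rec["status"] in FAIL_CODES
    # $upstream_status lists every backend tried ("502, 401"); the last one won
    return rec["upstream"].split(",")[-1].strip() in FAIL_CODES


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Map IP -> time of the failure that pushed it past maxretry within findtime."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_auth_failure(rec) or rec["ip"] in bans:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while rec["time"] - q[0] > findtime:   # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            bans[rec["ip"]] = rec["time"]
    return bans


# Constructed sample: one brute-forcer, one legitimate user with a typo,
# one slow source whose failures never fit inside the 10-minute window.
SAMPLE_LOG = """\
203.0.113.7 [17/Jun/2025:05:02:01 +1000] "POST /api/v1/login HTTP/1.1" 401 401 "curl/8.0"
198.51.100.2 [17/Jun/2025:05:02:05 +1000] "GET /api/v1/user HTTP/1.1" 200 200 "Mozilla/5.0"
203.0.113.7 [17/Jun/2025:05:02:07 +1000] "POST /api/v1/login HTTP/1.1" 401 401 "curl/8.0"
203.0.113.7 [17/Jun/2025:05:02:12 +1000] "POST /api/v1/login HTTP/1.1" 401 502, 401 "curl/8.0"
192.0.2.9 [17/Jun/2025:05:02:20 +1000] "GET /nonexistent HTTP/1.1" 404 - "Mozilla/5.0"
203.0.113.7 [17/Jun/2025:05:02:30 +1000] "POST /api/v1/login HTTP/1.1" 401 401 "curl/8.0"
203.0.113.7 [17/Jun/2025:05:03:00 +1000] "GET /api/v1/tasks HTTP/1.1" 403 403 "curl/8.0"
198.51.100.2 [17/Jun/2025:05:04:00 +1000] "POST /api/v1/login HTTP/1.1" 401 401 "Mozilla/5.0"
this line is not in the expected format
192.0.2.9 [17/Jun/2025:05:10:00 +1000] "POST /api/v1/login HTTP/1.1" 401 401 "Mozilla/5.0"
192.0.2.9 [17/Jun/2025:05:25:00 +1000] "POST /api/v1/login HTTP/1.1" 401 401 "Mozilla/5.0"
192.0.2.9 [17/Jun/2025:05:40:00 +1000] "POST /api/v1/login HTTP/1.1" 401 401 "Mozilla/5.0"
192.0.2.9 [17/Jun/2025:05:55:00 +1000] "POST /api/v1/login HTTP/1.1" 401 401 "Mozilla/5.0"
192.0.2.9 [17/Jun/2025:06:10:00 +1000] "POST /api/v1/login HTTP/1.1" 401 401 "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S} (fail2ban would run its actionban here)")
```

With fail2ban itself the equivalent is a filter whose failregex matches the same 401/403 lines and a jail on the proxy's access log, so no log shipping from the Vikunja host is needed.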

hirihit640@sh.itjust.works on 17 Jun 05:21

I recommend proxmox. One VM for sensitive private data and backups, one VM for stuff exposed to the internet

Jean_le_Flambeur@discuss.tchncs.de on 17 Jun 05:46

I was going to build my system like that, but recently learned that host client isolation is not as strong as people make you believe.

Just a few weeks ago we learned that copy fail (security vulnerability) was on major distros for years until it was fixed; it would allow containers and VMs to infect the host system. Xz utils could also lead to a broken host/client separation, as proxmox uses ssh for clustering and the like.

So for really important stuff I am going to have a dedicated physical server or put it in cold storage altogether.

That said, I am by no means an expert so feel free to correct me if I got something wrong.

hirihit640@sh.itjust.works on 17 Jun 06:29

copy fail allows VMs to infect the host system? I thought it was a kernel vulnerability, not a hypervisor vulnerability. Containers and LXCs share the kernel with the host, full VMs do not. So a kernel exploit allows container escape but not VM escape.

Kernel exploits happen a few times a year. Hypervisor exploits and VM escapes are VERY rare.

Using SSH for clustering is optional. You can just use normal VMs. You don’t have to install SSH into the VM, you can view it through proxmox. The only difference between a VM and a separate physical machine is the hypervisor, so the only security difference is the security of the hypervisor. And as I mentioned, hypervisor exploits are very rare.

Edit: for a sense of perspective, think about this. Almost every major tech company in the world relies on hypervisors for security. Qubes OS, known in the privacy/security world as one of if not the most secure OSes, relies on the hypervisor for security. An easily exploitable hypervisor escape would be a vulnerability on the scale of the XZ utils backdoor (which was unsuccessful). I have not seen a vulnerability of that scale since heartbleed.

Edit2: a word

pmk@piefed.ca on 17 Jun 12:48

Almost 20 years ago, Theo de Raadt (founder of OpenBSD) said: “you think that a worldwide collection of software engineers who can’t write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.” I would like to think that we’ve figured out the security holes since then, but… you know…

hirihit640@sh.itjust.works on 17 Jun 15:26

Nobody believes virtualization is perfect, it’s just the best we got because:

  • smaller attack surface
  • security is the priority over adding new features (the opposite of most other development cycles)
  • in practice we have seen how secure it is relative to other systems like the kernel

And anyways, even a separate physical computer can be hacked. If it has networking, there could be a vulnerability in the networking stack. Just making an outbound tcp connection can be enough to be pwned.

I think the closest thing we have to an “invincible” system is seL4, but I rarely hear about anybody using them.

Jean_le_Flambeur@discuss.tchncs.de on 22 Jun 06:55

Why is a hypervisor the best we got? Why would it be better than a dedicated bare metal server? Why would the attack surface of a hypervisor be smaller than the attack surface without one?

Honest question

hirihit640@sh.itjust.works on 22 Jun 19:54

“best” is of course subjective. Bare metal could be better, but imo the marginally smaller attack surface isn’t worth it. If the Qubes project trusts that a hypervisor is secure enough, then I trust it as well.

I run 10+ VMs all the time, no way am I going to buy 10 bare metal servers. The ability to create new secure environments on-demand is unbeatable.

And bare metal does have security disadvantages too. It has a physical attack surface that a VM does not. For example, defending against usb attacks. Of course for a VM, the hypervisor/host can be attacked physically, but you only need to worry about securing that one. Securing 10 physical servers is a lot more work than securing just one, so you’re more likely to get lazy, slip up, etc.

Jean_le_Flambeur@discuss.tchncs.de on 23 Jun 08:28

Well, I never argued against the clearly powerful capabilities; those are obviously huge. My point was that as a hobbyist you should consider keeping the important stuff (finances, official documents, biometrics) in cold storage or on a separate machine, as well as things like security cameras or door locks if you do stuff like this, out of it until you fully understand the risks, which are not that easy to grasp for people without experience.

Ofc proxmox and qubes are incredibly useful tools of technology, but their high versatility and customizability gives you a lot of tools you need to understand and use properly on top of what you are already doing. (More so with proxmox than with qubes; qubes is a little less industry focused IMHO.)

dislabled@lemmy.ml on 17 Jun 13:09

Good post. And I would like to add that for anyone to be able to use a hypervisor escape, you also need a vulnerability in the software presented to the internet. And even then, the chance that anyone would waste a zero day on a homelab is pretty slim…

Jean_le_Flambeur@discuss.tchncs.de on 22 Jun 06:49

Thanks for evaluating! The exploit was explained to me as one that an unprivileged user/program could use to get root access on the whole system, which in my mind included the hypervisor. Further reading seems to prove you right: while containers were broken, VMs were not.

My point still remains, although weaker: if you know exactly what you are doing you can get a system quite secure; if you are a hobby server owner like me, it’s not that easy. I would not have known that the use of VMs instead of containers has sooo major security implications, that something so fundamental as ssh could be exploited at such large scales, and that clustering would have been needed to avoid being unsafe.

Sure, no one would use a zero day targeted at me; the thing is: I am not working in the field, and from the publishing of the exploit till I learned about it and had the time to patch, there were a few weeks. If in those few weeks someone deploys a tool going for mass and not for single targets, I would probably be infected and added to some botnet, cryptominer or whatever.

If I have a bare metal dedicated server, which has only access to IPs contained in my whitelist on a dedicated OPNsense, I have less to worry about. Sure, someone could still find an OpenBSD/OPNsense exploit and get me, but my point is: complex systems break in complex ways; the more complex systems you use, the more attack surface you have and need to know and understand to control and mitigate it.

Not that it’s impossible, but for a hobbyist who tries to self-teach with man pages, tutorials and forums, you can get pwned in unexpected ways (like because you used a container for dodgy Chinese smart home devices and expected that your production environment would be safe even if one of them was malicious, but in fact you were not, because that would have needed to be a VM). AND: before copy fail was published, users would have probably also told you that containers are safe.

hirihit640@sh.itjust.works on 22 Jun 20:30

> If I have a bare metal dedicated server, which has only access to IPs contained in my whitelist on a dedicated OPNsense, I have less to worry about.

> Sure, someone could still find an OpenBSD/OPNsense exploit and get me, but my point is: complex systems break in complex ways; the more complex systems you use, the more attack surface you have and need to know and understand to control and mitigate it.

The way I would frame it is: using complex systems that you are unfamiliar with is risky. In your case, you are familiar with OPNsense and firewalls. So that may be the more secure option for you. But for somebody who isn’t familiar with firewalls, there are a lot of ways to mess up. For example, IP and MAC spoofing is very easy. OPNsense and firewalls often don’t have very good defense against IP spoofing, especially if the malware is already inside your LAN (for example, a malicious app running on a smartphone).

Using proxmox and other virtualization platforms has one big advantage: you can experiment and play around and learn, without much risk. With a physical server, if you mess up and get infected, you may have to throw away the whole server. You can’t just re-install the OS, because the malware could have installed a rootkit or infected the bios or other firmware. But with a VM, if the VM gets infected you can just delete the VM and create a new one. One of the main goals of a hypervisor is to sandbox the VM, so that malware is contained.

Jean_le_Flambeur@discuss.tchncs.de on 23 Jun 07:56

Valuable insight, thanks :)

Australis13@fedia.io on 17 Jun 05:50

Thanks for the recommendation. I have no experience with Proxmox, so this might be part of a longer-term project once I've got the Vikunja access working (at least that's on a separate Pi and so would be similar to a distinct VM in that regard).

surewhynotlem@lemmy.world on 17 Jun 05:39

You’re going to be sending a url to your family to put into vikunja. That url could contain a port. You’ll dodge a LOT of hassle if you don’t use 80, 443, or any other well known port.

Australis13@fedia.io on 17 Jun 05:47

Good call. I'll have to play around with certbot using DNS validation (only ever tried with HTTP validation), but certainly worth including in my plan. Thanks.

dieTasse@feddit.org on 17 Jun 07:29

  1. I would recommend a VPS for publicly facing services; you simply don’t want to open your home network. One mistake is enough: old router software, one small misunderstanding or a bit of bad luck. If someone gets into your VPS, few services will be hurt; if someone gets into your home network it’s game over.
  2. There is a nice little app called immich proxy. I didn’t yet try it myself (but I plan to), but basically if you want to just share some albums or photos, you can make the proxy accessible publicly but your Immich stays safe.

Australis13@fedia.io on 17 Jun 22:01

Thanks, didn't know about Immich proxy. Sounds useful.

On the VPS point - beyond protection against DoS, I assume the main benefits only arise if you host the services on it? My understanding is that, if I open a port and forward it to nginx, then the largest attack surface would be nginx itself and the services it is acting as a reverse proxy for (e.g. Vikunja). nginx is well-established and I think most of the risk is from the plugins rather than nginx vulnerabilities itself, which leaves Vikunja and any other services I'd want to expose as the main attack surface. If I'm using a VPS as a gateway (e.g. hosting nginx there and still keeping Vikunja and Immich within my LAN), then that doesn't seem like it's much of a risk reduction. What am I missing?

dieTasse@feddit.org on 18 Jun 06:46

Yes, the best option is to deploy your services on it. That Nginx is well established doesn’t mean it’s secure. A) popular software is a preferred target for hackers and B) nothing is safe, especially now, when LLMs are getting good at finding holes in software.

chrash0@lemmy.world on 17 Jun 07:31

i have a VPS offsite to act as a gateway. it’s just a small piece of a machine somewhere in my region that routes requests to my home network via Tailscale. this has a few benefits:

  • i don’t have to worry about my ISP changing my IP. my VPS has more stable IPs.
  • i don’t have to expose ports directly to the internet. Tailscale authenticates the connection. plus i have Caddy routing the whole system. i use subdomains like foundry.chrash.net, jellyfin.chrash.net, etc.
  • another benefit of Tailscale to point out is that you don’t need local IPs to be static either; Tailscale will allow you to access your machines by hostname or another static IP. this helps to decouple your local topology from your service network.

Australis13@fedia.io on 17 Jun 21:53

Thanks. So, just to make sure I've understood correctly, your recommendation would be a VPS that hosts nginx (or Caddy) as the reverse proxy and uses tailscale (or equivalent) to access my home LAN and make services (e.g. Vikunja) available?

Vittelius@feddit.org on 18 Jun 04:41

There are even solutions that automate a lot of the configuration for such a setup. I’m using Pangolin for example: github.com/fosrl/pangolin

But you could set up something like this manually if you want more flexibility (Pangolin is based on Traefik rather than Nginx).

chrash0@lemmy.world on 18 Jun 09:46

the key is just an offsite machine with a stable IP plus a VPN. that way you can route all public traffic to that stable IP and send it where it needs to go regardless of its physical destination.

jeena@piefed.jeena.net on 17 Jun 07:37

I have a Raspberry Pi with Home Assistant on it and I run Nginx Proxy Manager on it. It does the whole HTTPS thing and exposes specific services from my internal network for easy access for me and my family.

wltr@discuss.tchncs.de on 17 Jun 07:40

I’d suggest you to investigate either Tailscale or similar solutions. I’m using Tailscale, and it’s really easy to set up. It can automatically connect to the VPN when you access their resource, and the internet works as well. So technically, they can be connected all the time. That’s much safer than the alternative of just opening a port, and dealing with things like CGNAT.

The alternatives to Tailscale I know about are Headscale (which you need self-hosting), Netbird, WireGuard. At least, but there are more.

And search for tunnels as well. You could utilise Cloudflare Tunnel, but I wouldn’t go that way.

I’d suggest testing waters with Tailscale as it’s the easiest, and tweak from there. They have a YouTube channel which helps at starting, I found it just recently. (I use them for a year or two now.)

ItsNotImportant24@lemmy.ml on 17 Jun 10:32

+1 for tailscale. It’s very easy to set up and very secure.

Australis13@fedia.io on 17 Jun 22:10

Thanks. My main concern is needing to have the tailscale client set up on my relatives' devices, so it'd need to be easy to do and the configuration straightforward.

If I wanted to route just traffic to Vikunja and Immich through it, so all their other apps (if on a phone) or web browsing (on a PC) didn't go through tailscale, is that straightforward to do and is it something that has to be done in the client-side configuration?

wltr@discuss.tchncs.de on 18 Jun 03:41

If you don’t set up or activate an exit node, no traffic is routed through any of your nodes. All you have is the access to the nodes. Which is what you need. I tested exit nodes only recently; they’re very easy to set up as well, but I found no practical need for my use case.

I think installing and logging in should be trivial remotely. Like hey mum, install this app, and log in (trivial with Google or Apple accounts). The rest is on you. Just test the waters yourself first, you’ll get the idea, it’s pretty straightforward. Even if it’s not what you’re looking for, you’d have more information and skills to move to the next thing.

Australis13@fedia.io on 18 Jun 03:55

Thanks, sounds like a potential option. I'll add to the list of things to look into and test out.

DJDarren@thelemmy.club on 18 Jun 04:45

I also use Tailscale.

It’s fair to say that I don’t really know what I’m doing, so am picking my way through the world of self-hosting one lesson at a time, but even with that in mind, I’ve found Tailscale an absolute breeze to set up, even if I still don’t fully understand how it all works, and what it can all do.

In short, I have my server at home as part of my tailnet. I’ve also installed it on my Hetzner VPS, which is running YunoHost. Within YunoHost I’ve set up a bunch of redirects which take the Tailscale IPs of my various services and turn them into URLs.

So in essence, my Navidrome server goes from being 100.111.11.1:4533 to navidrome.mysite.co.ck.

I’ve got Navidrome, Immich, Home Assistant, Invidious, and Jellyfin running like that, and as far as I can tell I’ve not had any security issues at all.

early_riser@lemmy.world on 17 Jun 08:23

Since you’re just sharing things within a small group, I think it’s safe to give out your IP or a domain pointing to it. However, you need to put your services behind a DMZ. Make a separate VLAN on your network and put the Pis behind it. Make sure traffic from your private LAN can enter the DMZ but nothing from the DMZ can go to your LAN unless it’s return traffic for a session started in your LAN. If a machine in your DMZ is compromised, it shouldn’t affect your LAN.

Australis13@fedia.io on 17 Jun 22:06

Thanks. I had forgotten about setting up a DMZ and appreciate the reminder!

irmadlad@lemmy.world on 17 Jun 08:55

This is how my network is set up just as an example. Not to imply that this is the gold standard by any stretch of the imagination. It has served me well over the years, so I figured I’d drop it here and maybe you could get a few ideas.

lemmy.world/post/43533409

ClownStatue@piefed.social on 17 Jun 17:01

I used swag, dockerproxy, and cloudflare in the past. That allowed me to run things without exposing ports on my home router.

I recently moved to Pangolin cloud. Still not exposing any ports on my home server. Also repositioned my VPS to use pangolin as well. Haven’t hashed out the details, but the idea will be to allow port 443 on public IP, and anything else over tailnet.

Moral of the story: look very hard for ways to do what you want to do without having to expose ports on your router. Unless you want your hobby to become your second job. I enjoy self hosting. I don’t enjoy being paranoid about some script kiddie pummeling my setup with some AI-generated attacks while I’m asleep.

Australis13@fedia.io on 17 Jun 22:15

Yeah, I don't like the thought of worrying about vulnerabilities either, hence my asking this question!

I haven't heard of Pangolin cloud before -- I'm assuming this is a competitor to tailscale. Are you self-hosting it or using one of their paid plans, and if you're self-hosting, how hard was it to set up?

ClownStatue@piefed.social on 18 Jun 03:44

Pangolin handles proxying (it runs traefik under the hood) and cloudflare-like protection (crowdsec). I did self-host it, but the free tier does what I need.

It does set up a wireguard tunnel between itself and the Newt resources you set up. That’s hard for proxy traffic. I have Tailscale set up for any other traffic between my resources.

I asked a similar question as you a few months ago (I think in this community), and one of the responses kind of put the fear in me. I went forward anyway, and never really did anything with my VPS. I’m still setting this new arrangement up, but so far really happy with it.

Australis13@fedia.io on 18 Jun 04:02

Thanks. I think I'll need to do a bit more reading - I have no experience with any of the wireguard technologies (my VPN experience is with OpenVPN and enterprise-grade networking hardware that uses IPsec tunnels), but Pangolin's abilities do sound useful.

I guess I need to work out if something like tailscale (as per one of the other comments) set up on just the small group I want to share with will do the job, or whether I really need to expose services to the Internet and hence would benefit from a VPS with something like Pangolin.

ClownStatue@piefed.social on 18 Jun 21:28

If you’re not going the VPS route it’s even easier. Pangolin handles the wireguard tunnel for you with a docker container running newt. Very straightforward.

My goals have been:

  1. Avoid opening ports on my home network.
  2. Don’t require people using my services to join my Tailnet (or some other VPN).
  3. Require 2FA/passkeys (via Authentik for the moment) on anything that’s publicly accessible.

There’s plenty of YT stuff out there for Pangolin, but I haven’t seen a lot for their cloud service. Personally, I prefer it to self-hosting it. Similar to tailscale, the free tier meets my needs, and their security team is (hopefully) more competent and better staffed than… me.

Of course, you get what you pay for, but I see this as a similar position to Tailscale & Cloudflare. With my free account, I’m piggy-backing off the security infrastructure of their enterprise offerings. Obviously I don’t get all the fine-grained controls of those tiers, but like the other two companies, they have a reputation to uphold, and from that perspective a breach is a breach. Even if it only affects free tier users, it makes them look bad.

Australis13@fedia.io on 19 Jun 01:46

That sounds like it may be a good fit for my use case, then. Thanks again and I'll definitely look into it!

Decronym@lemmy.decronym.xyz on 18 Jun 04:00

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters   More Letters
CGNAT           Carrier-Grade NAT
DNS             Domain Name Service/System
ISP             Internet Service Provider
LXC             Linux Containers
NAT             Network Address Translation
SSH             Secure Shell for remote terminal access
SSO             Single Sign-On
VPN             Virtual Private Network
VPS             Virtual Private Server (opposed to shared hosting)
nginx           Popular HTTP server

9 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #17 for this comm, first seen 18th Jun 2026, 11:00]

phoenixz@lemmy.ca on 18 Jun 08:24

Make sure everything is behind a VPN, like tailscale. Then you set up your router to only forward the tailscale ports, and that will be the only possible attack vector.

As long as tailscale is safe, you should be safe

undefinedTruth@lemmy.zip on 19 Jun 13:27

Tailscale also has Funnel.

Australis13@fedia.io on 19 Jun 23:20

Good to know, thanks.

dil@piefed.zip on 18 Jun 11:31

Make a new Gmail or something everyone can access and then have them log in through tailscale; it’s automatic after doing it once. Then they copy your device’s IP, go to http://ip:port every time, and if your app is exposed over local networks it should work. Just safer than actually exposing over the web. Downside is the shared Gmail account ofc.

Australis13@fedia.io on 19 Jun 01:21

Thanks for the suggestion. I'm trying to move away from Google, but the idea of a shared account for tailscale (which seems to support a lot of different SSO options) may be useful.

nexttech@lemmy.world on 19 Jun 15:41

You can also use GitHub to sign up for tailscale! If I remember correctly.

Australis13@fedia.io on 19 Jun 23:20

portnull@lemmy.dbzer0.com on 18 Jun 13:52

Going to throw my hat in the ring. I used to use Cloudflare tunnels, which are super easy to use and work well. Issue: it’s Cloudflare and Cloudflare bad, and it works best if you also have your domain registered there.

Anyways, I now use docs.pangolin.net which does a very similar job. It works great and IMO is easier to admin than tunnels, especially with auth and such.

I run pangolin on a racknerd cheapo server and traffic is forwarded to the box in my cupboard. Pangolin have some referral links to hosting that give you some discounts.

Australis13@fedia.io on 19 Jun 01:17

Good to know, thanks. Not keen on Cloudflare, so it's good to see that there are now multiple recommendations for Pangolin and Tailscale in this thread.

Noggog@programming.dev on 18 Jun 16:18

Posted in a similar thread

My baseline is a public VPS with Pangolin/Crowdsec installed. I have authentik as a login system. Pangolin lets me put authentik in front of any service so they have to log into it before it gets to the service in question whatsoever. This is different from the app itself just using Authentik as the OIDC provider. Helps give a bit of peace of mind with the services which themselves might not be security focused. Also, these pangolin routes are able to block anything outside my country by rules, so that trims a good portion of attacks as well.

Some things don’t like that authentik layer in front though. Audiobookshelf’s phone app for example can’t handle it. For that, I route those domains through cloudflare tunnels. Their tunnels do a good job blocking lots of attacks, so not having authentik in front is more acceptable.

But then there’s jellyfin that doesn’t want to be on cloudflare tunnels and doesn’t want authentik in front. For that, I just have it on my pangolin side with only crowdsec helping. Not ideal, but the best I can do without making my grandma install a VPN on a raspberry pi so her TV can connect or some shit.

And lastly, I have some private services like forgejo that don’t like authentik in front and only I myself care about. I tailscale to those rather than exposing sometimes.

Australis13@fedia.io on 19 Jun 01:16

Thanks - appreciate another recommendation for Pangolin + crowdsec, plus I didn't know about authentik (which sounds super useful if the services behind it are compatible). I'm thinking I need to have a play around with tailscale and then Pangolin to see how they work and whether either will be appropriate for my use case.

benoegen@discuss.tchncs.de on 22 Jun 13:46

I have several services exposed and I am using cloudflare since I have starlink and traefik as reverse proxy paired with crowdsec via a plugin. Works nice. I have not tried exposing immich yet though, that can only be reached via VPN.

trilobite@lemmy.ml on 26 Jun 19:59

This is an interesting thread. Seems to make remote access easy. But are you not putting the trust in those that run that pangolin infrastructure? I suspect the answer is to go VPS if you don’t trust? Also, are there workable step-by-step guides to help you set this all up? I find YT guides a bit frustrating. Prefer reading :-)