this post was submitted on 08 Nov 2024
40 points (95.5% liked)

Selfhosted

40730 readers
664 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Currently, I use dockerproxy + swag and Cloudflare for externally-facing services. I really like that I don't have to open any ports on my router for this to work, and I don't need to create any routes for new services. When a new service is started, I simply include a label to call swag and the subdomain & TLS cert are registered with Cloudflare. About the only complaint I have is Cloudflare's 100MG upload limit, but I can easily work around that, and it's not a limit I see myself hitting too often.

What's not clear to me is what I'm missing by not using Traefik or Caddy. Currently, the only thing I don't have in my setup is central authentication. I'm leaning towards Authentik for that, and I might look at putting it on a VPS, but that's the only thing I have planned. Other than that, almost everything's running on a single Beelink S12. If I had to, I could probably stand up a failover pretty quickly, though.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 8 points 1 month ago (3 children)

I’ve recently introduced CrowdSec and crowdsec-bouncer-traefik-plugin into my setup and it’s really great to see it block all those spam bots and brute force attempts.

[–] [email protected] 1 points 1 month ago (1 children)

Which crowdsec lists did you use? I'm on the free plan and can only subscribe to three of them and most of everything on the free tier looks like is useless since my Suricata can sync its rules with Proofpoint ET Open rulesets which are significantly more robust

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

I’ve only subscribed to the “Free proxies” blocklist. But these are only additional blocklists. The main attraction of CrowdSec is their “CAPI” (Central API) which has all the current malicious actors detected in the network of CrowdSec instances and is used automatically.

[–] [email protected] 1 points 1 month ago (1 children)

Do you have a guide on how to do his? I couldn't get the middleware to work to actually bounce connections

[–] [email protected] 3 points 1 month ago* (last edited 1 month ago)

You have to actually add the middleware into the (default) chain for your https entrypoint (I think in most tutorials it’s called websecure) - in my static conf I have this:

entryPoints:
  https:                                                           
    address: :443                                                  
    http:                                                          
      middlewares:                                                 
        - crowdsec-bouncer@file                                    
        - secure-headers@file 

And in my dynamic conf I have this:

http:
  middlewares:
    crowdsec-bouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          CrowdsecLapiKey: "### Enter your LAPI Key here ###"
          Enabled: true
[–] [email protected] 1 points 1 month ago

Thanks for the tip !! I will certainly give it a look, It's kinda annoying for my family members to always connect via wireguard.

For me it's fine though, I even route my traffic to ProtonVPN but my family is always nagging how they need to "do something" to get access to the hosted services or that it "doesn't work".