this post was submitted on 18 Jan 2024
7 points (81.8% liked)

Selfhosted

40938 readers
1089 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I plan to self-host Nextcloud, for now just for bookmark sync. Is there a point to installing a VPN on the computer running the instance? It shouldn't matter as long as I have HTTPS, right? What about if I don't have a domain? I can't have HTTPS without a domain (I'll buy one later, just want everything to work first). Or maybe use one of those free domain providers for now to get HTTPS? What do you guys think?

all 17 comments
[–] JonnyJaap 1 points 11 months ago* (last edited 11 months ago)

Dunno if you are still watching this post.

I have a few comments on your post and the other panic about security.

  1. Using Nextcloud only for bookmarks is total overkill, but if you want to start and understand it and later use it more, it's actually a good idea.

  2. Yes, exposing ports in your firewall is potentially dangerous, BUT if you only expose a port and not the complete PC, the firewall deals with attacks (but your services still have to be up to date to ensure safety).

  3. Yes, using a VPN instead of exposing the service is safer, that's for sure. You can do it that way for the start. But don't let yourself be frightened by some of the other comments. I have several services public on my network. 3.1. BUT I still evaluate whether this service even has to be public and the risk of late patches. I have public services and local services (name.domain.com and name.local.domain.com). Any service that I don't need to access from a random PC/share with family/friends can only be accessed in the local network / via VPN.

  4. It's good you are careful; try to search online for more information since this post didn't get a lot of comments.

Edit: 5. Don't know why people recommend Tailscale, where you need an account, instead of recommending WireGuard (Tailscale is built on WireGuard) or OpenVPN.

Edit 2: 6. Don't use UPnP! It enables your machines to automatically open ports; that's so bad.

[–] Telodzrum 0 points 11 months ago (1 children)

This is all going to depend on your risk tolerance, overall attack surface, and network topology.

[–] [email protected] 1 points 11 months ago (2 children)

What's attack surface and network topology?

[–] SGG 3 points 11 months ago

In very basic terms, and why you want to do them:

Attack surface is the ports and services you are exposing to the internet. Keep this as small as possible to reduce the ways your setup can be attacked.

Network topology is the layout of your home network. Do you have multiple VLANs/subnets, or firewalls that restrict traffic between internal networks? A DMZ is probably a simple enough approach that is available on some home-grade routers. This is so that if your server gets breached, it minimises the amount of damage that can be done to other devices in the network.
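To make the "attack surface" point measurable rather than abstract, here is an added example (not code from any commenter) that inventories the listening sockets on a Linux host in the format `ss -H -tulnp` prints, and separates what is bound to every interface (the only sockets a router port-forward can actually reach) from loopback-only and single-address binds. The sample output, the process names and the 10.8.0.1 tunnel address are constructed; `collect_live()` runs the real `ss` if it is installed.

```python
import re
import shutil
import subprocess

# Constructed sample in the shape of `ss -H -tulnp` output (no header line).
# The processes, ports and the 10.8.0.1 tunnel address are made up for the demo.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*    users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      4096         0.0.0.0:80         0.0.0.0:*    users:(("nginx",pid=812,fd=7))
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*    users:(("mariadbd",pid=600,fd=20))
tcp   LISTEN 0      4096            [::]:22            [::]:*    users:(("sshd",pid=410,fd=4))
tcp   LISTEN 0      4096        10.8.0.1:8080       0.0.0.0:*    users:(("nextcloud",pid=900,fd=5))
udp   UNCONN 0      0            0.0.0.0:51820      0.0.0.0:*
"""

WILDCARD = {"0.0.0.0", "[::]", "*"}      # bound on every interface
LOOPBACK = {"127.0.0.1", "[::1]"}         # reachable only from this host
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss_line(line):
    """Turn one `ss` row into a dict; returns None for rows that are too short."""
    parts = line.split()
    if len(parts) < 6:
        return None
    netid, state, _recvq, _sendq, local, _peer = parts[:6]
    addr, _, port = local.rpartition(":")   # keeps "[::]" intact for IPv6
    if addr in WILDCARD:
        scope = "all-interfaces"
    elif addr in LOOPBACK:
        scope = "loopback"
    else:
        scope = "single-address"            # e.g. a LAN or VPN tunnel address only
    match = PROCESS_RE.search(line)
    return {
        "proto": netid, "state": state, "addr": addr, "port": int(port),
        "scope": scope, "process": match.group(1) if match else "?",
    }


def parse_ss_output(text):
    return [e for e in (parse_ss_line(l) for l in text.splitlines()) if e]


def exposed_listeners(entries):
    """Sockets a router port-forward could reach: everything bound to all interfaces."""
    return [e for e in entries if e["scope"] == "all-interfaces"]


def scope_of(entries, port):
    """Bind scope of the first listener on `port`, or None if nothing listens there."""
    for e in entries:
        if e["port"] == port:
            return e["scope"]
    return None


def collect_live():
    """Run the real `ss` on this host (Linux, iproute2) and return its output."""
    if shutil.which("ss") is None:
        raise RuntimeError("ss (iproute2) not found on this system")
    return subprocess.run(["ss", "-H", "-tulnp"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    entries = parse_ss_output(SAMPLE_SS_OUTPUT)  # swap in collect_live() for your own host
    print(f"{len(entries)} listening sockets, {len(exposed_listeners(entries))} bound to all interfaces:")
    for e in exposed_listeners(entries):
        print(f"  {e['proto']:4} {e['port']:>6}  {e['process']}")
    print("Only these need a firewall or port-forward decision; the rest are not reachable from outside.")
```

Reading the sample: the web ports, SSH and the WireGuard UDP port are the whole externally relevant surface; the database on 127.0.0.1 and the Nextcloud bind on the tunnel address are invisible to a port-forward, which is exactly the "local service vs public service" split JonnyJaap describes above.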

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago) (1 children)

If you don't understand these terms, you probably shouldn't be exposing any kind of port on your router. Seriously, not being snarky.

I used to teach multiple levels of Cisco classes, and I wouldn't expose a port these days, I don't know enough.

Instead, I'd recommend using Tailscale on a home machine and your mobile devices.

Using Tailscale, you can also selectively expose a service to the wider world (not just devices running Tailscale), using the Funnel feature.

I'd say it's your safest intro to accessing self-hosted resources from just about anywhere.

Edit: a couple years ago I opened a port helping a friend test something, I forget what. Within hours I was getting hammered with thousands of requests per hour, people trying to break in.

I wasn't worried because of the security we had, but it was annoying, and potentially a massive risk.

[–] [email protected] 2 points 11 months ago (1 children)

I would need to open a port even if I were to use a domain name, correct? Would hiding the IP behind a reverse proxy be enough? Is Nextcloud's brute force protection not enough?

[–] [email protected] 0 points 11 months ago (1 children)

A reverse proxy helps, a LOT, like practically eliminating the issue because authentication happens at the proxy, not your port. I've never set one up, but I think your local system makes an outbound connection to the proxy, creating the tunnel. In this way no one ever knows what they're really connecting to - the proxy appears to be the endpoint.

Which is essentially what Tailscale Funnel does - they expose an interface, then encrypt a tunnel between your Tailscale network and that "proxy".

Same concept, just all rolled into one thing, a check box and a little config info. TS Funnel will create the URL to access your service. I suppose you could create another domain/URL and have it redirect (or use a link shortener) to make it easier to share. I think by default it uses your Tailscale network name as the domain, and adds to it to define the service.

https://tailscale.dev/blog/funnel-serve-demo

[–] [email protected] 2 points 11 months ago (2 children)

First I have to find out if my ISP will even let me open a port lol

Thanks tho :)

[–] [email protected] 1 points 11 months ago (1 children)

Where do you live and what's your router?

[–] [email protected] 1 points 11 months ago (1 children)

Illinois, USA, the one xfinity gave me

[–] [email protected] 1 points 11 months ago (1 children)
[–] [email protected] 1 points 11 months ago (1 children)

Ugh, so I gotta use the app? Ew

[–] [email protected] 1 points 11 months ago (1 children)

Does the thing not have a web interface? Usually 192.168.178.1 should get you there

[–] [email protected] 2 points 11 months ago

Yeah it does, couldn't log in tho, idk. Maybe I messed up the user or something

I'll try some stuff when i get home

[–] [email protected] -1 points 11 months ago (1 children)

When you do something like Reverse Proxy or Tailscale, your devices make an outbound connection to the Reverse proxy (or with Tailscale it goes to their auth/directory service) using UPnP.

UPnP is a standard protocol these days, and how pretty much any communication or gaming app works. The port opening is performed dynamically by the router, the port number is different every time an outbound connection is made, and it's ephemeral (both in the range and in that the port closes after the session is complete). This isn't something that's typically blocked or disabled, as it would break all sorts of things.

https://en.m.wikipedia.org/wiki/Universal_Plug_and_Play

I may have misstated exactly how it works - I studied it when it was released, it became ubiquitous and always works, so I haven't stayed current or reread anything for a while. It just works (and man has it saved me a ton of manual port config).

[–] [email protected] 1 points 11 months ago

The fact that I have to enable it on a device-by-device basis on my router speaks to the opposite. You shouldn't let some app open random ports on your router, and you didn't need to do so for years.
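The two comments above disagree about what UPnP does on a home router; the concrete thing to check is the port-mapping table the router's Internet Gateway Device (IGD) service holds. This added example (not from any commenter) walks that table with the standard `GetGenericPortMappingEntry` SOAP action of the `WANIPConnection:1` service and flags mappings that point at administrative ports or never expire. The control URL is an assumed placeholder (a real one comes from the router's UPnP device description, discovered via SSDP), and `fake_soap_call` is a constructed stand-in so the script runs offline; swap in `soap_call_http` to query your own router.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Assumed placeholder: the real control URL is in the router's UPnP device
# description (found via SSDP) and differs per router model.
CONTROL_URL = "http://192.168.1.1:49000/upnp/control/WANIPConn1"
ADMIN_PORTS = {22, 23, 445, 3389, 5900}   # should never be reachable from the internet by accident


def build_request(index):
    """SOAP body for GetGenericPortMappingEntry, which returns mapping number `index`."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )


def soap_call_http(index, control_url=CONTROL_URL, timeout=5):
    """Query a real router; returns (http_status, body). Not used by the offline demo."""
    req = urllib.request.Request(
        control_url, data=build_request(index).encode(), method="POST",
        headers={"Content-Type": 'text/xml; charset="utf-8"',
                 "SOAPAction": f'"{WANIP_SERVICE}#GetGenericPortMappingEntry"'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # SOAP faults arrive as HTTP 500 with an XML body
        return err.code, err.read().decode("utf-8", "replace")


def _local(tag):
    return tag.rsplit("}", 1)[-1]           # strip the XML namespace


def parse_error(xml_text):
    """UPnP errorCode from a SOAP fault, or None if the body is not a fault."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for el in root.iter():
        if _local(el.tag) == "errorCode" and el.text:
            return int(el.text.strip())
    return None


def parse_mapping(xml_text):
    """All New* fields of a GetGenericPortMappingEntryResponse as a dict."""
    root = ET.fromstring(xml_text)
    return {_local(el.tag): (el.text or "").strip()
            for el in root.iter() if _local(el.tag).startswith("New")}


def list_port_mappings(soap_call, max_entries=256):
    """Walk indexes 0.. until the router answers error 713 (SpecifiedArrayIndexInvalid)."""
    mappings = []
    for index in range(max_entries):
        status, body = soap_call(index)
        error = parse_error(body)
        if error == 713:                     # walked past the last table entry
            break
        if error is not None or status != 200:
            raise RuntimeError(f"query {index} failed: HTTP {status}, UPnP error {error}")
        mappings.append(parse_mapping(body))
    return mappings


def risky_mappings(mappings):
    """(mapping, reasons) for entries an admin would want to look at first."""
    flagged = []
    for m in mappings:
        reasons = []
        if int(m.get("NewInternalPort") or 0) in ADMIN_PORTS:
            reasons.append("admin service")
        if m.get("NewLeaseDuration") == "0":
            reasons.append("permanent lease")
        if reasons:
            flagged.append((m, reasons))
    return flagged


# Constructed stand-in for a router with two mappings; not captured from real hardware.
SAMPLE_MAPPINGS = [
    {"NewRemoteHost": "", "NewExternalPort": "51413", "NewProtocol": "TCP",
     "NewInternalPort": "51413", "NewInternalClient": "192.168.1.50", "NewEnabled": "1",
     "NewPortMappingDescription": "torrent client", "NewLeaseDuration": "0"},
    {"NewRemoteHost": "", "NewExternalPort": "3389", "NewProtocol": "TCP",
     "NewInternalPort": "3389", "NewInternalClient": "192.168.1.23", "NewEnabled": "1",
     "NewPortMappingDescription": "Remote Desktop", "NewLeaseDuration": "0"},
]
SAMPLE_FAULT_713 = (
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    "<s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
    '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    "<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>"
    "</s:Fault></s:Body></s:Envelope>")


def fake_soap_call(index):
    if index >= len(SAMPLE_MAPPINGS):
        return 500, SAMPLE_FAULT_713
    fields = "".join(f"<{k}>{v}</{k}>" for k, v in SAMPLE_MAPPINGS[index].items())
    return 200, ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                 f'<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">{fields}'
                 "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


if __name__ == "__main__":
    found = list_port_mappings(fake_soap_call)   # use soap_call_http to audit a real router
    for m in found:
        print(f"{m['NewProtocol']} {m['NewExternalPort']} -> {m['NewInternalClient']}:"
              f"{m['NewInternalPort']}  ({m['NewPortMappingDescription']})")
    for m, reasons in risky_mappings(found):
        print("  FLAG", m["NewExternalPort"], ", ".join(reasons))
```

If the table is empty when you expected your apps to be working, UPnP is either off or they never needed it; if it contains entries you did not knowingly create, the router's UPnP setting is the thing to turn off, after which these mappings disappear on reboot.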