this post was submitted on 28 Jan 2024
62 points (89.7% liked)

Selfhosted

40220 readers
1226 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Please can someone show off how smart and sexy they are by answering these questions. I don't mind if you just link me to a video or guide explaining it (like I'm 5?) instead of typing it out - but please don't just send me stuff that says something like "To forward to ports correctly, simply forward the correct ports - but be sure to reverse-p the goeanity-2.0 exposed server flange via qPack*7_bingb (IMPORTANT put 1=2 in /conf!!!)" - which is what all the help documents read like to me right now.

Here's what I think I know, but I have probably got wrong, and would be delighted if you could not only tell me how wrong I am but what is the right answer instead:

-> I have a raspberry pi 4 running raspbian/debian bookworm, all software up to date.

-> I have installed docker and docker compose. Docker lets you run apps/programs in separate little cages so if they crash or do something insecure they don't crash or expose the whole computer (the Raspberry Pi), the operating system (Raspbian), or the other apps running in other containers. Docker compose allows you to fine-tune the settings of these apps from outside the container by changing a text file. Each docker container, controlled by a compose yml has a port, e.g. Jellyfin's is :8096

-> I can set up and configure radarr sonarr qbittorrent to download movies, for this I need a VPN. I paid for and installed mullvad (app) but it crashes a lot (for over a minute every 20 seconds), so it looks like I need to configure something like gluetun to do it instead. For this reason I want to stick with mullvad as I paid for it, gluetun is really confusing.

-> However, downloading is only half the battle - assuming I can get a VPN to work without crashing every 20 seconds so it takes less than 5 hours to download a single movie in 1080p(!!!) - I can only watch stuff by plugging an HDMI cable into my raspberrypi and a monitor and using a mouse and keyboard to navigate to the UI and click "play"

-> If I want to watch them on my TV I need to connect something to my TV that talks to the raspberry pi, so I have an NVIDIA shield with Jellyfin installed on it - but in order for the NVIDIA-Jellyfin to connect to the RaspberryPi-Jellyfin it needs to go through the internet (if this is not the case, how does one point the NVIDIA-Jellyfin at the Raspberry Pi jellyfin?)

-> Because it's going through the internet I need to hide my activities from prying eyes, and because it's on the internet it will have a web address (I bought the cheapest domain for a few bucks on namecheap), so a proxy and reverse proxy are neccessary to hide my activity on my end (proxy) and the activity on the internet (reverse proxy) from said prying eyes while allowing me to watch my stuff in peace.

-> I can set up my domain to point to Jellyfin, this means I configure mysubdomain.mydomain.com to point to Cloudflare on the internet. Then I set up Cloudflare to point to NGINX on my raspberry pi. But I really don't know what this entails or how to do it. I changed my nameservers to Cloudflare's on namecheap and that's where I stopped because I didn't understand any further.

-> So, in practical terms, I'm on my sofa and I want to watch a movie in my Jellyfin on my raspberry pi, I open the NIVIDA sheild, I open the jellyfin app and I tell the jellyfin app to go to mysubdomain.mydomain.com

-> I think I'm correct in saying that mysubdomain.mydomain.com is actually an IP address and a public port, so something like 123.456.7.8:443, then Cloudflare - which is the reverse proxy - gets involved (somehow? how?) to say "ah, 123.456.7.8:443, you obviously want to go to funkless.raspberry.pi:NGINX (or rather something like 987.654.3.2:443)" and then NGINX - which is the proxy-proxy, not a reverse-proxy - goes (somehow? how?) "ah, 987.654.3.2:443, you obviously want to go to 987.654.3.2:8096 which is jellyfin")

-> At some point in that last step SSL certificate(s?) need to be issued and used on Cloudflare and/or NGINX - but I don't know how or why - and/or a public and private key

Here's where the questions start:

  • First of all, is that all correct or have I misunderstood something?
  • How does mysubdomain.mydomain.com know it's me and not some random or bot?
  • How do I tell Cloudflare to switch from web:443 to local:443 (assuming I've understood this correctly)
  • Is this step "port forwarding" or "opening ports" or "exposing ports" or either or both? (I don't understand these terms)
  • If my browser when accessing mysubdomain.mydomain.com is always going to port 80/443, does it need to be told it's going to talk to cloudflare - if so how? - and does cloudflare need to be told it's going to talk to NGINX on my local machine - if so how?
  • How do I tell NGINX to switch from local:443 to local:8096 (assuming I've understood this correctly)
  • Is there a difference between an SSL cert and a public and private key - are they three things, two things or one thing?
  • Doesn't a VPN add an extra step of fuckery to this and how do I tell the VPN to allow all this traffic switching without blocking it and without showing the world what I'm doing?
  • Gluetun just looks like a text document to me (compose.yml) - how do I know it's actually protecting me?
  • From https://nginxproxymanager.com/ : "Add port forwarding for port 80 and 443 to the server hosting this project. I assume this means to tell NGINX that traffic is coming in on port 80 and 443 and it should take that traffic and send it to 8096 (Jellyfin) and 5000 (ombi) - but how?
  • Also from that site: "Configure your domain name details to point to your home, either with a static ip or a service like DuckDNS or Amazon Route53" - I assume this is what Cloudflare is for instead of Duck or Amazon? I also assume it means "tell Cloudflare to take traffic on port 80 and 443 and send it to NGINX's 80 and 443 as per the previous bullet) - but how?

If your reaction is "Asking how how to set up port forwarding from Cloudflare to NGINX is a cowardly question - just figure it out!" Please could you at least link me to something that will help me figure it out if all those words just look like gibberish to me?

Thank you so much for your help and time in advance.

top 37 comments
sorted by: hot top controversial new old
[–] [email protected] 26 points 9 months ago (2 children)

If you're only trying to use Jellyfin at home, you don't need any reverse proxy or domain. All you need is for both devices to be on the same network, and for the Raspberry Pi to have a fixed internal IP address (through your router settings).

On the Shield, you just give the Jellyfin app that IP address and port number (10.0.0.X:8096) to connect and you're good to go.

[–] [email protected] 6 points 9 months ago (1 children)

Even if they are in separate rooms, they just have to be on the same network?

[–] [email protected] 19 points 9 months ago (2 children)

Exactly. Doesn't matter if they're wired or wifi, or where they are, as long as they're on the same network you're fine.

[–] [email protected] 8 points 9 months ago (1 children)

Whether a device is wired or on wifi matters on some routers, because some routers have wifi and wired devices on different subnets by default. It's unlikely, so I wouldn't worry, unless you notice accessing it only works wired.

@[email protected]

[–] [email protected] 2 points 9 months ago (2 children)

yes, wlan vs eth, right? And then in some providers, tun for the vpn?

[–] [email protected] 7 points 9 months ago (1 children)

wlan and eth are network adapters in your raspberry Pi probably. Not subnets. Subnet is a range of IP addresses the router can use to give out IP addresses to devices. Basically, let’s assume that the router/the local network has only one subnet 192.168.1.0/24. This number means, the router can give out IP addresses from 192.168.1.0 to 192.168.1.254. If the router had two subnets, let’s say A: 192.168.1.0/24 B: 192.168.2.0/24 device on subnet A, would be able to talk to the device on subnet B.

Either way, in my opinion you’re overcomplicating things a lot for yourself. If you only wish to watch from home, on your couch, you don’t need reverse proxies, cloudflare and all that jazz. Docker and raspberry pi is enough. I can walk you through it if you want :)

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago) (1 children)

that's a helpful explanation of subnets thank you

In the paradigm of

111.222.3.4:5/22

if "3" is subnet and "5" is port - what are the names of "4", "222", "111", and "22"?

And is there ever a 000.111.222.3.4:5/22 or another add on?

[–] [email protected] 3 points 9 months ago* (last edited 9 months ago) (1 children)

Oh boy we’re going deep I guess haha.

So an IP address is divided into four section separated by dots. 123.123.123.123. Each of those section can go from 0 to 255, so 0.0.0.0 to 255.255.255.255. Why this number? There is 256 numbers from 0 to 255, and 256 is the biggest number you can make out of 8 bits. (If you’re interested in binary, please look it up, this is already long haha) If every number between the . can be made out of 8 bits that means the whole IP address is 32 bits. It’s 32 bits cos that’s what was convenient when it was decided basically. Makes sense?

Now, the subnets. Each network can be divided into sub networks or subnets. Subnets fall into 5 classes: ABCDE. D and E aren’t used as much so I don’t know much about them.

Class A: Subnet mask is 255.0.0.0 Class B: Subnet mask is 255.255.0.0 Class C: Subnet mask is 255.255.255.0

A subnet mask determines how many bits are reserved for the network, and how many bits are used for hosts (devices). Basically, each IP address is divided into a network part and a host part. Network part is used for identifying networks and how many you can make, while host part is used for identifying hosts/devices like your phone or PC or whatever and how many can be connected.

In class A, with 255.0.0.0, the first number is reserved for the network, and the other 3 for the devices for example.

In class A you have a small amount of possible subnets but a big number of devices, and the opposite in class C.

The 24 after the slash is just a different way of saying 255.255.255.0, called CIDR notation. 255.0.0.0 is /8 and 255.255.255.0 is /16.

So depending on the subnet class, what the numbers mean differs. Well except the port and CIDR subnet mask.

All in all, all you need to know is that your router most likely has one subnet lol

[–] [email protected] 2 points 9 months ago (1 children)

yes - grew up in the 80s so witticisms like "4 bits is a nybble" are stuck in the brain.

Although it doesn't seem relevant it's actually pretty illuminating in what IP addresses are and do so thank you for that

[–] [email protected] 1 points 9 months ago (1 children)

You’re welcome! Did you manage to set up arr apps? :)

[–] [email protected] 1 points 9 months ago (1 children)

I fucked something up and installed pihole and adguard at the same time both in a container and bare metal and received a massive load of error messages that after 2 hours of trying to unstick just formatted the SD card and started over. So then, installing and configuring ssh, fstab the external drive, set a static IP address on the pi took up all of my time so far.

[–] [email protected] 1 points 9 months ago (1 children)

Why not install pihole in docker?

[–] [email protected] 2 points 9 months ago

I was trying to test to see how it worked inside and outside of docker.

[–] [email protected] 4 points 9 months ago

Those are usually the prefixes for interfaces which are not quite the same thing as networks. An interface is the surface that connects some device to a network. For example if your router treats its WLAN and its wired network as a single network (i.e. each thing on WLAN can see everything on wired and vice versa) then a specific device might still have a wlan1 and eth1 interface, each one reaching the respective physical network device, while being in the same network.

"One network" here really only means "something can successfully route between all the devices".

[–] [email protected] 0 points 9 months ago (1 children)

ok. I would still like to learn this stuff, so hopefully someone can come in and answer some of the questions - but it seems like, then, the challenge is just gluetun for now.

[–] [email protected] 2 points 9 months ago

So just an FYI Mullvad isn't a good option for torrenting anymore as they removed port forwarding from their service. You need port forwarding in order to seed files to others in most cases. I switched to AirVPN after Mullvad removed this option and have been satisfied.

[–] [email protected] 3 points 9 months ago

This is what I was coming to say

[–] [email protected] 14 points 9 months ago (2 children)

First of all, is that all correct or have I misunderstood something?

There's a couple things you've got a bit wrong:

I think I’m correct in saying that mysubdomain.mydomain.com is actually an IP address and a public port, so something like 123.456.7.8:443, then Cloudflare - which is the reverse proxy - gets involved (somehow? how?) to say “ah, 123.456.7.8:443, you obviously want to go to funkless.raspberry.pi:NGINX (or rather something like 987.654.3.2:443)” and then NGINX - which is the proxy-proxy, not a reverse-proxy - goes (somehow? how?) “ah, 987.654.3.2:443, you obviously want to go to 987.654.3.2:8096 which is jellyfin”)

I'm not sure what Cloudflare product you're using, but I use it as a DNS server for my domain. If you're doing the same thing - you'll have configured A records and such if so - then what's happening is this:

  1. You request subdomain.mydomain.com. Your device needs the IP to connect to, so it asks Cloudflare for the IP address. Think of this like calling information to find a phone number.
  2. Then your device initiates a request to the IP address it gets back. This is where TLS gets used, and encrypts your connection to that IP address. It also includes the domain requested in a header for the request.
  3. Nginx (which is a reverse proxy, meaning it handles incoming rather than outgoing connections) receives the connection and looks at the domain header. Then it looks in its configuration for the IP and port it should connect to, and forwards the request

However, if you're using some other thing at Cloudflare to make a VPN this might be entirely wrong.

How does mysubdomain.mydomain.com know it’s me and not some random or bot?

Unless you've implemented some kind of filtering or authentication in Nginx, it doesn't. I got around this by configuring HAProxy - which is like Nginx - to only allow requests from my local network except for specific domains that I want to be public.

Is this step “port forwarding” or “opening ports” or “exposing ports” or either or both? (I don’t understand these terms)

Exposing or opening ports is something you do with a firewall. The purpose of Nginx is to make it so you only have to open 1-2 ports, and Nginx will handle redirecting traffic based on its configuration.

If my browser when accessing mysubdomain.mydomain.com is always going to port 80/443, does it need to be told it’s going to talk to cloudflare - if so how? - and does cloudflare need to be told it’s going to talk to NGINX on my local machine - if so how?

If you're using Cloudflare like I described above, you will only need to tell Cloudflare the public IP address of your Nginx server. Generally you do this by telling your domain registrar (where you buy domain.com) to use Cloudflare's "nameservers" and then configure Cloudflare to point to your public IP address.

How do I tell NGINX to switch from local:443 to local:8096 (assuming I’ve understood this correctly)

You edit the Nginx config to add something like this:

server {
    server_name subdomain1.example.com;
    location / {
        proxy_pass       http://hostname1:port1;
    }
 }

Then, when Nginx receives a connection request for subdomain1.example.com for any location, it will proxy it to the configured hostname (or IP address) and port.

Is there a difference between an SSL cert and a public and private key - are they three things, two things or one thing?

There are two parts to an SSL cert: A public key and a private key. How SSL works is... complicated, but suffice to say the public key is shared with the connection, and the private key is hidden on the server. You can encrypt data with either one, and only the matching key can decrypt it. This allows both sides to trust the connection and for nobody else to see the data.

Doesn’t a VPN add an extra step of fuckery to this and how do I tell the VPN to allow all this traffic switching without blocking it and without showing the world what I’m doing?

The Internet is like an ogre: It has layers. HTTP and DNS are on one layer, VPNs are a different layer. HTTP and DNS traffic can travel over the Internet, or your local network or over the VPN.

If you're just setting up a local Jellyfin server, you technically don't need Cloudflare. Your home router will probably let you hard-code a DNS entry for a local IP address, which will keep all of that traffic on your local network. And if you do that right you won't even need SSL.

Gluetun just looks like a text document to me (compose.yml) - how do I know it’s actually protecting me?

I'm not familiar with how Gluetun works, but it's not just compose.yml. When you start it with docker-compose run it will download and extract the code to run Gluetun, and configure networking and other things.

[–] [email protected] 3 points 9 months ago (1 children)

Thank you, this was really helpful.

I don't know if I've configured the A records correctly - but someone else I was asking says that all this is against CloudFlare's TOS so maybe I need to abandon CloudFlare completely.

The NGINX example will help when I start digging into that, thank you.

Yes, perhaps I over-simplified my gluetun example, I know it's doing something in the container, but when I run the mullvad app it shows in green when it's connected, and red when it's not, and when the kill switch is engaged it shows "blocking internet" - how do I understand this same level of protection is active with a docker container? I think I read somewhere that I download something, then I docker pause gluetun and the download rate in qBittorrent should drop to near-zero to show it's paused? Does that sound correct?

[–] [email protected] 1 points 9 months ago

Pausing Gluetun might do that, or it might route the Torrent traffic over the regular network, in which case you might see a blip in the download rate before it goes up again.

Personally I prefere this docker-ized torrent client, since it's got the VPN built right in, and I don't need a VPN to do anything other than torrents.

[–] [email protected] 2 points 9 months ago

Also from that site: “Configure your domain name details to point to your home, either with a static ip or a service like DuckDNS or Amazon Route53” - I assume this is what Cloudflare is for instead of Duck or Amazon? I also assume it means "tell Cloudflare to take traffic on port 80 and 443 and send it to NGINX’s 80 and 443 as per the previous bullet) - but how?

Yes, this is configuring Cloudflare's DNS to point to your home IP address. You shouldn't need to tell it which port, because that's on a different layer.

[–] [email protected] 10 points 9 months ago

Lots of people contributed really good answers, so I don't have anything valuable to add to their answers. But I wanted to point out for your detailed question, you include what you have done, what is your understanding and what are your shortcomings clearly. As opposed to a lot of posts with vague, detail-challenged narratives, that's a top notch post.

And the community delivered by giving good answers, so go community!

Also, you didn't just ghost after the initial post and interacted.with the people who graciously donated their time, so another bonus point there, as well.

[–] [email protected] 7 points 9 months ago (1 children)

As others have mentioned (and also explained in quite some detail) you're trying to bite off a lot at once. First, for Jellyfin locally you can ignore most of that.

And if you really want to learn the ins and outs of all that (and I can recommend it, it's useful), then I suggest you start with some simple web app. Something like note taking or maybe even something trivial like a whoami service, which basically just echos some information it was sent back to you. That's super useful because you know that it is unlikely to be broken, so you can focus on the networking/port forwarding issues. And once you've got that working and have a rough feeling how this all works you can go on to more complex setups that actually do something useful.

[–] [email protected] 2 points 9 months ago

that's a cool project, thank you for the suggestion

[–] False 7 points 9 months ago (1 children)

A lot of this is being complicated for you by not understanding networking fundamentals. I'd suggest looking into a Network+ certification which will cover all of these basics like DNS. You don't have to actually get the cert, just going through the motions on learning the material should help a lot.

You seem to be close on grokking the whole picture and just need some of the basics that are hard to pick up from just doing things at home. A lot of work has been done to try abstract that away from consumers in order to make things easier which is making it harder for you.

[–] [email protected] 2 points 9 months ago (1 children)

Yes, I agree. Do you have any recommendations on courses / sites to look at?

[–] False 3 points 9 months ago* (last edited 9 months ago) (1 children)

It's been a long time since I took it but these are two I recall being helpful. There is a ton of material out there on this cert. I think I recall the official book being helpful too.

https://www.professormesser.com/network-plus/n10-008/n10-008-video/n10-008-training-course/

https://youtu.be/_QBY29dmr-M?si=hmUo22xwjU6oa7Aj

Part 1 and part 5 look most applicable to you. You're unlikely to ever need or want to mess with dynamic routing unless you're doing networking for very large networks for example.

[–] [email protected] 1 points 9 months ago

Here is an alternative Piped link(s):

https://piped.video/_QBY29dmr-M?si=hmUo22xwjU6oa7Aj

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] [email protected] 6 points 9 months ago (2 children)

Look, this is a large puzzle you're trying to solve all at once. I'll try to answer at least some of it. I'd advise you take these things step by step. DM me if you need some more help, I may have time to help you figure things out.

I paid for and installed mullvad (app) but it crashes a lot (for over a minute every 20 seconds), so it looks like I need to configure something like gluetun to do it instead.

Check the error logs and see what's wrong with it instead. How is it crashing? Did you check stdout and stderr (use docker attach or check the compose logs)?

If I want to watch them on my TV I need to connect something to my TV that talks to the raspberry pi, so I have an NVIDIA shield with Jellyfin installed on it - but in order for the NVIDIA-Jellyfin to connect to the RaspberryPi-Jellyfin it needs to go through the internet (if this is not the case, how does one point the NVIDIA-Jellyfin at the Raspberry Pi jellyfin?)

Technically not. You can use the Jellyfin web UI to stream directly from the RPi. You may need the shield if the RPi does not have enough resources for streaming, but I'd try it out first. Try to get the IP the Raspberry is listening on on your local network and put that in a web browser on a computer first. IF you get the web UI and can watch stuff, then try a web browser on your TV, or cast your computer to the TV or something. As long as you have a web browser you should be fine.

First of all, is that all correct or have I misunderstood something?

You should look a bit into how the internet, DNS and IP addresses work on the public internet and private networks. You can absolutely set it up so that traffic from your local network hitting your domain never leaves your home, while if you try the same from somewhere else, you get an encrypted connection to your home. You're a bit all over the place with these terms so it's hard to give you a straight answer.

How does mysubdomain.mydomain.com know it’s me and not some random or bot?

If the question is whether how the domain routes to your IP, look up how DNS works. If you are asking how to make sure you can access your domain while others can't look up the topic of authentication (basically anything from a username/password to a VPN and network rules).

How do I tell Cloudflare to switch from web:443 to local:443 (assuming I’ve understood this correctly)

If I remember correctly, Cloudflare forwards HTTP/S traffic only, so don't worry about the ports, that's all it will do. About the domains, you need to have a fixed public IP address for that, and you have to give Cloudflare by setting a DNS A record for an IPv4 address and/or an AAAA record for an IPv6 address.

So something like this: A myhost.mydomain.com 123.234.312.45

Is this step “port forwarding” or “opening ports” or “exposing ports” or either or both?

Nope. Port forwarding is making sure that your router knows what machine should answer when something on the Internet comes knocking. So if the RPi port 8096 is "forwarded" to the router, then if something from the internet connects to the router's 8096 port, it will get to your RPi instead of something else. Opening ports has to deal with firewalls. Firewalls drop all connections on all ports that are not open, for security reasons. By opening a port you are telling the firewall what entities outside your device can connect to a service like Jellyfin listening on that port. Exposing ports is Docker terminology, it is the same as port forwarding except instead of "moving" a port from your machine to your router you "move" a port from a container to your machine.

If my browser when accessing mysubdomain.mydomain.com is always going to port 80/443, does it need to be told it’s going to talk to cloudflare - if so how? - and does cloudflare need to be told it’s going to talk to NGINX on my local machine - if so how?

The DNS server you are hosting the domain from will propagate that info through the DNS network. Look up how DNS works for more info. If your domain is managed by Cloudflare, it should "just work". Cloudflare knows it talks to your router by you setting up a DNS record in their UI that points to your router, where your RPi's port should be forwarded, which directs traffic to your RPi, on which your NGINX should be listening and directing traffic to your services.

How do I tell NGINX to switch from local:443 to local:8096 (assuming I’ve understood this correctly)

Look up NGINX virtual servers and config file syntax. You need to configure a virtual server listening on 443 with a proxy_pass block to 8096.

Is there a difference between an SSL cert and a public and private key - are they three things, two things or one thing?

Yes, SSL certs are the "public keys" of an X509 pair, while what you know as "public and private keys" are RSA or ED25519 key pairs. The former is usually used to make sure that the server you are accessing is indeed who it claims to be and not a fake copy, it's what drives HTTPS and the little lock icon in your browser. RSA or ED25519 keys are used for authentication as in instead of a username and password, you give a public key to a service, then you can use a private key to encrypt a message to auth yourself. One service you might know that it uses it is SSH.

Doesn’t a VPN add an extra step of fuckery to this and how do I tell the VPN to allow all this traffic switching without blocking it and without showing the world what I’m doing?

A VPN like Mullvad is used for your outgoing traffic. All traffic is encrypted, the reason you want a VPN is not so that others can't see your messages, it's so that your ISP and the other people forwarding your messages don't know who you're talking to (they'll only know you're talking to your VPN), and so that the people you're talking to don't know who you are (they are talking to your VPN). You need this so your ISP doesn't see you going to pirate sites, and so that other pirates, and copyright trolls acting as pirates don't know who you are when you talk to them and exchange files using torrents.

Gluetun just looks like a text document to me (compose.yml) - how do I know it’s actually protecting me?

I don't know shit about Gluetun, sorry.

From https://nginxproxymanager.com/ : "Add port forwarding for port 80 and 443 to the server hosting this project. I assume this means to tell NGINX that traffic is coming in on port 80 and 443 and it should take that traffic and send it to 8096 (Jellyfin) and 5000 (ombi) - but how?

Again, look up virtual servers in NGINX configuration. You need a virtual server listening on 80 and 443 proxying traffic to 8096 and 5000, separating on hostnames I guess.

Also from that site: “Configure your domain name details to point to your home, either with a static ip or a service like DuckDNS or Amazon Route53” - I assume this is what Cloudflare is for instead of Duck or Amazon? I also assume it means "tell Cloudflare to take traffic on port 80 and 443 and send it to NGINX’s 80 and 443 as per the previous bullet) - but how?

Add a DNS A record.

[–] [email protected] 1 points 9 months ago

thank you so much for this considered reply. I'm just stepping out now, but will check in later to go through this in depth

[–] [email protected] 1 points 9 months ago

Check the error logs and see what’s wrong with it instead. How is it crashing? Did you check stdout and stderr (use docker attach or check the compose logs)?

"Crash" is the wrong word. The app is running, it says "Connected" for about 15-20 seconds, then it says "Internet blocked" for about 20 seconds, then it says "Reconnecting" for 30-90 seconds, repeat indefinitely.

Using the CLI for logging, it says something along the lines of "Timeout... Hyper time out"

You should look a bit into how the internet, DNS and IP addresses work on the public internet and private networks.

Do you have any recommendations on how to learn this?

Also, thank you for explaining that "configuring a domain name" is adding an A record. I've added TXT records and similar for Google analytics and I've added mail records to set up my own domain's email before - but this is helpful, thanks.

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
RPi Raspberry Pi brand of SBC
SBC Single-Board Computer
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
nginx Popular HTTP server

[Thread #458 for this sub, first seen 28th Jan 2024, 18:55] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 9 months ago
[–] Fuzzypyro 4 points 9 months ago* (last edited 9 months ago)

Tons of good responses here. I’m surprised that nobody has brought up Tailscale though. It’s def the easiest vpn solution I have found. It’s got some great documentation and how to projects to get a home lab running and it’s got its own domain system baked in most of it being zero configuration. You can access mullvad vpn exit nodes straight from it, and set up those domains with ssl super easy e.g.

sudo tailscale serve —https=443 localhost:8096

That single command would allow any other devices connected to your Tailscale account to reach your Jellyfin using the domain “{serverhostname}.[tail-scale].ts.net” complete with a private reverse proxy and ssl cert.

There are a few things to click around in tailscale on but it’s a extremely easy to use free application that has made my self hosted life significantly easier due to my system living behind multiple firewalls that I sadly have no control over.

[–] Delphiantares 1 points 9 months ago (1 children)

If you get a reverse proxy setup all you need is port 80 and 443 and configure it it'll expose the services that you want to be exposed through the subdomain Personally I've got Traefik service sitting on my media server and anything I want to expose goes through it .it has the details for the connection to cloudflare and so long as I direct it properly both on the container side and Traefik it'll run as expected. The idea is if you go to say jellyfin.example.com cloudflare will direct that at at your reverse proxy(nginx in this case) which then redirects to the right machine/container because you entered from "jellyfin" .

The VPN gluten it is another container that will have the login details to your provider .

I'm still working my way through the self hosted rabbit hole myself, however I used a combination of Google and this sitehttps://www.smarthomebeginner.com/traefik-docker-compose-guide-2022/ The entire site not just the specific article linked . As well as https://trash-guides.info/

[–] [email protected] 1 points 9 months ago (1 children)

Traefik

I will look into this, thank you.