this post was submitted on 19 Jun 2023

11 points (92.3% liked)

Selfhosted

39242 readers

679 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

Router Port vs VPS Reverse Proxy (lemmy.primboard.de)

submitted 1 year ago by [email protected] to c/selfhosted

19 comments fedilink hide all child comments

„Inspired“ from https://lemmy.world/post/287146 and many related questions (also on reddit before).

Why don‘t people like opening Port 443 on their Homerouter? An open Port itself is not a vulnerability because nothing is listening on it, therefore there cannot be any connection established. When forwarding Port 443 From Router to e.g. The Homeservers LoadBalancer / Proxy, this Proxy is the final resolver anyways.

So why doing the more complex and more error prone Route via the VPS / Tailscale / CloudFlare?

I did that some years ago too, but just because i did not have an static IPv4 at home. But speeds were awful and i switched to Routerport + DynDNS and now everything is super performant.

top 18 comments

sorted by: hot top controversial new old

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (2 children)

It's typically against the terms of service to open ports less than 1024 (well known ports) of most ISP's for personal internet. That, and there are bots that probe for insecure and misconfigured stuff constantly. Spin up a VPS and take a look at the SSH logs. What if a zero day vulnerability occurs? Are you going to be able to react quick enough to prevent someone from doing damage?

Cloudflare is nice because you no longer need to update your DNS A records, plus it caches data, automatically enables SSL, and absorbs bot traffic for you. Have also tried the Wireguard + VPS route, but that gets expensive because most charge ingress and egress.

[–] SheeEttin 2 points 1 year ago

It's typically against the terms of service to run any server.

[–] [email protected] 1 points 1 year ago

Well, those are fair reasons.

[–] [email protected] 3 points 1 year ago

If you are behind CGNAT, you don't have a lot more options. Also, some may not want to expose their home IP.

[–] [email protected] 2 points 1 year ago (1 children)

I don't like opening ports on my home router, because of the destination services behind the port forwarding. As long as those are secure there are no problems. But if a service has a vulnerability, someone could takeover my home network and creep around. That's scary.

When people use Cloudflare Tunnels to publish their stuff, they usually still have that problem. The idea is that Cloudflare is intrinsically safe and would block all attacks. I don't necessarily agree with that. But I assume it's safer than having no security layer between at all.

[–] [email protected] 2 points 1 year ago (1 children)

But whats the difference between having the reverse proxy on a VPS pointing to you homelab via a VPN or having this Reverse Proxy directly attached to a port? Just from „takeover perspektive“ there should be no no difference

[–] [email protected] 2 points 1 year ago

Yes, I agree. Security wise I also don't see a benefit in hosting the reverse proxy externally. I believe a dynamic DNS provider with a low TTL for the DNS records should work as good or perhaps even better. Not better security wise, but simpler setup, more reliable.

[–] sudneo 2 points 1 year ago

In general it's a matter of not exposing your home IP. There are some ISPs that won't give you a public IP either way, so in those cases something else is needed anyway.

Exposing your IP can lead to DDoS, mostly, which can or cannot be a big deal.

[–] [email protected] 1 points 1 year ago (1 children)

I think Cloudflare Tunnel is awesome for situations where you want to deploy one or two applications without getting a full reverse proxy like Traefik or Nginx handling everything especially if you’re dealing with CGNAT. Also, if you don’t want to manage your own authentication solution for locking down apps, Cloudflare makes these easy to apply to your applications.

So for users who once would have (and still do) open ports directly to each individual application with little to no authentication in between, these solutions offer a turnkey option to fix a lot of things that would otherwise have been out of reach.

[–] [email protected] 1 points 1 year ago (1 children)

OK, i did not think about people opening a port for every application - this would be stupid

[–] [email protected] 1 points 1 year ago

Especially when people get into things like Sonarr and Radarr as their first foray into self hosting it’s not hard to see why they might assume that there is security in obscurity and think that there is no risk to opening up those applications directly to the world!

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Only one reason, i had a mail server previously. And buying a static ip from my isp was more expensive than renting a vps for 2$ a month.

Nowadays i just think its cool so that i can have a failover for critical services. (Only Vaultwarden for me) Also its nice to have your own full speed vpn.

And i also run rustdesk mirror server on it, to profit from the faster data connection on my vps.

[–] [email protected] -3 points 1 year ago (5 children)

do you know for sure that nothing is listening on it? Do you scan every device you connect to your network?

[–] [email protected] 6 points 1 year ago

Opening a port on consumer routers does not mean that all devices are open. Normally you forward a port to a host+port in the local network. In most cases some server which you control. All other devices are not affected by opening a port.

[–] [email protected] 4 points 1 year ago

I am confused by this question, if you forward a port then the only device you should be interested in is the device you are forwarding to surely? If you are worried about devices on your network, then surely since they are already on the network side of the router and so if they were going to do something nefarious then opening a port is the least of your worries.

Honestly trying to understand the point you were trying making.

[–] [email protected] 3 points 1 year ago

This doesn’t really apply if you’re port forwarding to a specific device. In that case you know that you have told your firewall to forward port 80 & 443 (for example) to your web server and you know what ports that has open. I would not be using UPNP on the other hand as that seems dangerous especially in the IOT era.

[–] [email protected] 3 points 1 year ago

I am Sure because the port forward is to a specific IP in my DMZ - therefor no one can just plug a device and open something

[–] [email protected] -1 points 1 year ago

and, even if you scan them, how do you know that a port knocker isn't there waiting to the secret knock?

load more comments