There's an addon for that (I haven't used it)
dinosaurdynasty
joined 2 years ago
Why not just attach a non shitty device over HDMI and use that?
Lots of people do that, the Nvidia shield is one I hear a lot about
Hint: you don't have to use ldap to use authelia (I haven't bothered). It's a bit awkward to use though, I'd only recommend it for single-user setups (I wish they would just add support for SQLite, they already use it for 2fa and stuff)
That's surprising, considering CGNAT would break it as well and is meaningfully common.
Potentially stability improvements as well (for the same reasons as the security improvements), especially for lesser used drivers and stuff.
Probably, unless they have a static delegation or do prefix delegation properly, which if they did they probably don't suck enough to require double NAT^ lol
^single NAT for IPv6, assuming they don't NAT it themselves
You could always do double NAT (put your own router behind theirs) as last resort. It's not that bad, I've done it a lot.
Do authentication in the reverse proxy if you can (e.g., basic auth or forward auth like Authelia, the second also has the benefit of SSO).
CAA can also be used to disable http verification, meaning you would have to have control of DNS to be able to get a certificate (which the VPS ideally wouldn't have).
I use Caddy as a reverse proxy, but most of this should carry over to nginx. I used to use basic_auth at the proxy level, which worked fine(-ish) though it broke Kavita (because websockets don't work with basic auth, go figure). I've since migrated to putting everything behind forward_auth/Authelia which is even more secure in some ways (2FA!) and even more painless, especially on my phone/tablet.
Sadly reverse proxy authentication doesn't work with most apps (though it works with PWAs, even if they're awkward about it sometimes), so I have an exception that allows Jellyfin through if it's on a VPN/local network (I don't have it installed on my phone anyway):
@notapp {
not {
header User-Agent *Jellyfin*
remote_ip 192.160.0.0/24 192.168.1.0/24
}
}
forward_auth @notapp authelia:9091 {
uri /api/verify?rd=https://authelia.example
}
It's nice being able to access everything from everywhere without needing to deal with VPNs on Android^ and not having to worry too much about security patching everything timely (just have to worry about Caddy + Authelia basically). Single sign on for those apps that support it is also a really nice touch.
^You can't run multiple VPN tunnels at once without jailbreaking/rooting Android
Yup, there are many ways of doing that. Most reverse proxies should support basic auth (easy, but browser UX is terrible and it breaks websockets) or TLS client auth (even worse browser UX, phones are awful).
The best thing is do something like Caddy + Authelia (which is what I currently do with most things, with exceptions for specific user agents and IPs for apps that require it, aka non-browser stuff like Jellyfin),
Sounds like a pain to get non technical family members to use. If you're willing to break the non web app you could always put it behind an authenticating proxy (which is what I do for myself outside of VPN, setting up a VPN on a phone is obnoxious and I only look at metadata anyway on my phone)