Hello people, I recently rented a vps server from OVH and I want to start hosting my own piefed instance and a couple other services. I am running debian 13 with docker, and I have nginx proxy manager almost set up. I want to set up subdomains so when I do social.my.domain it will go to my piefed instance, but how do I tell the machine to send piefed traffic to this subdomain and joplin traffic (for example) to another domain? Can I use nginx/docker natively for that or do I have to install another program. Thanks for the advice.

  • a_person@piefed.socialOPEnglish
    1·
    6 hours ago

    What service would you recommenced for firewall. The firewall I use on my laptop is ufw, should I use that on the vps or is their a different service that works better?

    • kumi@feddit.onlineEnglish
      1·
      2 hours ago

      Firewalld

      sudo apt-get install firewalld  
systemctl enable --now firewalld # ssh on port 22 opened but otherwise most things blocked by default  
firewall-cmd --get-active-zones  
firewall-cmd --info-zone=public  
firewall-cmd --zone=public --add-port=1234/tcp  
firewall-cmd --runtime-to-permanent

      There are some decent guides online. Also take a look in /etc/firewalld/firewalld.conf and see if you want to change anything. Pay attention to the part about Docker.

      You need to know about zones, ports, and interfaces for the basics. Services are optional. Policies are more advanced.

    • deadcade@lemmy.deadca.deEnglish
      2·
      6 hours ago

      UFW works well, and is easy to configure. UFW is a great option if you don’t need the flexibility (and insane complexity) that manually managing iptables rules offers,

      • kumi@feddit.onlineEnglish
        1·
        2 hours ago

        The main problem with UFW, besides being based on legacy iptables (instead of the modern nftables which is easier to learn and manage), is the config format. Keeping track of your changes over track is hard, and even with tools like ansible it easily becomes a mess where things can fall out of sync with what you expect.

        Unless you need iptables for some legacy system or have a weird fetish for it, nobody needs to learn iptables today. On modern Linux systems, iptables isn’t a kernel module anymore but a CLI shim that actually interacts with the nft backend.

        Misconfigured UFW resulting in getting pwned is very common. For example, with default settings, Docker will bypass UFW completely for incoming traffic.

        I strongly recommend firewalld, or rawdogging nftables, instead of ufw.

        There used to be limitations with firewalld but policies maturing and replacing the deprecated “direct” rules together with other general improvements has made it a good default choice by now.