I want to start with self hosting something available from internet. Currently I have jellyfin, nas etc but everything is available in local network.

My biggest concern is securing local network. I thought i will run application on separate server, I will use small vps as proxy, but Im not sure if it will be enough

  • irmadlad@lemmy.worldEnglish
    3·
    7 hours ago

    Have you considered Cloudflare Tunnels/Zero Trust. When you use Cloudflare Tunnels/Zero Trust, you don’t need to fiddle with NAT, open any ports, in fact you don’t need any open ports. You just install Cloudflare Tunnels/Zero Trust on your server, connect to your Cloudflare Tunnels/Zero Trust account, and Cloudflare does the rest. To deploy Cloudflare Tunnels/Zero Trust you will need a domain name. Cloudflare will sell you a domain name but I think most get something cheap from NamesCheap or Pork Bun. When you have secured a domain name, switch the nameservers to the ones that Cloudflare assigns you. Jacks a doughnut, Bob’s your uncle.

    ETA: Obviously you’ll need port 22 for administration.

    sudo ufw default deny incoming

    sudo ufw default allow outgoing

    • commonmarmoset@reddthat.comEnglish
      2·
      7 hours ago

      I think this is an excellent suggestion. I used Cloudflare tunnels until recently, and it was very effective. However, I stopped because of a minor issue, which I’ll mention in case its a deal breaker for anyone.

      Technically, using Cloudflare tunnels for Jellyfin is a ToS violation. You’re only allowed to do so if you have an enterprise account, which is quite expensive.

      I heard from a “friend of a friend” that everyday users don’t need to worry about this. Cloudflare are aware of people using tunnels with Jellyfin and they aren’t fussed. The rule is supposedly there to combat large scale piracy.

      However, I have heard that cloudflare does decide to start caring if they can use jellyfin use as an extra excuse to kick anybody involved in other ToS violations.

      In all likelihood, this won’t be a problem for you. While I used tunnels, they worked perfectly. However, given that you are going to go to the effort of sorting out some level of infrastructure for yourself, its something to keep in mind.

      • irmadlad@lemmy.worldEnglish
        2·
        7 hours ago

        Technically, using Cloudflare tunnels for Jellyfin is a ToS violation. You’re only allowed to do so if you have an enterprise account, which is quite expensive.

        I’ve heard people say this, and I’ve heard people say you can’t stream music. Tho I do not run the 'arr stack or Jellyfin, I do run Navidrome almost 24/7/365. But it’s something to keep in mind.

        ETA: I am the sole user

    • Kkk2237pl@lemmy.worldOPEnglish
      2·
      7 hours ago

      Yeah, but if my server is in the local network, I have potential threat that someone will access my lan through public server

      • irmadlad@lemmy.worldEnglish
        3·
        7 hours ago

        Well, you could do network segmentation:

        • Put the server in a DMZ or separate VLAN if your router supports it. This isolates it from your main devices (computers, phones, IoT). I’m not sure what router you have buy many consumer routers have a “guest network” that can serve this purpose.

        Utilize UFW rules. Mine are:

        • sudo ufw default deny incoming

        • sudo ufw default allow outgoing

        • Anywhere ALLOW IN 192.168.1.0/24

        • 22 ALLOW IN 192.168.1.0/24

        • 22 on tailscale0 ALLOW IN Anywhere

        • 22 (v6) on tailscale0 ALLOW IN Anywhere (v6)

        Also:

        • sudo ufw allow out to 1.0.0.1 port 53 # DNS only
        • sudo ufw allow out to 1.1.1.1 port 53
        • sudo ufw deny out to 192.168.1.0/24 # Block LAN access except admin

        So now I have SSH capability locally and through Tailscale installed on the server and this prevents the server from initiating connections to other LAN devices. You can do alot with UFW and Fail2Ban in conjunction with Cloudflare Tunnels/Zero Trust.