Hi all,
I’m looking at exposing some self-hosted web-based services externally so that some relatives can access them and would appreciate some advice.
Vikunja is the starting point (mostly to facilitate my spouse and me using it when away from home) but in future I want to set up Immich or similar to replace Google Photos, and that in particular will need to be shared with friends and family (especially so that immediate family can have camera uploads on automatically).
I understand that ideally I’d use SSH, a VPN, or tailscale or similar (although I don’t have experience with tailscale), but that’s not going to be feasible. Most of the family will not be able to set up those connections themselves (which means I would need to) and several are far enough away that it is impractical for me to provide on-site support or do it myself. Even if I could get a VPN or similar deployed on all their devices, I suspect that they’re going to struggle with needing to connect to it just to upload or view photos, then disconnect afterwards to resume using the Internet – I really need this to “just work” for them.
So this brings me back to safely exposing these services to the outside world. My network architecture complicates this a little, so for context:
- Modem/router has basic firewall and points to a Raspberry Pi for DHCP. I already have No-IP set up with a domain name so that I can SSH into my LAN when away from home.
- RPi runs Pi-hole + dnscrypt, acting as DHCP and DNS server for the network.
- I want to use nginx as a reverse proxy running on this RPi, as I have experience with it and it can add SSL using certbot. The router would be configured to use port forwarding to direct external traffic for ports 80 and 443 to the RPi.
- Vikunja is hosted on a separate Raspberry Pi (with other things like Shiori).
- I have not yet determined where Immich or similar is going to go. I have an existing home server that I use for backups and important family stuff, but I really don’t want this to be vulnerable to the outside world. If I were to install Immich here, I’d need it to be well-isolated from the rest of the system. The other option is to get a NUC or similar, which is what I am leaning towards as the less stressful option.
So my main questions are:
- Beyond fail2ban and my router’s firewall, what else can I do to protect my network once I open ports 80 and 443?
- How do I handle fail2ban configuration when the services are on different devices to the nginx proxy? I understand the best place to put fail2ban would be on the Pi running nginx (since it’s the access point to the outside world), but that it also needs to read the logs from Vikunja, etc. to be effective.
- Where would you put Immich in my network architecture?
Any other tips/recommendations for making this easy to use for my less tech-inclined friends and family would be much appreciated as well. Thanks.
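On the fail2ban question, an added illustration that is not from the post or from Vikunja: because nginx on the proxy Pi is the single entry point, its own access log already records the real client IP (the backend would only see the proxy's address unless X-Forwarded-For is passed through), so a fail2ban filter can run on that Pi against the nginx log instead of reading Vikunja's logs from the other device. The Python below does the same matching a fail2ban filter would, over constructed log lines; the login path, the failure status codes and the filter name are assumptions to adjust for the real app.

```python
import re
from collections import Counter

# Assumptions (adjust to the actual app): Vikunja's login endpoint path and
# the status codes nginx logs for a rejected login.
LOGIN_PATH = "/api/v1/login"
FAIL_STATUSES = {"401", "403", "412"}
MAXRETRY = 5  # same meaning as fail2ban's maxretry

# Parses a standard nginx "combined" access-log line on the proxy Pi; the first
# field is the real client IP because nginx terminates the external connection.
LOG_RE = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Equivalent fail2ban failregex (fail2ban strips the timestamp, leaving "[]"):
#   ^<HOST> \S+ \S+ \[\] "POST /api/v1/login [^"]*" (401|403|412) 

def failed_logins(lines):
    """Count failed login POSTs per client IP, the way a fail2ban filter would."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if (m and m.group("method") == "POST"
                and m.group("path") == LOGIN_PATH
                and m.group("status") in FAIL_STATUSES):
            hits[m.group("host")] += 1
    return hits

def ban_candidates(lines, maxretry=MAXRETRY):
    """IPs that reached maxretry failures; fail2ban's action would ban these."""
    return sorted(ip for ip, n in failed_logins(lines).items() if n >= maxretry)

def _line(ip, method, path, status, sec):
    # Constructed sample log line in nginx combined format.
    return (f'{ip} - - [10/Jan/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 45 "-" "Mozilla/5.0"')

# Constructed sample log: one client hammering the login, one user who typed
# the password wrong twice then succeeded, and an unrelated page load.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", LOGIN_PATH, 412, s) for s in range(6)]
    + [_line("198.51.100.4", "POST", LOGIN_PATH, 401, 10),
       _line("198.51.100.4", "POST", LOGIN_PATH, 401, 11),
       _line("198.51.100.4", "POST", LOGIN_PATH, 200, 12),
       _line("192.0.2.9", "GET", "/", 200, 13)]
)
```

A real jail would add fail2ban's findtime window and bantime on top of the maxretry count shown here.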


Thanks. My main concern is needing to have the tailscale client set up on my relatives’ devices, so it’d need to be easy to do and the configuration straightforward.
If I wanted to route just traffic to Vikunja and Immich through it, so all their other apps (if on a phone) or web browsing (on a PC) didn’t go through tailscale, is that straightforward to do and is it something that has to be done in the client-side configuration?
I also use Tailscale.
It’s fair to say that I don’t really know what I’m doing, so am picking my way through the world of self-hosting one lesson at a time, but even with that in mind, I’ve found Tailscale an absolute breeze to set up, even if I still don’t fully understand how it all works, and what it can all do.
In short, I have my server at home as part of my tailnet. I’ve also installed it on my Hetzner VPS, which is running YunoHost. Within YunoHost I’ve set up a bunch of redirects which take the Tailscale IPs of my various services and turn them into URLs.
So in essence, my Navidrome server goes from being http://100.111.11.1:4533/ to navidrome.mysite.co.ck.
I’ve got Navidrome, Immich, Home Assistant, Invidious, and Jellyfin running like that, and as far as I can tell I’ve not had any security issues at all.
If you don’t set up or activate an exit node, no traffic is routed through any of your nodes. All you have is the access to the nodes. Which is what you need. I tested exit nodes only recently, they’re very easy to set up as well, but I found no practical need for my use case.
I think installing and logging in should be trivial remotely. Like hey mum, install this app, and log in (trivial with Google or Apple accounts). The rest is on you. Just test the waters yourself first, you’ll get the idea, it’s pretty straightforward. Even if it’s not what you’re looking for, you’d have more information and skills to move to the next thing.
Thanks, sounds like a potential option. I’ll add to the list of things to look into and test out.