tldr: I’d like to set up a reverse proxy with a domain and an SSL cert so my partner and I can access a few self-hosted services on the internet but I’m not sure what the best/safest way to do it is. Asking my partner to use tailscale or wireguard is asking too much unfortunately. I was curious to know what you all recommend.

I have some services running on my LAN that I currently access via tailscale. Some of these services would see some benefit from being accessible on the internet (ex. Immich sharing via a link, switching over from Plex to Jellyfin without requiring my family to learn how to use a VPN, homeassistant voice stuff, etc.) but I’m kind of unsure what the best approach is. Hosting services on the internet has risk and I’d like to reduce that risk as much as possible.

  1. I know a reverse proxy would be beneficial here so I can put all the services on one box and access them via subdomains but where should I host that proxy? On my LAN using a dynamic DNS service? In the cloud? If in the cloud, should I avoid a plan where you share CPU resources with other users and get a dedicated box?

  2. Should I purchase a memorable domain or a domain with a random string of characters so no one could reasonably guess it? Does it matter?

  3. What’s the best way to geo-restrict access? Fail2ban? Realistically, the only people that I might give access to live within a couple hundred miles of me.

  4. Any other tips or info you care to share would be greatly appreciated.

  5. Feel free to talk me out of it as well.

EDIT:

If anyone comes across this and is interested, this is what I ended up going with. It took an evening to set all this up and was surprisingly easy.

  • domain from namecheap
  • cloudflare to handle DNS
  • Nginx Proxy Manager for reverse proxy (seemed easier than Traefik and I didn’t get around to looking at Caddy)
  • Cloudflare-ddns docker container to update my A records in cloudflare
  • authentik for 2 factor authentication on my immich server
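The dynamic-DNS step in that list (keeping an A record pointed at a home connection whose address changes), as an added example that is not the OP's setup and not the code of the cloudflare-ddns container. It assumes the zone ID, the record name and an API token are passed in the environment variables named below (`CF_ZONE_ID`, `CF_RECORD_NAME`, `CF_API_TOKEN`), that the token is scoped to DNS edit on that single zone, and that https://api.ipify.org is used to learn the public IPv4 address; the record list in the docstring is constructed.

```python
"""Minimal dynamic-DNS updater for one Cloudflare-hosted A record.

Added example, not the cloudflare-ddns container's code. Assumptions (not from
the thread): the Cloudflare v4 API endpoints below, a token with DNS edit
rights on exactly one zone, and api.ipify.org as the public-IP source.
"""
import ipaddress
import json
import os
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"


def plan_update(current_ip, records):
    """Decide what to change for the A records returned by the API.

    records: list of DNS record dicts (only 'id', 'type', 'content' are used).
    Returns the id of the single A record that must be rewritten, or None when
    it already holds current_ip. Raises on anything ambiguous so a zone with
    zero or several A records is never silently "fixed".
    """
    ipaddress.IPv4Address(current_ip)  # refuse garbage from the IP lookup
    a_records = [r for r in records if r.get("type") == "A"]
    if len(a_records) != 1:
        raise RuntimeError(f"expected exactly one A record, found {len(a_records)}")
    rec = a_records[0]
    return None if rec["content"] == current_ip else rec["id"]


def _request(url, token, method="GET", body=None):
    """Authenticated call to the Cloudflare v4 API; returns the 'result' field."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
    return payload["result"]


def public_ipv4():
    """Ask an external service which address our traffic leaves from (assumption: ipify)."""
    with urllib.request.urlopen("https://api.ipify.org", timeout=15) as resp:
        return resp.read().decode().strip()


def sync(zone_id, name, token):
    """Read the current A record for `name` and PATCH it only if the IP changed."""
    ip = public_ipv4()
    records = _request(f"{CF_API}/zones/{zone_id}/dns_records?type=A&name={name}", token)
    rec_id = plan_update(ip, records)
    if rec_id is None:
        return f"{name} already points at {ip}"
    _request(f"{CF_API}/zones/{zone_id}/dns_records/{rec_id}", token,
             method="PATCH", body={"content": ip})
    return f"{name} updated to {ip}"


if __name__ == "__main__":
    print(sync(os.environ["CF_ZONE_ID"], os.environ["CF_RECORD_NAME"],
               os.environ["CF_API_TOKEN"]))
```

Run it from cron or a container loop every few minutes. Two points the thread touches on: the token should be able to edit DNS on that one zone and nothing else, since whatever runs this script holds it; and if the record is Cloudflare-proxied (the orange cloud), updating it keeps your home IP out of public DNS, which is the main privacy benefit of putting Cloudflare in front of a home connection.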
    teuto@lemmy.teuto.icu · 10 months ago

    I use a central nginx container to redirect to all my other services using a wildcard Let’s Encrypt cert for my internal domain from acme.sh and I access it all externally using a tailscale exit node. The only publicly accessible service that I run is my Lemmy instance. That uses a cloudflare tunnel and is isolated in its own VLAN.

    TBH I’m still not really happy having any externally accessible service at all. I know enough about security to know that I don’t know enough to secure against much anything. I’ve been thinking about moving the Lemmy instance to a vps so it can be someone else’s problem if something bad leaks out.

    • foggy@lemmy.world · 10 months ago

      Don’t fret, not even Microsoft does.

      You’re not as valuable as a target as Microsoft.

      It’s just about risk tolerance. The only way to avoid risk is to not play the game.

    • a_fancy_kiwi@lemmy.world (OP) · 10 months ago

      wildcard let’s encrypt cert

      I know what “wildcard” and “let’s encrypt cert” are separately but not together. What’s going on with that?

      How do you have your tailscale stuff working with ssl? And why did you set up ssl if you were accessing via tailscale anyway? I’m not grilling you here, just interested.

      I know enough about security to know that I don’t know enough to secure against much anything

      I feel that. I keep meaning to set up something like nagios for monitoring and just haven’t gotten around to it yet.

      • teuto@lemmy.teuto.icu · 10 months ago

        So when I ask Let’s Encrypt for a cert, I ask for *.int.teuto.icu instead of specifically jellyfin.int.teuto.icu, that way I can use the same cert for any internally running service. Mostly I use SSL on everything to make browsers complain less. There isn’t much security benefit on a local network. I suppose it makes it harder to spoof on an external network, but I don’t think that’s a serious threat for a home net. I used to use home.lan for all of my services, but that has the drawback of redirecting to a search by default on most browsers. I have my tailscale exit node running on my router and it just works with SSL like anything else.

        • a_fancy_kiwi@lemmy.world (OP) · 10 months ago

          Ok so I currently have a cert set up to work with:

          domain.com

          www.domain.com (some browsers seemingly didn’t like it if I didn’t have www)

          subdomain.domain.com

          Are you saying I could just configure it like this:

          domain.com

          *.domain.com

          The idea of not having to keep updating the cert with new subdomains (and potentially break something in the process) is really appealing

          • starshipwinepineapple@programming.dev · 10 months ago

            Yes. If you’re using Let’s Encrypt then note that they do not support wildcard certs with the HTTP-01 challenge type. You will need to use the DNS-01 challenge type. To utilize it you would need a domain registrar that supports API DNS updates like cloudflare and then you can use the acme.sh package. Here is an example guide I found.

            Note that you could still request multiple explicit subdomains in the same issue/renew commands so it’s not a huge deal either way but the wildcard will be more seamless in the future if you don’t know what other services you might want to selfhost.
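To make concrete what the `domain.com` plus `*.domain.com` pair from the question above does and does not cover, here is an added example (not code from the thread, acme.sh or Let's Encrypt) implementing the wildcard rules that browsers and TLS libraries apply to certificate subjectAltNames: a single `*` is accepted only as the entire leftmost label, it matches exactly one label, and it never matches the bare domain. The SAN list and hostnames are constructed; this is a teaching matcher, not a replacement for your TLS library's check.

```python
"""Which hostnames does a cert with names {domain.com, *.domain.com} cover?

Added example, not code from the thread. Implements the subjectAltName
matching rules browsers use (RFC 6125 as tightened by RFC 9525): one
wildcard, only as the whole leftmost label, matching exactly one label,
and at least two fixed labels to its right. Names below are made up.
"""


def name_matches(pattern, hostname):
    """Return True if a certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain SAN entry: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label ('f*.example.com' is rejected,
    # as is '*.com', which would cover every domain under a public suffix).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # The wildcard stands in for exactly one non-empty label, so the host must
    # have the same number of labels; this is why '*.domain.com' does not
    # cover 'domain.com' or 'a.b.domain.com'.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_names, hostname):
    """True if any SAN entry on the cert covers the hostname."""
    return any(name_matches(name, hostname) for name in san_names)


# Constructed SAN list matching the setup discussed in the thread.
CONSTRUCTED_SANS = ["domain.com", "*.domain.com"]


def coverage_report(san_names=CONSTRUCTED_SANS):
    """Map a few constructed hostnames to whether the cert covers them."""
    hosts = [
        "domain.com",               # covered only because it is listed explicitly
        "www.domain.com",           # covered by the wildcard
        "jellyfin.domain.com",      # any new single-label subdomain is covered
        "photos.immich.domain.com", # two labels deep: NOT covered
    ]
    return {h: cert_covers(san_names, h) for h in hosts}


if __name__ == "__main__":
    for host, ok in coverage_report().items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
```

The practical consequence for the setup above: keep the bare `domain.com` as its own name on the cert, and if you ever want a second level (say `*.int.domain.com` for LAN-only services, as in the post earlier in the thread), that needs its own wildcard entry. Since Let's Encrypt only issues wildcards via DNS-01, the acme.sh or certbot client needs an API credential for your DNS provider; scope that credential to the one zone, because anyone who holds it can obtain certificates for any name under it.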