Running a TrueNAS Scale server with Jellyfin and planning to add Nextcloud. How would I be able to access these services from outside my network? I have heard portforwarding is unsafe and a VPN seems inconvenient to me.

  • Im_old@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    1 year ago

    Port forwarding is unsafe, but even crossing the road is unsafe. Do you cross the road without watching? In the same way, you just don’t let a published server online without doing regular updates. You set up docker, run nextcloud (docker) behind nginx proxy manager, and have watchtower update them regularly. You can also setup 2fa in docker, and pair it with fail2ban.

    Every port open widens the attack surface, but those services are made to be published, so there are mitigations against the risks.

    • corroded@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      1 year ago

      I’ve said this many times before, but it seems relevant here, too. Using a reverse proxy is a good step for security, but you will still want to block certain incoming connections on your firewall. I block everything except for our cell phone provider, my partner’s employer, and my employer. We will never be accessing my network from any other source. At the very least, block everything and whitelist your own country; this will prevent a lot of illegitimate connections. If you’re using pfSense, the pfBlockerNG plugin makes this very easy to do.

      • Im_old@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Yeah, absolutely good point, it’s something that can be done in opnsense as well. Certainly blocking any bloc outside your country (or region maybe in Europe) makes sense. I block everything outside RIPE, and also China and Russia.

    • MaggiWuerze@feddit.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      How does watchtower work with compose stacks? Does it update the whole stack (docker compose pull && docker compose up) in one go or each container individually?

      • AES@lemmy.ronsmans.eu
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Found out the hard way, it does not. Now I just run a script every week (pull and compose up)

      • Im_old@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        AFAIK one container at a time. Since the different parts of a stack (e.g. app and db) have different release cycles it’s not a problem (or it hasn’t been for me).

        Also, the important bit (from a security perspective) it’s the front end (i.e. the web app).

      • Im_old@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Now you make a good point, you also have to perform the update within the app in nextcloud. I use a custom image so I have to do it anyway, I haven’t realised that.

        But I guess npm is the one that needs to be updated automatically to avoid most of the attacks on the web

    • vegetaaaaaaa@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      1 year ago

      Internet-facing Jellyfin instance is a bit too risky for my taste (https://github.com/jellyfin/jellyfin/issues/5415), especially with those unauthenticated endpoints leaking contents of the server.

      If VPN is not an option, I suggest using setting a restrictive <RemoteIPFilter> in /etc/jellyfin/network.xml and/or placing Jellyfin behind HTTP basic auth.

      Internet-facing Nextcloud is fine in my experience, provided you harden the web server in the usual ways.

  • Jtee@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    edit-2
    1 year ago

    I’d suggest port forwarding. Opening a port on your firewall just says “there’s a service running on this port” but the software will have it’s own “risk mitigation” to prevent intrusion.

    Additionally, if you own a domain with someone such as GoDaddy, you can leverage their API to script IP updates (quick google search can walk you through options; cron, powershell, etc) so you can always access your nextcloud instance with a friendly name.

  • Chocrates@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    VPN is the best way but it is kind of a pain in the ass yeah. I had it set up that way for a while but I gave up, I just don’t use it enough outside of the home to justify it.

    • tuxprint@lemmy.tuxprint.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I’ve heard that steaming video is against ToS for tunnels, but I’ve not been able to confirm this.

      But man, cloudflare tunnels are so cool. They are game changer if your behind a cgNAT or can’t port forward for some reason. And they are even useful if you can port forward. Cloudflare cacheing and ddos protection, and your IP is not exposed.

      Beautiful.

      • eric5949@lemmy.cloudaf.site
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Well hosting a web server is against my isp’s terms of service so I’m playing dangerous either way lol. But I only use it for my nextcloud, I plan on either switching to FiOS or upgrading to business internet with my current provider so I can get rid of the cgnat.

        • tuxprint@lemmy.tuxprint.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Well hosting a web server is against my isp’s terms of service so I’m playing dangerous either way lol.

          That is a fair point lol 😂

          But I only use it for my nextcloud, I plan on either switching to FiOS or upgrading to business internet with my current provider so I can get rid of the cgnat.

          Yeah, cgNAT is such a drag man.

          It’s bad even for non tech people. They will be wondering why they cant connect to voice chat in their game system, or why they can’t connect to their VPN for work.

          We need to rip the band-aid off and embrace ipv6.

          • eric5949@lemmy.cloudaf.site
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            I’ll be honest with you, aside from the fact I can’t get a static IP or forward ports I’ve naver really had any issues with it. I use discord for voice chat and don’t play on consoles though.

      • starcrossed_hero@kbin.social
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        I don’t think it is explicitly against the ToS any longer, although it used to be from what I can gather. There is no longer a section 2.8 here but it does state in section 2.7:

        You agree not to…(b) post, transmit, store or link to any files, materials, data, text, audio, video, images or other content that infringe on any person’s intellectual property rights or that are otherwise unlawful

        So as long as you either only host original content or your media server requires login and is not open to the public then I don’t think you’d have any issues.

        I actually use a Cloudflare Tunnel in this way to serve a Jellyfin docker container and have not had any issues. I also disabled Cloudflare caching though for the subdomain that Jellyfin is served from, in order to be sure Cloudflare wasn’t caching that media either.

      • Chocrates@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Setting up, configuring and maintaining it is kind of a pain. I am unware of a 2 click option. I put my whole network on a self hosted VPN so I was probably doing it in a more complicated way than I needed

          • hungover_pilot@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            That’s true. I only use my vpn when I’m out of the house. And the only devices I have with me are my phone/laptop which both have official apps.

        • hungover_pilot@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          In android, for the wireguard/openvpn apps, you can add a button to your swipe down menu (where you toggle on/off wifi, flashlight, etc).

  • Ward@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Either you need to expose those two services to the Internet or use a VPN. You mention vpns are inconvenient but have you checked out tailscale? The free account does your needs and it’s by far the easiest one I have set up. You can also look into a cloudflare tunnel but you would need a domain name for that

  • Meow.tar.gz@lemmy.goblackcat.com
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    3
    ·
    1 year ago

    The easiest solution is to look into using Tailscale or ZeroTier. Basically it’s a cloud-based, software-defined overlay network that won’t require you to setup port forwarding or anything of that nature. There is a free tier available for both.

  • doeknius_gloek@feddit.de
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I have heard portforwarding is unsafe and a VPN seems inconvenient to me.

    Well, those are pretty much the available options.

    People are talking about Tailscale a lot and although I’ve never used it, it might be easy to setup while not being too inconvenient for you.