The more I self-host, the more ports I open to my reverse proxy.

I also have a VPN (wireguard) but there are also 3 family members that want to access some services.

Open ports are much easier to handle for them.

How many users do you have and how many ports are open?

My case: 4 users (family) / 8 reverse proxy ports

How many users and open ports do you have?
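A quick way to answer "how many ports are open" for your own host is to list the sockets that are bound beyond loopback, which is what a reverse proxy or firewall can actually expose. The script below is an added example (not from this thread or any of its posters): it parses the output format of `ss -Hlntu` from Linux iproute2 and reports every listener that is not bound to 127.0.0.1 or ::1. The embedded sample output is constructed so that the script runs offline; the mix of services in it is hypothetical.

```shell
#!/bin/sh
# Added example: find listening sockets reachable beyond loopback.
# Input format is that of `ss -Hlntu` (no header, fields:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).

# Constructed sample of `ss -Hlntu` output (hypothetical host).
SAMPLE_SS='tcp   LISTEN 0 4096   127.0.0.1:5432   0.0.0.0:*
tcp   LISTEN 0 511    0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0 511    0.0.0.0:80       0.0.0.0:*
tcp   LISTEN 0 128    [::]:22          [::]:*
udp   UNCONN 0 0      0.0.0.0:51820    0.0.0.0:*
tcp   LISTEN 0 4096   [::1]:8096       [::]:*'

# exposed_listeners: read ss lines on stdin, print "proto port" for every
# socket whose local address is not loopback. Those are the ones a LAN or
# WAN client can reach if the firewall allows it.
exposed_listeners() {
    awk '{
        proto = $1; local = $5
        # The port is everything after the last colon; IPv6 addresses are
        # bracketed, so splitting on ":" and taking the last field is safe.
        n = split(local, parts, ":")
        port = parts[n]
        addr = substr(local, 1, length(local) - length(port) - 1)
        if (addr == "[::1]" || addr ~ /^127\./) next
        print proto, port
    }' | sort -u
}

# exposed_count: number of distinct (proto, port) pairs bound beyond loopback.
exposed_count() {
    exposed_listeners | wc -l | tr -d ' '
}

# Demo on the constructed sample. On a live Linux host, replace the
# printf with: ss -Hlntu | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
printf 'exposed listeners: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | exposed_count)"
```

The sample deliberately contains a database on 127.0.0.1 and a media server on [::1]; both are skipped, leaving four listeners (80, 443 and 22 over TCP, 51820 over UDP) as the candidates that a router port-forward or reverse proxy could expose.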

  • @brygphilomena@lemmy.world (8 points, 2 years ago)

    Both. Some things are only resolvable internally or over wireguard. Some things are publicly accessible via a reverse proxy.

    Overseerr, bitwarden, plex all have ports open or through the reverse proxy. Same with email and a few other services. All the *arrs are accessible only on my network or over VPN.

      • @brygphilomena@lemmy.world (3 points, 2 years ago)

        Because no one needs access externally. Overseerr is public facing and passes the requests to the arrs.

        It’s not about secure access, it’s that no one outside my house, me included, really needs access to them at all.

  • @Ungoliantsspawn@lemmy.world (7 points, 2 years ago)

    May I ask what you guys have exposed to the internet?

    I personally just have a wireguard VPN (single UDP port open) and everything is accessible through an internal reverse proxy. I just never felt the need to expose anything, at least not web related.

    • @sizzling@lemmy.world (3 points, 2 years ago)

      I have Jellyfin and Jellyseerr open through cloudflare -> nginx over port 443 so I can share it with friends. Eventually I’ll do the same with NextCloud probably.

      • @peregus@lemmy.world (3 points, 2 years ago)

        Video streaming is against Cloudflare policies, aren’t you worried that they may block your account?

        • @sizzling@lemmy.world (1 point, 2 years ago)

          Hmm I thought if I set it up to not cache data it would be fine, but it turns out that was outdated data. I don’t see an option for paying for it unless I host media specifically on their servers which I won’t be doing.

          I doubt I’ll be using a significant amount of data but if they give me a warning I’ll have to turn off the tunnel I suppose. Thanks for the question!

    • @keyez@lemmy.world (1 point, 2 years ago)

      I expose self-hosted bitwarden for my family to access through cloudflared tunnels and only allow US IPs via cloudflare rules. Only the webUI is exposed and traffic has to go through cloudflare and nginx to be able to do anything.

    • @Reborn2966@feddit.it (1 point, edited, 2 years ago)

      a lot of stuff:

      • owncloud
      • paperless
      • immich
      • jellyfin
      • jellyseerr
      • traefik

      then i have stuff only accessible from local, like the *arr stack.

      i’m not using cloudflare or anything, should I?

      the only exposed ports i have are http / https and a random port for ssh.

      i also don’t use any sso… maybe i should set one up.

    • @grue@lemmy.world (1 point, 2 years ago)

      Do you even need a reverse proxy if you’re using Tailscale? What advantage does it give you over setting up your DHCP correctly such that you can access your services by hostname?

      • @ShinNoodleBlackCup@lemmy.ml (1 point, 2 years ago)

        Because I have my own custom domain internally and don’t use tailscale while I’m on my network physically. But I get the best of both worlds; I do have Tailscale set up with dnsmasq to use my domain name anyway instead of the Tailscale domain.

  • @funk@lemmy.ca (4 points, 2 years ago)

    I’ve got a reverse proxy for stuff I want to be able to hit from the outside. It’s behind an SSO portal with 2fa (hardware token). Then for everything else I VPN in.

      • @GameGod@lemmy.ca (1 point, 2 years ago)

        I’m not OP but Keycloak is pretty usable for SSO. I’ve configured about 8 different web apps to be integrated with it via OAuth2.

  • @eximo@lemmy.ml (2 points, 2 years ago)

    Anything that is exposed is done through nginx proxy manager and 2FA is enforced on those apps either through the app or through Authelia.

    Some of the exposed apps are shared with friends and family, so it’s easier to expose them securely than to mess with VPN for them.

    Anything else is only accessible via VPN on my router.

    I need to look at tailscale.

  • @peregus@lemmy.world (1 point, 2 years ago)

    I use Wireguard for everything except a couple of ports that are open directly to the Internet for Traccar (fleet management), because the GPS trackers don’t support anything in the middle, and I use a Cloudflare Zero Trust tunnel for Nextcloud (without any other security layer, because the Android and Windows apps don’t support them) because my family use it too. The Wireguard tunnel is always on, both on my PCs and on my Android smartphone.

  • Engywook (0 points, edited, 2 years ago)

    Reverse proxy and allowing connections only from IPs in my country.

  • @pontata@lemmy.world (0 points, 2 years ago)

    Never open ports to the internet unless you want everybody to see it. Always use VPN to access your selfhosted stuff. If you’ve got a lot of VPN connections to set up, try generating a QR code for the connection. Makes it a bit faster to set up the client.
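The QR-code onboarding mentioned above, written out as an added example (not code from this thread or from the WireGuard project): a small POSIX shell script that builds one family member's wg-quick client config plus the matching `[Peer]` block for the server, and pipes the client config into `qrencode` so the phone app can scan it. Assumptions: the tunnel subnet is 10.8.0.0/24, the server endpoint `vpn.example.com:51820` and all key values are placeholders, and the real keys come from `wg genkey` / `wg pubkey`. The default `AllowedIPs` keeps the tunnel split (only the home subnet is routed), which is usually what family members want; pass `0.0.0.0/0, ::/0` to route everything.

```shell
#!/bin/sh
# Added example: generate a WireGuard client config and show it as a QR code.
# Real keys are produced once per client with (not run here):
#   wg genkey | tee client.key | wg pubkey > client.pub
# All key strings below are placeholders, not real key material.

# wg_client_conf CLIENT_PRIVKEY CLIENT_ADDRESS SERVER_PUBKEY ENDPOINT [ALLOWED_IPS]
# Prints a complete wg-quick configuration for the client side.
wg_client_conf() {
    priv=$1
    addr=$2
    server_pub=$3
    endpoint=$4
    # Split tunnel by default: only the VPN subnet goes through the tunnel.
    allowed=${5:-10.8.0.0/24}
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\n\n' "$priv" "$addr"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$server_pub" "$endpoint" "$allowed"
}

# wg_server_peer CLIENT_PUBKEY CLIENT_ADDRESS
# Prints the [Peer] block to append to the server's wg0.conf; the server only
# accepts packets from this peer that carry the single assigned address.
wg_server_peer() {
    printf '[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$2" "$1" "$2"
}

# wg_qr: render a config read on stdin as a scannable QR code in the terminal.
# Requires the qrencode package.
wg_qr() {
    qrencode -t ansiutf8
}

# Demo with placeholder keys: print the client config, rendering it as a QR
# code when qrencode is installed, then the server-side peer block.
wg_client_conf CLIENT_PRIVATE_KEY_PLACEHOLDER 10.8.0.2 \
    SERVER_PUBLIC_KEY_PLACEHOLDER vpn.example.com:51820 |
    if command -v qrencode >/dev/null 2>&1; then wg_qr; else cat; fi
wg_server_peer CLIENT_PUBLIC_KEY_PLACEHOLDER 10.8.0.2
```

The client config contains the private key, so treat the rendered QR code like the key itself: show it once on a screen the family member is looking at, and never save the image or paste the config into a chat.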