this post was submitted on 14 Jun 2023
38 points (97.5% liked)

Selfhosted

40347 readers
349 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

When I see this sort of thing, and other people are trying to do it, a reverse proxy or vpn is always mentioned. Heres my question:

How Dangerous is it to just open the port for it on my router and access it like that?

Lets say i want to access jellyfin from Kodi on my xbox or something outside my network, the vpn solution wouldnt work for this i would think.

My issue with reverse proxies, and why im asking, is it seems less secure? I mean Im well aware that an IP is easy to get, i guess. But how likely is someone to look for something on my network specifically? With reverse proxies it seems like i would be broadcasting my server to the internet in a way its easier to happen across, than someone being interested in a random residential IP.

I run a minecraft server for friends on my main computer anyway, and i know tons of people do that, theoretically thats the same level of danger as opening my network for jellyfin specifically.

VPN isnt an option because of this xbox stuff i mentioned and people in my family who have 0 chance of understanding it regardless.

So what is the better option, going through this reverse proxy ( which im actually also unsure would work with kodi) or rawdog the server on my network. I guess leaving the server exposed? or every device even.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

How Dangerous is it to just open the port for it on my router and access it like that?

It would probably be fine

Lets say i want to access jellyfin from Kodi on my xbox or something outside my network, the vpn solution wouldnt work for this i would think.

Depending how you set things up it will. Connect your computer to your VPN and it will have access. Set up a router as a VPN gateway (basically it would connect to the public/untrusted network and makes another network that routes its traffic through the VPN, as a bonus this also prevents snooping on the part of the untrusted network operator). Something like this could also be done in a more permanent way on remote networks, a VPN gateway to an IP range elsewhere. Only issue there would likely be for family members when they travel.

My issue with reverse proxies, and why im asking, is it seems less secure? I mean Im well aware that an IP is easy to get, i guess. But how likely is someone to look for something on my network specifically? With reverse proxies it seems like i would be broadcasting my server to the internet in a way its easier to happen across, than someone being interested in a random residential IP.

You seem to not exactly understand what a reverse proxy is, and seem to be confusing it with a domain name or something, while also not fully understanding how those work either.

A reverse proxy is a piece of software designed to accept HTTP(s) requests and "proxy" that request to the proper server. Reverse proxies are usually hardened against attacks better than application servers, and it is usually a good idea to put one in front of any application you are exposing to the internet. There is no "broadcasting" involved, basically you would port forward to the proxy as a middle-man of sorts instead of to jellyfin directly. It is also easy to set up SSL on the reverse proxy, regardless of whether you choose to encrypt your internal traffic between the reverse proxy and backend service. Nginx, Traefik, and Caddy are all popular options for reverse proxies and relatively easy to get set up.

With a domain name you purchase some name and can have that point at your IP address so you can use a memorable name rather than some random numbers. It also lets you update where the domain points so that when your IP changes (which does happen on most residential connections, even if only after something like an extended power/router outage).

Domain names also doesn't involve announcing your IP anywhere other than your DNS provider, instead DNS is a convoluted system that basically lets someone querying for what the IP address associated with, say, example.com can figure out where your DNS server is and ask it what IP it should talk to.

When combined this a reverse proxy can be used to decide what to do with traffic based on which domain name (example.com vs jellyfin.example.com) someone is accessing, all on the same IP. You can do all sorts of neat things for every different domain your reverse proxy handles, like requiring authentication, using IP whitelists, and more.

I run a minecraft server for friends on my main computer anyway, and i know tons of people do that, theoretically thats the same level of danger as opening my network for jellyfin specifically.

Wouldn't it be nice to just be able to tell your friends to connect to minecraft.example.com, and not even have to worry about telling them a port or anything? That's another neat thing you can do when you have control over DNS. You can even make a page for your minecraft server that works in a web browser with instructions, links to things (mod downloads, discord, etc), a community forum, or whatever else you want.

VPN isnt an option because of this xbox stuff i mentioned and people in my family who have 0 chance of understanding it regardless.

So what is the better option, going through this reverse proxy ( which im actually also unsure would work with kodi) or rawdog the server on my network. I guess leaving the server exposed? or every device even.

I would absolutely run a reverse proxy. I would suggest buying a domain name (Usually like ~$15 a year or something, depending on the domain and registrar you go with. I am a fan of Cloudflare).

Regardless what you go with, best of luck in your self-hosing journey! LMK if you have any questions about reverse proxies or domains/DNS.

Edited to add: Attackers are totally interested in random residential IPs. They are constantly running port scans to find vulnerable software/devices/whatever that they can attack. Sometimes it's just to add them to a botnet, other times it can be a vector to scan and decide to further exploit your network. Some of the biggest DDoS attacks ever have been via insecure cameras or other devices that people have just port forwarded to put them on the internet. In some cases a reverse proxy could have saved them. Also, "security through obscurity" can work (just shouldn't be relied on). Unless someone specifically thinks to check whether your server responds to camera.example.com, they would never even know you are exposing a potentially vulnerable device.