Hi all,

I’m looking at exposing some self-hosted web-based services externally so that some relatives can access them and would appreciate some advice.

Vikunja is the starting point (mostly to facilitate my spouse and I using it when away from home) but in future I want to set up Immich or similar to replace Google Photos, and that in particular will need to be shared with friends and family (especially so that immediate family can have camera uploads on automatically).

I understand that ideally I’d use SSH, a VPN, or Tailscale or similar (although I don’t have experience with Tailscale), but that’s not going to be feasible. Most of the family will not be able to set up those connections themselves (which means I would need to) and several are far enough away that it is impractical for me to provide on-site support or do it myself. Even if I could get a VPN or similar deployed on all their devices, I suspect that they’re going to struggle with needing to connect to it just to upload or view photos, then disconnect afterwards to resume using the Internet – I really need this to “just work” for them.

So this brings me back to safely exposing these services to the outside world. My network architecture complicates this a little, so for context:

  • Modem/router has basic firewall and points to a Raspberry Pi for DHCP. I already have No-IP set up with a domain name so that I can SSH into my LAN when away from home.
  • RPi runs Pi-hole + dnscrypt, acting as DHCP and DNS server for the network.
  • I want to use nginx as a reverse proxy running on this RPi, as I have experience with it and it can add SSL using certbot. The router would be configured to use port forwarding to direct external traffic for ports 80 and 443 to the RPi.
  • Vikunja is hosted on a separate Raspberry Pi (with other things like Shiori)
  • I have not yet determined where Immich or similar is going to go. I have an existing home server that I use for backups and important family stuff, but I really don’t want this to be vulnerable to the outside world. If I were to install Immich here, I’d need it to be well-isolated from the rest of the system. The other option is to get a NUC or similar, which is what I am leaning towards as the less stressful option.

So my main questions are:

  1. Beyond fail2ban and my router’s firewall, what else can I do to protect my network once I open ports 80 and 443?

  2. How do I handle fail2ban configuration when the services are on different devices from the nginx proxy? I understand the best place to put fail2ban would be on the Pi running nginx (since it’s the access point to the outside world), but that it also needs to read the logs from Vikunja, etc. to be effective.

  3. Where would you put Immich in my network architecture?

Any other tips/recommendations for making this easy to use for my less tech-inclined friends and family would be much appreciated as well. Thanks.
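
Question 2 above asks how fail2ban can protect services that live on hosts other than the nginx Pi. One approach that needs no access to Vikunja’s own logs: every external request terminates at nginx, so its access log already records the real client address and the status code the backend returned, and failed logins can be detected and banned right there. The Python below is an added example written for this page, not code from the original post, from Vikunja or from fail2ban; it applies fail2ban-style maxretry/findtime logic to constructed nginx “combined” log lines. The login path `/api/v1/login` and the failure status codes 401/412 are assumptions that must be checked against your own access log before you turn them into a real filter.

```python
"""Fail2ban-style brute-force detection on the reverse proxy's own access log.

Added example for this page (not from the original post, Vikunja or fail2ban).
The proxy Pi sees every external request, so its nginx access log is enough to
decide a ban: no need to ship the backend's logs across the network.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx "combined" format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_PATH = "/api/v1/login"   # assumed Vikunja login endpoint: verify in your own log
FAIL_STATUSES = {401, 412}     # assumed codes for bad credentials: verify in your own log

# Constructed sample log lines (not real traffic). 203.0.113.7 hammers the login
# endpoint, 198.51.100.23 mistypes once then succeeds, 192.0.2.9 fails slowly.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:14:00:01 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "curl/8.5.0"',
    '198.51.100.23 - - [10/Mar/2025:14:00:05 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:14:00:12 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "curl/8.5.0"',
    '192.0.2.9 - - [10/Mar/2025:14:00:20 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2025:14:00:31 +0000] "POST /api/v1/login HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:14:00:40 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Mar/2025:14:01:02 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Mar/2025:14:01:15 +0000] "GET /api/v1/info HTTP/1.1" 200 310 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Mar/2025:14:01:30 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "curl/8.5.0"',
    '192.0.2.9 - - [10/Mar/2025:14:12:00 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2025:14:24:00 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2025:14:36:00 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2025:14:48:00 +0000] "POST /api/v1/login HTTP/1.1" 412 58 "-" "Mozilla/5.0"',
    'not a log line',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def is_login_failure(method, path, status):
    """A failed login as seen by the proxy: POST to the login path with a failure code."""
    return method == "POST" and path == LOGIN_PATH and status in FAIL_STATUSES


def find_bans(lines, maxretry=5, findtime_s=600):
    """Return {ip: time_of_ban} for clients with >= maxretry failures inside findtime_s seconds.

    Mirrors fail2ban's maxretry/findtime: a sliding window of failure timestamps per IP.
    """
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if ip in banned or not is_login_failure(method, path, status):
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()          # forget failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts      # fail2ban would now fire its banaction (e.g. nftables)
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Expressed as a fail2ban jail on the proxy Pi, the same logic is `logpath = /var/log/nginx/access.log`, `maxretry = 5`, `findtime = 600`, with a custom filter whose `failregex` matches `<HOST>` followed by the POST to the login path and the failure status. The example also makes a caveat visible: the address being banned is nginx’s `$remote_addr`, which is the real client only because nginx is the first hop. Behind a tunnel or another proxy that field would be the tunnel’s address and one ban would lock everyone out; likewise, fail2ban running on the Vikunja Pi itself would only ever see the proxy’s address unless nginx sets `X-Forwarded-For` and the backend is told to trust it.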

  • irmadlad@lemmy.world · 3 points · 3 hours ago

    This is how my network is set up just as an example. Not to imply that this is the gold standard by any stretch of the imagination. It has served me well over the years, so I figured I’d drop it here and maybe you could get a few ideas.

    https://lemmy.world/post/43533409

  • chrash0@lemmy.world · 8 points · 5 hours ago

    I have a VPS offsite to act as a gateway. It’s just a small piece of a machine somewhere in my region that routes requests to my home network via Tailscale. This has a few benefits:

    • I don’t have to worry about my ISP changing my IP. My VPS has more stable IPs.
    • I don’t have to expose ports directly to the internet. Tailscale authenticates the connection. Plus I have Caddy routing the whole system. I use subdomains like foundry.chrash.net, jellyfin.chrash.net, etc.
    • Another benefit of Tailscale to point out is that you don’t need local IPs to be static either; Tailscale will allow you to access your machines by hostname or another static IP. This helps to decouple your local topology from your service network.
  • dieTasse@feddit.org · 3 points · 5 hours ago

    1. I would recommend a VPS for publicly facing services. You simply don’t want to open your home network; one mistake is enough: old router software, one small misunderstanding or a bit of bad luck. If someone gets into your VPS, few services will be hurt; if someone gets into your home network, it’s game over.
    2. There is a nice little app called immich proxy. I didn’t yet try it myself (but I plan to), but basically if you want to just share some albums or photos, you can make the proxy accessible publicly while your Immich stays safe.
  • wltr@discuss.tchncs.de · 2 points · 5 hours ago

    I’d suggest you investigate either Tailscale or similar solutions. I’m using Tailscale, and it’s really easy to set up. It can automatically connect to the VPN when you access its resources, and the internet works as well. So technically, they can be connected all the time. That’s much safer than the alternative of just opening a port, and dealing with things like CGNAT.

    The alternatives to Tailscale I know about are Headscale (which you need to self-host), Netbird, WireGuard. At least, but there are more.

    And search for tunnels as well. You could utilise Cloudflare Tunnel, but I wouldn’t go that way.

    I’d suggest testing waters with Tailscale as it’s the easiest, and tweak from there. They have a YouTube channel which helps at starting, I found it just recently. (I use them for a year or two now.)

  • early_riser@lemmy.world · 1 point · 4 hours ago

    Since you’re just sharing things within a small group, I think it’s safe to give out your IP or a domain pointing to it. However, you need to put your services behind a DMZ. Make a separate VLAN on your network and put the Pis behind it. Make sure traffic from your private LAN can enter the DMZ but nothing from the DMZ can go to your LAN unless it’s return traffic for a session started in your LAN. If a machine in your DMZ is compromised, it shouldn’t affect your LAN.
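
The DMZ rule stated in the comment above (LAN may open connections into the DMZ; the DMZ may send traffic into the LAN only as replies to connections the LAN started) is exactly what a stateful firewall’s connection tracking provides, and it is easy to get wrong by matching on port numbers instead of on tracked connections. The Python below is an added example written for this page, not code from the commenter or from any firewall product; it simulates that policy over constructed packets so the allowed and denied directions can be checked. The subnets, hosts and the forwarded ports 80/443 are assumptions chosen to match the layout described in the original post.

```python
"""Stateful DMZ policy simulation (added example, not from the original comment).

Zones (assumed for illustration):
  lan  192.168.1.0/24   family devices and the backup server
  dmz  192.168.50.0/24  the Pis: nginx/Pi-hole on .5, Vikunja on .6
  wan  everything else (the internet)
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed private LAN
DMZ = ipaddress.ip_network("192.168.50.0/24")   # assumed DMZ VLAN
FORWARDED_PORTS = {80, 443}                     # what the router forwards to the nginx Pi


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def zone(addr):
    """Classify an address into lan / dmz / wan."""
    ip = ipaddress.ip_address(addr)
    if ip in LAN:
        return "lan"
    if ip in DMZ:
        return "dmz"
    return "wan"


class StatefulFilter:
    """Minimal model of a conntrack-based firewall sitting between the zones."""

    def __init__(self):
        # Connections we accepted as NEW, keyed by (src, sport, dst, dport).
        self.conntrack = set()

    def allow(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # ESTABLISHED: a reply to a connection we already accepted, any direction.
        if reverse in self.conntrack:
            return True

        sz, dz = zone(pkt.src), zone(pkt.dst)
        new_ok = (
            sz == "lan"                              # LAN may open anything (DMZ or internet)
            or (sz == "dmz" and dz == "dmz")         # nginx Pi -> Vikunja Pi inside the DMZ
            or (sz == "dmz" and dz == "wan")         # DMZ out to the internet (updates, ACME)
            or (sz == "wan" and dz == "dmz"
                and pkt.dport in FORWARDED_PORTS)    # router port-forward to nginx only
        )
        # Deliberately absent: any NEW connection from dmz -> lan, and wan -> lan.
        if new_ok:
            self.conntrack.add(flow)
        return new_ok


if __name__ == "__main__":
    fw = StatefulFilter()
    checks = [
        ("LAN client queries Pi-hole DNS", Packet("192.168.1.10", 51234, "192.168.50.5", 53)),
        ("DNS reply back to the client", Packet("192.168.50.5", 53, "192.168.1.10", 51234)),
        ("compromised Pi probes the NAS on SMB", Packet("192.168.50.6", 40000, "192.168.1.20", 445)),
        ("internet -> nginx on 443", Packet("203.0.113.7", 55000, "192.168.50.5", 443)),
        ("internet -> SSH on the Pi", Packet("203.0.113.7", 55001, "192.168.50.5", 22)),
    ]
    for label, pkt in checks:
        print(f"{'ALLOW' if fw.allow(pkt) else 'DROP ':5} {label}")
```

Two things the model makes concrete for the layout in the original post. First, the denied direction is decided by connection state, not by the reply port: a DMZ host sending traffic from port 53 to a LAN port that never asked is dropped, which is what stops a compromised Pi from reaching the backup server. Second, the Pi-hole Pi also serves DHCP for the LAN, and DHCP discovery is a broadcast that does not cross a VLAN boundary, so moving that Pi into the DMZ means either configuring a DHCP relay on the router or moving DHCP to a device that stays on the LAN; many consumer routers support neither VLANs nor relay, so check before committing to this design.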

    • SomeLemmyUser@discuss.tchncs.de · 6 up / 1 down · 7 hours ago

      I was going to build my system like that, but recently learned that host client isolation is not as strong as people make you believe.

      Just a few weeks ago we learned that copy fail (security vulnerability) was on major distros for years until it was fixed; it would allow containers and VMs to infect the host system. XZ Utils could also lead to a broken host client separation, as Proxmox uses SSH for clustering and the like.

      So for really important stuff I am going to have a dedicated physical server or put it in cold storage altogether.

      That said, I am by no means an expert so feel free to correct me if I got something wrong.

      • hirihit640@sh.itjust.works · 9 points · edited · 5 hours ago

        copy fail allows VMs to infect the host system? I thought it was a kernel vulnerability, not a hypervisor vulnerability. Containers and LXCs share the kernel with the host, full VMs do not. So a kernel exploit allows container escape but not VM escape.

        Kernel exploits happen a few times a year. Hypervisor exploits and VM escapes are VERY rare.

        Using SSH for clustering is optional. You can just use normal VMs. You don’t have to install SSH into the VM; you can view it through Proxmox. The only difference between a VM and a physical machine is the hypervisor, so the only security difference is the security of the hypervisor. And as I mentioned, hypervisor exploits are very rare.

        Edit: for a sense of perspective, think about this. Almost every major tech company in the world relies on hypervisors for security. Qubes OS, known in the privacy/security world as one of if not the most secure OSes, relies on the hypervisor for security. An easily exploitable hypervisor escape would be a vulnerability on the scale of the XZ utils backdoor (which was unsuccessful). I have not seen a vulnerability of that scale since heartbleed.

    • Australis13@fedia.io (OP) · 1 point · 6 hours ago

      Thanks for the recommendation. I have no experience with Proxmox, so this might be part of a longer-term project once I’ve got the Vikunja access working (at least that’s on a separate Pi and so would be similar to a distinct VM in that regard).

  • Jeena@piefed.jeena.net · 1 point · 5 hours ago

    I have a Raspberry Pi with Home Assistant on it and I run Nginx Proxy Manager on it. It does the whole HTTPS thing and exposes specific services from my internal network for easy access for me and my family.

  • surewhynotlem@lemmy.world · 4 up / 4 down · 7 hours ago

    You’re going to be sending a url to your family to put into vikunja. That url could contain a port. You’ll dodge a LOT of hassle if you don’t use 80, 443, or any other well known port.

    • Australis13@fedia.io (OP) · 1 point · 6 hours ago

      Good call. I’ll have to play around with certbot using DNS validation (only ever tried with HTTP validation), but certainly worth including in my plan. Thanks.