I understand that people enter the world of self hosting for various reasons. I am trying to dip my toes in this ocean to try and get away from privacy-offending centralised services such as Google, Cloudflare, AWS, etc....
Put your reverse proxy in a DMZ, so that only it is directly facing the intergoogles
So what? I can still access your application through the rproxy. You're not protecting the application by doing that.
Install a single wildcard cert and easily cover any subdomains you set up
This is a way to do it but not a necessary way to do it. The rproxy has not improved security here. It's just convenient to have a single SSL endpoint.
There’s even nginx configuration files out there that will block URL’s based on regex pattern matches for suspicious strings. All of this (probably a lot more I’m missing) adds some level of layered security.
If you do that, sure. But that's not the advice given in this forum is it? It's "install an rproxy!" as though that alone has done anything useful.
For the most part people in this forum seem to think that "direct access to my server" is unsafe but if you simply put a second hop in the chain that now you can sleep easily at night. And bonus points if that rproxy is a VPS or in a separate subnet!
The web browser doesn't care if the application is behind one, two or three rproxies. If I can still get to your application and guess your password or exploit a known vulnerability in your application then it's game over.
They may offer some sort of WAF (web application firewall) that inspects traffic for potentially malicious intent. Things like SQL injection. That's more than just a proxy though.
Dr. Amen seemingly is a very popular "ADHD influencer". Many of his claims surrounding ADHD, however, are scientifically dubious. His main claim to fame is his work with SPECT imaging as a tool for diagnosing mental disorders [11]. Specifically relevant to this community is his advocacy for its purported use in diagnosing ADHD...
Hi! I’m currently using navidrome, but eventually I will probably need support for multiple users (each user has access to different music or the same music) which isn’t supported in navidrome right now. I don’t really want to run two containers of the same thing if I can avoid it. Thanks
I don't have spare peripherals like a monitor and a keyboard. How do you suggest I do a bare-metal install of Debian on a computer (meant to be a server)?
Hello all! Yesterday I started hosting forgejo, and in order to clone repos outside my home network through ssh://, I seem to need to open a port for it in my router. Is that safe to do? I can't use a vpn because I am sharing this with a friend. Here's a sample docker compose file:...
I have come to the conclusion that, regardless of whether it is safe, it doesn't make sense to increase the attack surface when I can just use https and tokens, so that's what I am going to do.
Are you already exposing HTTPS? Because if not you would still be "increasing your attack surface".
This is both true and highly misleading. Paranoia isn't a replacement for good security.
I would recommend something like wireguard, you still need to open a port on your router, but as long as they don't have your private key, they can't bruteforce it.
The same is true of ssh when using keys to authenticate.
Wait, so you have the full website exposed to the Internet and you're concerned about enabling ssh access? Because of the two ssh would likely be the more secure.
But either are probably "fine" so long as you have only trusted users using the site.
You’re right, but only if you are an experienced IT guy in an enterprise environment. Most users (myself included) on Lemmy do not have the necessary skills/hardware to properly configure and protect their networking system, that's why I consider something like wireguard way more secure than opening an SSH port.
But it doesn't help to just tell newbs that "THAT'S INSECURE" without providing context. It 1) reinforces the idea that security "is a thing" rather than "something you do" and 2) doesn't give them any further reference for learning.
It's why some people in this community think that putting a nginx proxy in front of their webapp somehow increases their security posture. Because you don't have "direct access" to the webapp. It's ridiculous.
Sure SSH key based configuration is also doing a great job but there is way more error prone configuration with an SSH connection than a wireguard tunnel.
Docker compose has a default "feature" of prefixing the names of things it creates with the name of the directory the yml is in. It could be that the name of your volume changed as a result of you moving the yml to a new folder. The old one should still be there.
I've been interested in self-hosting for a while, but didn't really know where to start. I've never messed with Linux before and wanted to jump ship from Windows since Microsoft decided to start putting ads everywhere....
I'm duplicating my server hardware and moving the second set off site. I want to keep the data live since the whole system will be load balanced with my on site system. I've contemplated tools like syncthing to make a 1 to 1 copy of the data to NAS B but i know there has to be a better way. What have you used successfully?
My server (fedora) has been stopping all podman containers after 2-3 hours for the past 3 days. I can start all containers again, and the same happens after a while. I do not know where to look for the problem....
If something you're running has a memory leak then it doesn't matter how much RAM you have.
You can try adding memory limits to your containers to see if that limits the splash damage. That's to say you would hopefully see only one container (the bad one) dying.
Tabs are 8 characters, and thus indentations are also 8 characters. There are heretic movements that try to make indentations 4 (or even 2!) characters deep, and that is akin to trying to define the value of PI to be 3....
sudo and friends allow you to gain root access while not enabling the root account. If the root account has no credentials then nobody is guessing your password and logging in as an admin.
On a multi-user system it allows for multiple admins without sharing a password. It also allows providing admin access for "some" things but not others.
I would like to have a central Calendar that I could sync everything to it, from my email calendars and my to do list, is there something like that selfhosted or not, that is FOSS?
For this scenario, are you imagining that a person may have physically entered the coffee shop who’s both tech savvy and malicious enough to run a malicious device there?
I mean.. Yeah. I've sat in a coffee shop or airport in the past and sniffed traffic out of mere curiosity. Why wouldn't a malicious actor be there?
You need to compare "everybody who has ever done anything malicious at a cafe" if you want to make a valid comparison to "all the ISPs in the world". In the US nobody would be using an ISP that would be doing anything malicious in a cafe. "has deals with the American government" paranoia notwithstanding.
I'm going to go ahead and say we just differ in what we consider to be "malicious behavior". Yes, the NSA spying is bad, but they're not "stealing credit cards bad".
See if it frees up any space. But it does seem like you're running containers (which makes sense given you're on an immutable distro) so I would expect to be using lots of temporary space for container images.
My guess is that you're using some other form of containers then, there are several. It's a common practice with immutable distros though I don't know much about bazzite itself.
Are these files large? Are they causing a problem? Growing without end? Or just "sitting there" and you're wondering why?
Those aren't the only containers. It could be containerd, lxc, etc.
One thing that might help track it down could be running sudo lsof | grep '/var/tmp'. If any of those files are currently opened it should list the process that holds the file handle.
"lsof" is "list open files". Run without parameters it just lists everything.
So - there are a few different types of resources podman manages.
containers - These are instances of an image and the thing that "runs". podman container ls
images - These are disk images (actually multiple but don't worry about that) that are used to run a container. podman image ls
volumes - These are persistent storage that can be used between runs for containers since they are often ephemeral. podman volume ls
When you do a "prune" it only removes resources that aren't in use. It could be that you have some container that references a volume that keeps it around. Maybe there's a process that spins up and runs the container on a schedule, dunno. The above podman commands might help find a name of something that can be helpful.
I'm not terribly familiar with distrobox unfortunately. If it's a front end for podman then you can probably use the podman commands to clean up after it? Not sure if that's the "correct" way to do it though.
I'm using Debian 12, Ryzen 7 5700X processor, and Radeon HD 5450 graphics card. I have tried uninstalling and reinstalling VLC but it didn't resolve the issue. Here's an excerpt from the VLC's log file:...
The reverse proxy is going to have a config that says "for hostname 'foo' I should forward traffic to foo.example.com:port".
If you set up the rproxy at home then ssh just needs to forward all port 443 traffic to the rproxy. It doesn't care about hostnames. The rproxy will then get a request with the hostname in the data and forward it to the appropriate target on behalf of the requester.
If you set up the rproxy at the vps then yes - you would need to forward different ports to each backend target. This is because the rproxy would need to direct traffic to each target individually. And if your target is "localhost" (because that's where the ssh endpoint is) then you would differentiate each backend by port.
To provide a bit more detail then - you would set up your proxy with DNS entries "foo.example.com" as well as "bar.example.com" and whatever other sub-domains you want pointing to it. So your single IP address has multiple domain names.
Then your web browser connects to the proxy and makes a request to that server that looks like this:
GET / HTTP/1.1
Host: foo.example.com
nginx (or apache, or other reverse proxies) will then know that the request is specifically for "foo.example.com" even though they all point to the same computer. It then forwards the request to whatever you want on your own network and acts as a go-between for the browser and your service. This is often called something like host-based routing or virtual-hosts.
In this scenario the proxy is also the SSL endpoint and would be configured with HTTPS and a certificate that verifies that it is the source for foo.example.com, bar.example.com, etc.
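The host-based routing described in the comment above, written out as an nginx configuration. This is an added example, not the commenter's own config: the hostnames foo.example.com and bar.example.com come from the comment, while the backend addresses (192.168.1.10:8080, 192.168.1.11:8081), the certificate paths and the port numbers are assumptions for illustration. The catch-all server block is the check a practitioner wants here: a request whose Host/SNI name is not one you configured gets the connection closed (nginx's non-standard 444) instead of silently landing on whichever vhost nginx lists first.

```nginx
# Added example (not from the original comment): one nginx reverse proxy that is
# the TLS endpoint for several names and routes on the Host header.
# Backend addresses, cert paths and ports below are assumed, not from the page.

# Catch-all for unknown names: complete the TLS handshake, then close. Without
# a default_server, nginx would hand unknown hosts to the first server block.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # assumed wildcard cert
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    return 444;
}

# Plain HTTP: redirect only the names you actually serve.
server {
    listen 80;
    server_name foo.example.com bar.example.com;
    return 301 https://$host$request_uri;
}

# foo.example.com -> one backend
server {
    listen 443 ssl;
    server_name foo.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        # Proxy-at-home variant: the backend is a host on the LAN (assumed address).
        # Proxy-on-the-VPS variant (per the comment): the target is the ssh
        # endpoint on localhost, so use 127.0.0.1:<port>, one port per backend.
        proxy_pass http://192.168.1.10:8080;

        # Pass the original name and client address through so the backend can
        # do its own vhost logic and log the real client, not the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# bar.example.com -> another backend, same pattern
server {
    listen 443 ssl;
    server_name bar.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://192.168.1.11:8081;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the syntax with nginx -t before reloading, and verify the routing from outside with curl --resolve foo.example.com:443:<proxy ip> https://foo.example.com/ (and the same for bar.example.com): the two names should reach different backends, and a made-up name pointed at the same IP should get an empty reply rather than one of the real services. Keep in mind, as the thread above already points out, that this only decides where a request goes; it does nothing to protect the application it forwards to.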
How the amazingly burly ‘Buffalo Bicycle’ offers affordable transport to developing countries ( yt.artemislena.eu )
Alternative Youtube Link...
Server for a boat
Good day, friends. Since catching the self-hosting bug, I've set up a couple of Proxmox home servers with a bunch of services I enjoy....
Is it practically impossible for a newcomer to selfhost without using centralised services, and get DDOSed or hacked?
Beware: Dr. Daniel Amen may be a grifter
Looking for a music server
How do I do a bare-metal install (Debian) without a monitor+keyboard?
Is it safe to open a forgejo git ssh port in my router?
Immich help, please -- Am I boned now?
Ohboy. Tonight I:...
Generate document from templates and database
I'm looking for a solution to generate document (ideally docx but pdf is ok) from a database...
Beginner in need of real help!
Mirror all data on NAS A to NAS B
superfile - A pretty fancy and modern terminal file manager ( raw.githubusercontent.com )
https://github.com/MHNightCat/superfile
How to detect problems on computer?
Linux kernel Rust coding guidelines are heretic.
Systemd Looks to Replace sudo with run0 ( news.itsfoss.com )
Suggestions for filesystem.
Hello all,...
What Calendar and To Do solution do you recommend?
Novel attack against virtually all VPN apps neuters their entire purpose ( arstechnica.com )
My /var/tmp folder is endlessly stacking up on "container_images_storage_xxxxxxxxxx" folders? ( slrpnk.net )
The issue at hand:...
[Resolved] After updating through both APT and the Software Store, I can't play mp4 videos with VLC anymore. The screen goes blank for a second or two then the audio starts playing without the video.
Reverse proxy
I have an openwrt router at home which also acts as my home server. It's running a bunch of services using docker (Jellyfin, Nextcloud, etc.)...
Dynamic DNS vs Dedicated VPN IP
Hi everyone!...
Switching from win 11
After convincing my employer to move away from MS office I can finally make the permanent switch away from windows....
XPipe 9 comes with VNC, RDP, and SSH X11 support, a better SSH integration, terminal improvements, and many bug fixes ( sh.itjust.works )
Hello there,...
Which file system do you recommend for Linux?
Just a simple question :...