Recently spun up a small Debian server and I have a few docker containers running on it. In the future I will probably want it to be accessible by friends and family, on devices where wireguard won't be usable. Reading this thread I can tell I will need to set up a domain and nginx reverse proxy with NPM. Beyond that, I like the idea of segregating this server from the rest of my network, but I don't like how my router would handle a DNS (allow all traffic to the server and separate it from the internal network, throwing it to the wolves). On the other hand, my router does have a packet filtering option. Would it be secure/wise to use that to block the server from initiating connections to any other local devices? In the event that the server is compromised, that is.
# ? Sep 28, 2023 16:56
If your server isn't on a separate network (subnet) it's not going to matter, traffic is gonna bypass it at layer 2 (unless it also acts as your switch), but otherwise that's how DMZs work, yes.
# ? Sep 29, 2023 00:17
It is one of those all in one router/gateway type deals from my ISP, so I suppose it does act as a switch for my network? I may move the server to another unmanaged switch that is attached to the same router but overall it's a very simple network, nothing fancy.
dweepus fucked around with this message at 00:34 on Sep 29, 2023
# ? Sep 29, 2023 00:25
If you're doing all this in docker containers you can set up docker networks between your containers and NPM so they have separate subnets from your LAN. It also has the benefit of letting the docker network act as a DNS server so you can point NPM to an internal domain rather than an IP. An example couple of compose files would be:
Nitrousoxide fucked around with this message at 00:49 on Sep 29, 2023
# ? Sep 29, 2023 00:43
Admittedly I am still learning about how to implement docker but something like that was definitely on my to-do list. My question was more about what if an attacker had already escaped the container and attempted to hop from my server to another device, but maybe I am just being paranoid at that point. At the least I plan to run each container with minimal and segregated privileges, only allow the containers that need to communicate with each other to do so, implement fail2ban, and probably set up some nftables rules to limit incoming connections. I suppose it's really a matter of finding where the line is between not enough and overkill for practical purposes.
# ? Sep 29, 2023 00:56
Nitrousoxide posted: If you're doing all this in docker containers you can set up docker networks between your containers and NPM so they have separate subnets from your LAN. It also has the benefit of letting the docker network act as a DNS server so you can point NPM to an internal domain rather than an IP.

Pretty sure this doesn't do what you think it does, unless you're also doing some external firewall iptables magic you didn't list. Docker networks are basically just a NAT, the containers still have full RFC 1918 access. The host acts as a gateway.
# ? Sep 29, 2023 01:45
Mr. Crow posted: Pretty sure this doesn't do what you think it does, unless you're also doing some external firewall iptables magic you didn't list. Docker networks are basically just a NAT, the containers still have full RFC 1918 access. The host acts as a gateway.

Yeah, I misunderstood what they wanted. This will separate the containers from each other, and they won't have access to a direct IP connection to another container except through the reverse proxy. However, they will still have access to the whole LAN. You'll want a separate DMZ that your services live on to get true network separation from the rest of your LAN.
# ? Sep 29, 2023 01:49
I guess my real question is: is putting this server in a DMZ "necessary" (to the extent of reasonable security, not exactly Fort Knox over here), or am I worrying too much and container hardening + locking down authentication is sufficient? I realize it's kind of subjective but it's been a few years since my formal network security education and I'm a bit rusty on where the lines between theoretical and practical lie.
# ? Sep 29, 2023 02:22
Depends entirely what you're comfortable with and what the services are. I wouldn't with just what we've talked about so far, but I probably wouldn't have much of a problem if I was running SELinux + Podman + configured the host to block local network access from the container network. Also making sure the containers are hardened somewhat. I don't think docker can do that with any flags, podman might, but you can just do it with your host's firewall: https://stackoverflow.com/questions/72037768/how-to-prevent-docker-containers-from-accessing-my-local-network

Also I wouldn't trust some ISP or consumer router, they rarely patch out vulnerabilities and even when they do many have laughably short support cycles, but I'm also paranoid. See e.g. https://www.tomsguide.com/news/router-attack-netusb-flaw. You can use something like opnsense or openwrt or pfsense and with some basic maintenance have a secure gateway basically for the life of the hardware.
Mr. Crow fucked around with this message at 03:09 on Sep 29, 2023
# ? Sep 29, 2023 03:04
Mr. Crow posted: Also I wouldn't trust some ISP or consumer router, they rarely patch out vulnerabilities and even when they do many have laughably short support cycles, but I'm also paranoid.

I agree with this and I don't consider myself paranoid. I did incident response for 15 years, though, and I have Seen Some poo poo.
# ? Sep 29, 2023 03:35
I think clarification is needed here too because I read a comment about an emby exploit.... I'd never expose a service directly to the Internet. Put a reverse proxy with authentication in front of it (or your choice of VPN etc).
Dyscrasia fucked around with this message at 04:19 on Sep 29, 2023
# ? Sep 29, 2023 04:16
So when you say authentication in front of the reverse proxy, do you mean Login Prompt > Nginx proxy > Jellyfin login prompt? So having an authentication layer on both sides of the reverse proxy? Also having done more research I do feel a bit more comfortable with putting the server in a DMZ. It seems to me that the stipulation with doing that is being very thorough with a firewall on the host itself.
# ? Sep 29, 2023 22:27
Dyscrasia posted: I think clarification is needed here too because I read a comment about an emby exploit.... I'd never expose a service directly to the Internet. Put a reverse proxy with authentication in front of it (or your choice of VPN etc).

It looks like the Emby bug is basically: if you have "permit local network login without password" turned on (so users on the LAN can just click their username), and you have it configured for reverse proxy deployment (so it reads the X-Forwarded-For: header), and you don't actually have it behind a reverse proxy but instead directly facing the internet, any rando can just send it an HTTP request with X-Forwarded-For: 127.0.0.1 and get passwordless login.
# ? Sep 29, 2023 23:50
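The Emby bug explained in the post above comes down to which X-Forwarded-For values an application believes. The following is an added Python example (not code from the thread, from Emby, or from NPM) that contrasts the vulnerable "trust the header from anyone" pattern with trusted-proxy handling; the proxy subnet 172.18.0.0/16, the LAN 192.168.1.0/24 and the client address 203.0.113.7 are constructed for the demonstration.

```python
import ipaddress

# Constructed addresses for the demo: the reverse proxy lives on a docker
# network, and "permit local login without password" covers loopback + LAN.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]
LOCAL_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("192.168.1.0/24")]


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def client_ip_unsafe(remote_addr, headers):
    """The bug pattern: X-Forwarded-For is believed no matter who sent it."""
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_safe(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    take the rightmost hop that a trusted proxy did not itself add (nginx
    appends the real peer after whatever the client sent). Anything
    malformed falls back to the peer address."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if not _in_any(peer, trusted_proxies):
        return remote_addr  # direct client: its own header means nothing
    xff = _header(headers, "X-Forwarded-For") or ""
    for entry in reversed([e.strip() for e in xff.split(",") if e.strip()]):
        try:
            hop = ipaddress.ip_address(entry)
        except ValueError:
            return remote_addr
        if not _in_any(hop, trusted_proxies):
            return str(hop)
    return remote_addr


def local_login_allowed(client_ip):
    """The passwordless-login rule: the client must be on a local network."""
    try:
        return _in_any(ipaddress.ip_address(client_ip), LOCAL_NETWORKS)
    except ValueError:
        return False


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    # Directly exposed server: the spoofed header wins under the bug pattern.
    print(local_login_allowed(client_ip_unsafe("203.0.113.7", spoof)))  # True
    print(local_login_allowed(client_ip_safe("203.0.113.7", spoof)))    # False
    # Behind the proxy, the proxy appends the real peer after the client's header.
    via_proxy = {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}
    print(client_ip_safe("172.18.0.2", via_proxy))  # 203.0.113.7
```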
dweepus posted: So when you say authentication in front of the reverse proxy, do you mean Login Prompt > Nginx proxy > Jellyfin login prompt? So having an authentication layer on both sides of the reverse proxy?

More or less. I'd probably turn off the emby authentication and force all traffic through the reverse proxy. I don't trust services like emby or the *arrs to properly implement authentication. I use emby myself, but only on the local network. I'd be doing tailscale if I needed remote access.
# ? Sep 30, 2023 15:10
Makes sense. Currently for what I want externally accessible (eventually) it's just jellyfin and navidrome. Internally I will want access to pihole, *arrs, Heimdall, etc. All of these are in containers on the same box. If I put auth in front of Nginx, how would that affect app clients connecting to those services, notably smart tv apps?
# ? Sep 30, 2023 19:54
Is there anyone here I can pick the brains on for Synology or regular networking nonsense? I recently started using IDrive for offsite backups and they provide a Syn native application that "just works". This is all well and good, but it is architected to run via a web portal using the Syn native webserver (Apache iirc) and lives as a subdomain, [nas domain]/IDrive. The issue here is that my Reverse Proxy (again, Syn native. NGX iirc) isn't having it when I try to access it via the domain and I have to use [NAS IP]/IDrive to go about my business. Not a major issue, but an annoying one. Does anyone have a notion as to what might be causing the issue? The web service has an alias set up so [domain]/subdirectory ought to work same as it would for the photo service.
# ? Sep 30, 2023 21:12
dweepus posted: Makes sense. Currently for what I want externally accessible (eventually) it's just jellyfin and navidrome. Internally I will want access to pihole, *arrs, Heimdall, etc. All of these are in containers on the same box. If I put auth in front of Nginx, how would that affect app clients connecting to those services, notably smart tv apps?

Just use a VPN
# ? Sep 30, 2023 22:01
Auth in front of nginx, be it Authelia, Authentik, basicAuth, Cloudflare tunnel 2step, whatever, will break smart tvs and mobile apps connecting to emby/jellyfin. Tailscale is available on apple TVs now, so it may be more practical to "just use a VPN" than it used to be for AppleTV/Android based set top boxes.
# ? Sep 30, 2023 23:02
THF13 posted: Auth in front of nginx, be it Authelia, Authentik, basicAuth, Cloudflare tunnel 2step, whatever, will break smart tvs and mobile apps connecting to emby/jellyfin.

HTTPS with basic auth is a heck of a lot easier to set up, and will get you a pretty decent bump in overall security stance. I don't even remember who asked about this, but HTTP basic isn't a bad move.
# ? Sep 30, 2023 23:06
I do like putting some kind of auth, even http basic auth in front of services, but it too will break Emby/Jellyfin smart tv/mobile apps. There's a couple of self hosted type services that will let you specify a basic auth user/password and their own user/password, but not these. Well afaik, not super up to date with Jellyfin's apps.
# ? Sep 30, 2023 23:11
Ah shoot, in that case it's VPN all the way in my opinion.
# ? Sep 30, 2023 23:41
I’m looking at getting a video doorbell and maybe a couple outdoor cameras that are preferably PoE so I don’t have to deal with batteries or snow blocking solar rechargers. I stumbled upon Frigate (https://github.com/blakeblackshear/frigate), which seems really cool + good. One big thing I’d really like is to integrate it with HomeKit, mostly so most of the annoyance is front loaded with the install + config/server shenanigans and I don’t have to deal with lovely apps and stuff like that. I’m assuming goons have probably hosed around with stuff like this, so any pointers would be super helpful
# ? Oct 4, 2023 05:05
Is there a SQL Server Management for Idiots out there? I have one doing things for a handful of services and I haven’t really touched it. I probably should do backups or the like.
# ? Oct 4, 2023 13:17
How are the self-hosted alternatives to Google Photos doing these days? I've been using it since it came with my Pixel phone but the free unlimited storage has long since expired, and I told myself that once I started getting close to the storage limit I'd finally get off of it and roll my own. The thing I like the most is being able to search "birds" and get all my pictures of birds using whatever ML algorithm they're using. With AI stuff becoming more widespread is that something alternatives are able to do these days? I'll probably be running it on my TrueNAS box.
# ? Oct 4, 2023 14:59
Coxswain Balls posted: How are the self-hosted alternatives to Google Photos doing these days? I've been using it since it came with my Pixel phone but the free unlimited storage has long since expired, and I told myself that once I started getting close to the storage limit I'd finally get off of it and roll my own. The thing I like the most is being able to search "birds" and get all my pictures of birds using whatever ML algorithm they're using. With AI stuff becoming more widespread is that something alternatives are able to do these days? I'll probably be running it on my TrueNAS box.

I've heard immich is really really good but haven't tried installing it. In the process of trying to get my Google takeout photos into a place to import into a new platform (combining the json with the date and exif data) and am trying Memories in Nextcloud as a replacement. Will let you know how it goes.
# ? Oct 4, 2023 15:02
Coxswain Balls posted: How are the self-hosted alternatives to Google Photos doing these days? I've been using it since it came with my Pixel phone but the free unlimited storage has long since expired, and I told myself that once I started getting close to the storage limit I'd finally get off of it and roll my own. The thing I like the most is being able to search "birds" and get all my pictures of birds using whatever ML algorithm they're using. With AI stuff becoming more widespread is that something alternatives are able to do these days? I'll probably be running it on my TrueNAS box.

I'm still using NextCloud and their terrible photo browser on a computer and "Les Pas" on my phone. It's not a great solution. I haven't tried immich in a while. It's very promising, but very incomplete. It's probably worth a try for you (and for me to see how far they've gotten since the last time I tried it). The more mature one is PhotoPrism. Which bafflingly doesn't have any concept of "users". There were also some other annoyances that may have risen to the level of deal killer for me, but I don't recall them. It may very well work for you - we've all got different requirements.
# ? Oct 4, 2023 15:09
Motronic posted: I'm still using NextCloud and their terrible photo browser on a computer and "Les Pas" on my phone. It's not a great solution.

Check out memories for NC, it's quite nice
# ? Oct 4, 2023 15:10
I still haven’t gotten around to figuring out how to dump iCloud Photos onto my nas as a physical backup. I’m extremely annoyed macOS requires the photos library to be stored on the local drive instead of a network drive, otherwise I’d be golden
# ? Oct 4, 2023 15:38
Coxswain Balls posted: How are the self-hosted alternatives to Google Photos doing these days? I've been using it since it came with my Pixel phone but the free unlimited storage has long since expired, and I told myself that once I started getting close to the storage limit I'd finally get off of it and roll my own. The thing I like the most is being able to search "birds" and get all my pictures of birds using whatever ML algorithm they're using. With AI stuff becoming more widespread is that something alternatives are able to do these days? I'll probably be running it on my TrueNAS box.

I've been using Immich for a couple of months now. It does run local ML stuff in a sidecar to classify images. Two users, auth via OIDC, sync from phones. Had trouble with some of the initial uploads from iPhone (like 3-4 photos IIRC) getting corrupted when the phone turned off its screen mid transfer, before I figured out how to disable that timeout, but it was a bit disappointing that Immich treated those interrupted uploads as if they were successful and prevented reuploads because the (non-corrupted) file hashes are registered for those entries in its database. Definitely still some rough edges, but the project is coming along nicely. iPhone background syncing is not working great.
# ? Oct 4, 2023 15:41
Warbird posted: Is there a SQL Server Management for Idiots out there? I have one doing things for a handful of services and I haven’t really touched it. I probably should do backups or the like.

If you're running the SQL server in a docker/podman container I'd just stop the container and back up the data volumes. It might be a bit bigger than it strictly needs to be from a proper sql dump, but you should never need to worry about learning the underlying sql tool. I run a bit more risky and do live backups of the database containers without stopping them. Hasn't failed me yet, but I imagine some day it will catch the database in the middle of a write and gently caress me over. I figure I can just roll back an extra day (since I do daily backups) and just deal with the day of data loss so I don't have to orchestrate shutting down and restarting the containers from my backup solution (Duplicati).
# ? Oct 4, 2023 15:51
|
TraderStav posted: Check out memories for NC, it's quite nice

Wow, thanks! I did almost nothing other than install and index - it's using all the preview generation and face rec I already had. It's so much better than "Photos". How is this not the default photo app in NC?
# ? Oct 4, 2023 16:56
Nitrousoxide posted: If you're running the SQL server in a docker/podman container I'd just stop the container and back up the data volumes. It might be a bit bigger than it strictly needs to be from a proper sql dump, but you should never need to worry about learning the underlying sql tool.

Oh huh, I hadn’t considered that. Iirc it’s just in some LXC setup from turnkey so I could likely automate that all in Proxmox. Hell, I should go see if Turnkey bundled some stuff in.
# ? Oct 4, 2023 17:44
Motronic posted: Wow, thanks! I did almost nothing other than install and index - it's using all the preview generation and face rec I already had. It's so much better than "Photos". How is this not the default photo app in NC?

There's some other things to set up for handling places (geolocation) and some other things. But it's really solid. Save the bookmark to your desktop and it's basically an app
# ? Oct 4, 2023 17:53
TraderStav posted: There's some other things to set up for handling places (geolocation) and some other things. But it's really solid. Save the bookmark to your desktop and it's basically an app

Yeah, I got the geolocation download thing too when I was indexing. Very painless, everything appears to Just Work(tm).

E: I thought all those previews I'd been processing forever were supposed to make things scroll smoother, but it turns out the Photos app is just permanently broken. So far, that's the biggest upgrade with this Memories app......it scrolls just fine on a timeline like google photos. And has done a fine job of ripping off "1 year ago, 5 years ago" too.
Motronic fucked around with this message at 18:34 on Oct 4, 2023
# ? Oct 4, 2023 18:27
Warbird posted: Oh huh, I hadn’t considered that. Iirc it’s just in some LXC setup from turnkey so I could likely automate that all in Proxmox. Hell, I should go see if Turnkey bundled some stuff in.

If your VM's storage is on ZFS storage you can use the "snapshot" mode in a backup task (one of the options under your proxmox cluster's datacenter) which will only pause the VM for a second or two while it snapshots the storage's current state. Then it'll run the backup on that state while it keeps running. Otherwise if it's not on ZFS storage you can have it suspend or shut down the vm for the backup. This obviously takes it down longer.
# ? Oct 4, 2023 18:57
|
TraderStav posted: I've heard immich is really really good but haven't tried installing it. In the process of trying to get my Google takeout photos into a place to import into a new platform (combining the json with the date and exif data) and am trying Memories in Nextcloud as a replacement. Will let you know how it goes.

What are you using to combine the json and exif data? Been wanting to do a Google Takeout of my photos to make a backup of them.
# ? Oct 4, 2023 19:09
Nitrousoxide posted: If your VM's storage is on ZFS storage you can use the "snapshot" mode in a backup task (one of the options under your proxmox cluster's datacenter) which will only pause the VM for a second or two while it snapshots the storage's current state. Then it'll run the backup on that state while it keeps running. Otherwise if it's not on ZFS storage you can have it suspend or shut down the vm for the backup. This obviously takes it down longer.

You know, I don't honestly know. I set up this PMox instance years ago just to try it out and have been meaning to get around to wiping it out and resetting it up with intention.
# ? Oct 4, 2023 19:16
Motronic posted: I'm still using NextCloud and their terrible photo browser on a computer and "Les Pas" on my phone. It's not a great solution.

NextCloud background upload of photos on iOS is really crap every time I looked at it. Like it never finished the initial sync from an iPhone. I'd love something that 'just worked'. I've taken to just having my wife on a spare Apple Mini that gets iCloud drive photos + time machine to my NAS but it still sucks.
# ? Oct 4, 2023 19:28
For those wanting a more barebones gallery, I've been shocked by how smooth PiGallery2 is. Unlike most of the other more featureful services, it doesn't need to take control of your photo uploads. Just give it read-only access to your pictures folder and it works, so you can replace it at any time. Upload your photos via whatever app you are already using to sync everything else (I use round-sync/rclone).
# ? Oct 4, 2023 19:36
Hughlander posted: NextCloud background upload of photos on iOS is really crap every time I looked at it. Like it never finished the initial sync from an iPhone. I'd love something that 'just worked'. I've taken to just having my wife on a spare Apple Mini that gets iCloud drive photos + time machine to my NAS but it still sucks.

It has had the same issues on android and they always come down to "the OS or app updated and now the background/power saving stuff is messed up AGAIN". I believe I mentioned this in the automation thread, but the way to fix ALL of this on android is to disable the very broken "doze" mode that has been added in the last year or few. "adb shell dumpsys deviceidle disable" And no, of course it doesn't persist a reboot.
# ? Oct 4, 2023 19:43