Scruff McGruff posted: Overseerr also led me to LunaSea which is basically a mobile app version of HOMER/Muximux that supports the *arr apps, Tautulli, and NZB. Pretty nice.

Huh, that's pretty cool.
Nov 18, 2021 04:43
Gay Retard posted: I ran into some issues years ago getting Let's Encrypt + DuckDNS set up for proper reverse proxy HTTPS forwarding and never bothered trying again, but I thought nginx proxy was pretty simple once I forwarded my domain's DNS to Cloudflare and set all my DNS up in there, as well as SSL/TLS certs. It's free.

From a security standpoint, I only expose things that support SSO or MFA. So for me it's just Overseerr (with only Plex login enabled). And yeah, everything else sits behind WireGuard. Please all, NPM/traefik are awesome but basic auth is not secure in any way, even over SSL, unless you've got some kind of IP ban mechanism in place.
Nov 18, 2021 15:28
Scruff McGruff posted: Overseerr also led me to LunaSea which is basically a mobile app version of HOMER/Muximux that supports the *arr apps, Tautulli, and NZB. Pretty nice.

TestFlight beta: https://testflight.apple.com/join/WWXaybra

Corb3t fucked around with this message at 16:07 on Nov 18, 2021
Nov 18, 2021 16:03
Matt Zerella posted: From a security standpoint, I only expose things that support SSO or MFA. So for me it's just Overseerr (with only Plex login enabled). And yeah everything else sits behind wireguard.

Completely agree, the only things I have exposed are Overseerr (Plex OAuth), Tautulli (Plex OAuth), Nextcloud (MFA), and HomeAssistant (MFA). Everything else lives behind WireGuard. I always die a little inside when I see posts on the Unraid forums asking how to expose their server UI externally even after being told about WireGuard, which is insanely easy to set up on Unraid.

Scruff McGruff fucked around with this message at 17:26 on Nov 18, 2021
Nov 18, 2021 16:30
Scruff McGruff posted: Completely agree, the only things I have exposed are Overseerr (Plex OAuth), Tautulli (Plex OAuth), Nextcloud (MFA), and HomeAssistant (MFA). Everything else lives behind Wireguard. I always die a little inside when I see posts on the Unraid forums asking how to expose their server UI externally even after being told about Wireguard, which is insanely easy to set up on Unraid.

I think I saw someone expose Radarr and Sonarr completely unprotected, wondering why their server went apeshit with all these mysterious movie adds. Made me laugh in horror. I just wish services supported SSO for more than just opening up pages, because Authelia is fantastic and Ibracorp have a few very good videos on it. Google even provides a good SSO service but a lot of these apps don't support it for auth.
Nov 18, 2021 18:27
Matt Zerella posted: I think I saw someone expose radarr and sonarr completely unprotected wondering why their server went apeshit with all these mysterious movie adds. Made me laugh in horror.

Christ.... "why am I being raided for child pornography?"
Nov 18, 2021 18:34
Matt Zerella posted: I think I saw someone expose radarr and sonarr completely unprotected wondering why their server went apeshit with all these mysterious movie adds. Made me laugh in horror.

I don't even think Sonarr and Radarr need to be publicly accessible if you already have Overseerr available. I just wish Sonarr and Radarr would enable the option to prevent a user from logging in after X number of attempts.
Nov 18, 2021 20:21
Any of y'all have a certain way you like to implement DNS for local non-routable IPs? Do you use a valid global TLD like server.local.plsdonotpwnme.com or something like myserver.lan?
Nov 18, 2021 21:12
server.local.domain is fine/good, just don't publish it on the public internet. Like, you hopefully split your DNS into public/private roles and then forward queries from your private server to the public one if need be...
Nov 18, 2021 21:54
CopperHound posted: Any of y'all have a certain way you like to implement DNS to local non routable ips? Do you use a valid global tld like server.local.plsdonotpwnme.com or something like myserver.lan?
Nov 18, 2021 22:28
BlankSystemDaemon posted: The official standards exist and even mention .local and .workgroup - and while there used to be problems with it when combined with Apple's zero-conf known as Bonjour, they're mostly fixed now so unless you have really old gear, you can use .local just fine.

It really is just a mention though, not a standard nor a suggestion that they should be used. RFC 8375 proposes that "home.arpa" be designated for this kind of use case in home networks.
Nov 18, 2021 23:47
Keito posted: It really is just a mention though, not a standard nor a suggestion that they should be used. RFC8375 proposes that "home.arpa" be designated for this kind of use case in home networks.

And like I said, the interoperability issues between Bonjour and use of .local for non-mDNS use have been fixed unless you're running decades-old software. Then again, there's absolutely nothing wrong with choosing .home even if you don't have decades-old Apple software.
Nov 19, 2021 12:35
My Overseerr install is pretty slow. Like up to a full minute to load any of the movie posters, even when I'm on my LAN. I installed it using docker-compose on a Debian VM with 3 cores of a Ryzen 3600 and 4 GB of RAM. Is that just not beefy enough or what? I tried adding more but it didn't seem to matter.
Nov 19, 2021 14:57
tuyop posted: My Overseerr install is pretty slow. Like up to a full minute to load any of the movie posters even when I'm on my LAN.

Could it be bottlenecked by a drive you're using to store the images? I've got most of my files on a 5400rpm drive and you can tell when that thing isn't spun up.
Nov 19, 2021 15:26
FireTora posted: Yup, works with a domain for albums. If you want to share just one photo then copying the link to the image has the API access baked into the URL so it can be viewed without logging in.
Nov 19, 2021 21:18
cage-free egghead posted: Could it be bottlenecked by a drive you're using to store the images? I've got most of my files on a 5400rpm drive and you can tell when that thing isn't spun up.

Good idea but it's on NVMe and
Nov 19, 2021 21:34
CopperHound posted: I was looking at this and for the life of me I can't find a way to revoke access to individual photo links like you can with albums.

You can't at the moment since it isn't 'proper' sharing. https://github.com/photoprism/photoprism/issues/466#issuecomment-697231447 They're planning a real solution for a future release.

FireTora fucked around with this message at 22:40 on Nov 19, 2021
Nov 19, 2021 22:37
fletcher posted: Thanks for mentioning Navidrome! It looks really nice. Very subsonic-y but with the ability to work on metadata. I recently went through my collection and fixed all the tags with MusicBrainz so hopefully I'm in good shape. Definitely going to check this out!

Got to play around with Navidrome last night. It was easy to set up and I'm liking it so far. I forgot that support for video files is something I like about Subsonic, so maybe I'll continue using Subsonic for video and Navidrome for music. I also forgot about a very large collection of bootlegs I have that do not have good ID3 tags, and Navidrome doesn't seem to have the ability to browse the music collection by filesystem folders.
Nov 19, 2021 23:37
My ethernet adapter on my server seems to have died while I am 1000 miles away on vacation. I managed to log in to it through a VPN for the few minutes it was still accessible before it completely conked out; it was getting a ton of resets and failures to write/read to that module in the logs. Impressive how it timed the hardware failure that would make it completely unusable for the first 24 hours of the only vacation I've had away from home since Covid started.
Nov 23, 2021 18:49
Murphy works in mysterious ways.
Nov 23, 2021 18:57
The thing I would recommend using a real subdomain that you own instead of e.g. .local for is that you can get a wildcard cert from Let's Encrypt and make SSL on local services a lot easier on yourself. I just recently switched to this from a cumbersome self-signed CA setup and it's
Nov 24, 2021 18:36
That's absolutely the proper way to go about things, yeah.
Nov 24, 2021 18:58
To explain that idea even more, you can set up Nginx Proxy Manager to grab your LetsEncrypt wildcard certs for your domain, create a proxy host that redirects subdomain.yourdomain.com to whatever internal service you are self-hosting, and then set your router to do a DNS host override to redirect traffic from subdomain.yourdomain.com to the host running Nginx Proxy Manager. Voilà - valid LetsEncrypt certs on any internal service you care to run.
Nov 24, 2021 19:37
bobfather posted: To explain that idea even more, you can set up Nginx Proxy Manager to grab your LetsEncrypt wildcard certs for your domain, create a proxy host that redirects subdomain.yourdomain.com to whatever internal service you are self-hosting, and then set your router to do a DNS host override to redirect traffic from subdomain.yourdomain.com to the host running Nginx Proxy Manager. Voilà - valid LetsEncrypt certs on any internal service you care to run.

I guess you could do that, yeah. For my part I just have a wildcard cert for *.internal.mydomain.com that I use internally, and then I just provision normal LE certs for anything external like https://www.mydomain.com.
Nov 24, 2021 19:56
I'm looking into authentik to set up single sign on. It looks promising, but I can't wrap my brain around how to make it work. The documentation very much feels like it was written by the person doing the programming. I'm trying to follow the directions for nextcloud step by step, but I'm getting an error about the user not being provisioned. It probably doesn't help that I don't know the difference between my rear end and LDAP.
Nov 24, 2021 20:07
Neslepaks posted: I guess you could do that yeah. For my part I just have a wildcard cert for *.internal.mydomain.com that I use internally and then I just provision normal LE certs for anything external like https://www.mydomain.com.

I think we're talking about the same thing. I merely described one way to use a wildcard LE cert to secure services that are only available on the LAN.
Nov 24, 2021 20:14
Reminder for wildcard certs: *.domain.com does not cover *.internal.domain.com, so make sure you add both wildcards in your certbot/ngxpm/traefik/acme.sh request.
Nov 24, 2021 20:27
bobfather posted: I think we're talking about the same thing. I merely described one way to use a wildcard LE cert to secure services that are only available on the LAN.

Sorry yeah. I dist it out with ansible
Nov 24, 2021 20:36
I use certbot with Let's Encrypt and it has lots of plugins for alternative auth methods. I use the DNS challenge method and it will automatically add the record to my public host and validate the cert that way. Lets me use valid certs internally without having to expose anything to the internet for the challenge.

Matt Zerella posted: Reminder for wild card certs:

Unless I'm mistaken, it's also worth noting that *.domain.com won't cover domain.com either. But SANs are free and easy with Let's Encrypt so it's not a big hurdle.
Nov 24, 2021 22:07
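The two wildcard caveats above (a `*.domain.com` cert covers neither `domain.com` nor anything under `internal.domain.com`) come from the one-label wildcard rule browsers enforce. The checker below is an added example, not code from the thread or from certbot; it applies that rule to a SAN list, lists the hostnames that would still warn, and builds the SAN list to request instead. The hostnames and the `sans_to_request` helper are illustrative assumptions.

```python
"""Which hostnames does a certificate's SAN list really cover?

Wildcard matching follows the rule browsers apply (RFC 6125, 6.4.3): '*' is
only honoured as the entire leftmost label and matches exactly one label.
"""


def san_matches(san: str, hostname: str) -> bool:
    """True if a single SAN entry (exact name or '*.parent') covers hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" in hostname:
        return False                      # a hostname is never a pattern
    if not san.startswith("*."):
        return san == hostname            # exact entry (partial wildcards are treated as literal)
    if "*" in san[2:]:
        return False                      # '*' is allowed only as the whole leftmost label
    san_labels, host_labels = san.split("."), hostname.split(".")
    # the wildcard stands for exactly one non-empty label, so label counts must agree
    if len(host_labels) != len(san_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == san_labels[1:]


def cert_covers(sans, hostname: str) -> bool:
    return any(san_matches(san, hostname) for san in sans)


def uncovered(sans, hostnames):
    """Hostnames the SAN list leaves out: the ones that would warn in a browser."""
    return [h for h in hostnames if not cert_covers(sans, h)]


def sans_to_request(hostnames, apex: str):
    """Smallest wildcard-based SAN list covering every hostname: the apex itself where it
    is wanted plus one '*.parent' per distinct parent domain (the -d list given to certbot)."""
    wanted = set()
    for h in hostnames:
        h = h.lower().rstrip(".")
        wanted.add(h if h == apex or "." not in h else "*." + h.split(".", 1)[1])
    return sorted(wanted)


if __name__ == "__main__":
    hosts = ["domain.com", "app.domain.com", "nas.internal.domain.com", "git.internal.domain.com"]
    print("left out by *.domain.com alone:", uncovered(["*.domain.com"], hosts))
    print("request these SANs instead:   ", sans_to_request(hosts, "domain.com"))
```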
Potentially dumb question but if you're not opening anything up to the internet, do you still want to create certs for your internal stuff anyways? Or would you just configure that via DNS?
Nov 24, 2021 22:15
I just don't like browser errors when I hit stuff, but that's just personal preference.
Nov 25, 2021 00:01
yeah new browsers don’t like http anymore. it’s not a big deal but it’s also not too hard to fix. also if you understand cert chains you can get a raise because hardly anyone does.
Nov 25, 2021 05:36
I've been downloading sample packs recently (bought legally) for futzing around with in Ableton and a few samplers. I'm having the damndest time finding this but is there some kind of nice web gui I can feed a URL to and tell it where to download to? Preferably one with a nice adaptive webui that I can use on my phone or iPad? This would be on UnRAID so a docker is preferred.
Nov 27, 2021 19:44
It's really trivial these days to either set up your own PKI and just install your root self-signed cert where it's needed, or use Let's Encrypt; no reason not to use HTTPS.
Nov 27, 2021 23:05
Matt Zerella posted: I've been downloading sample packs recently (bought legally) for futzing around with in Ableton and a few samplers.

https://forums.unraid.net/topic/60117-support-aria2-webui/
Nov 28, 2021 00:01
CopperHound posted: I haven't tried, but aria2+webui might be what you're looking for.

That looks perfect. I'll check it out. Thanks!
Nov 28, 2021 00:17
I'm looking for guidance on how to better execute on my self-hosted setup. It might be in the OP, but I'm too dumb to piece it together.

What I have is a Windows box that is running a handful of services I want to be able to expose to the Internet. Those services are things like a MySQL database, a Minecraft server, etc. Right now it's all running on bare metal, and the way I'm doing this is just port forwarding and connecting via IPv4, but without a static address, so things like my Minecraft server have an ever-changing address, and this is highly suboptimal. For some things I've solved this with ngrok, but it doesn't seem to be able to do all the things (e.g. the Minecraft server doesn't seem to play nice with ngrok for reasons I don't understand).

If I can actually figure this out, what I want is a more robust box running Windows VMs, accessible via DNS. Before I put money into a bigger box and set up slightly more real infrastructure though, I really need to figure out this external addressing poo poo. I'm not sure what the Right Way™ to access my services reliably and consistently from the Internet actually is. Maybe it lies somewhere with ngrok and I just need to get gud. A static address is ideal, but is not in the cards.

So goons: how do I set up my box so I can talk to it from the Internet without static addressing?
Dec 2, 2021 21:54
Canine Blues Arooo posted: I'm looking for guidance on how to better execute on my self-hosted setup. It might be in the OP, but I'm too dumb to piece it together.

Dynamic DNS using duckdns. Then set up WireGuard or Tailscale and don't expose anything to the internet.
Dec 2, 2021 21:57
Canine Blues Arooo posted: I'm looking for guidance on how to better execute on my self-hosted setup. It might be in the OP, but I'm too dumb to piece it together.

You should absolutely run anything you're exposing to the internet through a reverse proxy. NGINX Proxy Manager is probably the easiest way for someone with less technical knowledge to implement it, as it's done through a GUI. You'll also want some dynamic DNS which will update the domain provider with your IP if it changes. I personally do it in Docker with two containers:

1: My domain provider is Cloudflare, so I use this container to keep Cloudflare updated on what my IP is: https://hub.docker.com/r/oznu/cloudflare-ddns/

2: Then I use NGINX Proxy Manager (https://hub.docker.com/r/jlesage/nginx-proxy-manager#!) to direct the HTTPS traffic to the appropriate server on my network. Everything exposed to the internet goes through port 443 and NGINX handles directing the traffic to the appropriate server.

Duck DNS is a free domain provider (they provide you a subdomain at their website), but I don't think it works with NGINX Proxy Manager, so if you want to simplify the reverse proxy setup process you'll need to pay for a proper domain for yourself and decide on a provider like Cloudflare (or another) to handle the DNS updates. You don't need an expensive domain; you can get one that's like $2 for the year.

Matt Zerella posted: Dynamic DNS using duckdns. Then set up WireGuard or Tailscale and don't expose anything to the internet.

He has a Minecraft server, which I assume will be used for people outside of his home, so I think he will need to use a reverse proxy to accomplish his goals. But OP, if you are the only one ever using these services, then as Matt Zerella says, use WireGuard directed to your duckdns subdomain, and then run a DDNS client (like this: https://github.com/linuxserver/docker-duckdns) on your end to keep Duck DNS up to date on your current IP. This would be even more secure, since you'd theoretically also want to implement fail2ban and other security layers on anything exposed to the internet to prevent brute force attacks on your services.

Nitrousoxide fucked around with this message at 22:21 on Dec 2, 2021
Dec 2, 2021 22:13
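The lockout that the fail2ban remark above and the earlier wish for Sonarr/Radarr to block a user after X failed logins both describe, as an added example (not code from the thread, from fail2ban or from any of the apps named): it reads reverse-proxy access-log lines, counts 401/403 responses per source IP in a sliding window, and reports which IP to ban and when. It assumes nginx's combined log format; the log lines are constructed samples, not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed nginx 'combined' layout: client IP, bracketed timestamp, quoted request, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

# Constructed sample traffic: 203.0.113.7 hammers the login, 198.51.100.4 mistypes once then gets in.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2021:22:13:01 +0000] "POST /sonarr/login HTTP/1.1" 401 0 "-" "curl/7.79"
203.0.113.7 - - [02/Dec/2021:22:13:02 +0000] "POST /sonarr/login HTTP/1.1" 401 0 "-" "curl/7.79"
198.51.100.4 - - [02/Dec/2021:22:13:03 +0000] "POST /sonarr/login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2021:22:13:03 +0000] "POST /sonarr/login HTTP/1.1" 401 0 "-" "curl/7.79"
198.51.100.4 - - [02/Dec/2021:22:13:09 +0000] "POST /sonarr/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2021:22:20:00 +0000] "POST /sonarr/login HTTP/1.1" 401 0 "-" "curl/7.79"
"""


def parse(line):
    # Returns (ip, timestamp, status), or None for a line that is not an access-log entry.
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["status"])


def find_bans(log_text, max_failures=3, window=timedelta(seconds=60), ban_for=timedelta(minutes=10)):
    """Sliding-window lockout per source IP: once max_failures 401/403 responses land inside
    `window`, the IP is banned for `ban_for`. Returns [(ip, iso_timestamp_of_ban)]."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent auth failures
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, status = rec
        if ts < banned_until.get(ip, ts):
            continue              # still banned: a firewall rule would have dropped this request
        if status not in (401, 403):
            continue              # only authentication failures count toward the lockout
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures:
            bans.append((ip, ts.isoformat()))
            banned_until[ip] = ts + ban_for
            q.clear()
    return bans
```

Running `find_bans(SAMPLE_LOG)` bans 203.0.113.7 at its third failure and ignores its later attempt because the ban is still active; 198.51.100.4 never reaches the threshold.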
Just a note, I think I've said it before, but do not expose anything if it doesn't support Single Sign On or 2FA. Basic auth even over SSL is not enough.
Dec 2, 2021 22:16