Hello all,

I have started experimenting again with a local server and I am facing a few issues, here is my case.

I run Debian on an old HP prebuilt without a GUI. I do everything over SSH from my laptop (basic connection: ssh user@addr).

I have installed docker. I have installed a few containers. I also installed portainer for easier management.

All good so far because everything is local.

I have purchased a domain with Cloudflare and set up a tunnel so as to avoid exposing any ports and to have an easier time managing and deploying stuff.

I have set up Jellyfin and Vaultwarden, but when I tried to install Nextcloud AIO it was advised to add a local reverse proxy so as to avoid many problems.

My questions are:

Is the tunnel solution appropriate for jellyfin?

I suppose it’s OK for Vaultwarden as there isn’t much data being transferred?

Would it be better to run Nginx Proxy Manager for everything, or can I run both of the solutions?

Any general recommendations on the above and in general are appreciated!

  • tristan@aussie.zone · ↑1 · 3 months ago

    First, your questions:

    Is the tunnel solution appropriate for jellyfin?

    Yes, but also no. The TL;DR is: it will work, but video streaming is against Cloudflare’s rules. I ran this way for about 2 years with Plex just for my own use, so for about 15 hours a week at 480p, and I never got my service suspended, but I’ve heard stories of others getting suspended… so just know it’s a risk.

    I suppose it’s OK for Vaultwarden as there isn’t much data being transferred?

    That’s a good use of tunnels.

    Would it be better to run Nginx Proxy Manager for everything, or can I run both of the solutions?

    You can definitely run both solutions (the tunnel points to NPM, NPM points to all the other services), and it saves you setting up tunnels for each service.

    Now for my 2 cents.

    As others have suggested, Tailscale Funnel is a valid option. A reverse proxy on a VPS is also a valid option. And as I pointed out, a Cloudflare tunnel is an option if you’re willing to accept the risk.

    My current setup uses a free Oracle VPS with a small nginx Docker container forwarding all port 80 and 443 traffic through Tailscale. On the other end is an Nginx Proxy Manager Docker container that points to all my services across the network. I have my Cloudflare details configured in Nginx Proxy Manager to generate a wildcard SSL certificate that I apply to all my local services.

    Inside the network, I use AdGuard to redirect the domain to the local LAN IP of the Nginx Proxy Manager server, to avoid traffic going through the internet.

    Then all you need to do is point the domain in Cloudflare DNS to the Oracle server, and you’ll have several layers of separation between the internet and your local LAN, as well as SSL certs both internally and externally on any services you share.

    It might not be the most elegant setup, but I share my Plex server (as well as about 30 other things) with several other people, and it can handle multiple 1080p streams going through it without any issue. It’s been nice and stable for over a year.

  • Matt@lemmy.ml · ↑0 · 3 months ago

    AFAIK, Tailscale has Funnel, which is better than CF tunnels, since you can expose any machine you have without buying an expensive switch.

    • tristan@aussie.zone · ↑0 ↓1 · 3 months ago

      Why would you need an expensive switch for CF tunnels?

      It bypasses the switch and forms a tunnel directly to the machine, and you don’t need to change any configuration on the switch.

      Both options can expose any service as long as the machine has internet.

  • OminousOrange@lemmy.ca · ↑0 ↓1 · 3 months ago

    I’m definitely not a network pro, but it sounds like you’re looking to do something similar to what I have.

    I’ve got Nginx Proxy Manager as my reverse proxy with Pi-hole for local DNS. All traffic goes through the Pi-hole, and anything going to mydomain.com has DNS entries pointing to nginx. I’ve set nginx up so service.lan.mydomain.com is for anything local and just service.mydomain.com for anything external, with wildcard SSL certs for both (*.domain doesn’t seem to cover *.lan.domain, so add certs for both; probably because it’s a sub-subdomain).

    The Cloudflare tunnel can then just get directed to service.mydomain.com instead of the IP of the service.

  • Moonrise2473@feddit.it · ↑0 ↓1 · 3 months ago

    The Cloudflare tunnel is effectively a local reverse proxy.

    Create a Docker network, place everything on the same Docker network, then you can reach stuff by setting the tunnel at http://[container-name].

    So you set the tunnel at http://nextcloud or http://jellyfin:8096, and so on.

    You’d think “but without a local proxy that does SSL encryption, Cloudflare could read my communication”; no, if they really wanted to, they could read it anyway, since they decrypt and re-encrypt.
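The shared-Docker-network layout described in this comment (and the "tunnel points to each container by name" answer to the OP's question), written out as an added example. This is not code from the thread or from Cloudflare; it assumes a Compose project with a `cloudflared` container and the OP's Jellyfin and Vaultwarden containers on one user-defined network, and the hostnames, the `TUNNEL-UUID-PLACEHOLDER` value and the volume paths are constructed placeholders to be replaced with your own. Nextcloud AIO is left out because it brings its own proxy requirements, which is the issue the OP ran into.

```yaml
# docker-compose.yml (added example, not from the thread)
# Every service joins the user-defined "apps" network and publishes no host
# ports, so the only path in from the internet is cloudflared's outbound
# connection to Cloudflare; nothing listens on the Debian box's LAN interface.
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --config /etc/cloudflared/config.yml run
    volumes:
      - ./cloudflared:/etc/cloudflared:ro   # holds config.yml + the tunnel credentials JSON
    networks: [apps]
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin:latest
    volumes:
      - ./jellyfin/config:/config
      - ./media:/media:ro                   # media mounted read-only; Jellyfin only needs to read it
    networks: [apps]
    restart: unless-stopped
    # no "ports:" entry: reachable only as http://jellyfin:8096 inside the "apps" network

  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      DOMAIN: "https://vault.example.com"   # constructed hostname; must match the tunnel hostname below
      SIGNUPS_ALLOWED: "false"              # an internet-reachable vault should not accept open signups
    volumes:
      - ./vaultwarden:/data
    networks: [apps]
    restart: unless-stopped
    # no "ports:" entry: reachable only as http://vaultwarden:80 inside the "apps" network

networks:
  apps:
    driver: bridge

---
# ./cloudflared/config.yml (added example, not from the thread)
# Ingress rules are matched top to bottom; each hostname maps to a container
# by its Compose service name, exactly as the comment above suggests.
tunnel: TUNNEL-UUID-PLACEHOLDER
credentials-file: /etc/cloudflared/TUNNEL-UUID-PLACEHOLDER.json
ingress:
  - hostname: media.example.com             # constructed hostname
    service: http://jellyfin:8096           # plain HTTP is fine here: it never leaves the Docker network
  - hostname: vault.example.com             # constructed hostname
    service: http://vaultwarden:80
  # Mandatory catch-all: any hostname not listed above gets a 404 instead of
  # being forwarded somewhere by accident.
  - service: http_status:404
```

The two YAML documents are separate files (the `---` only separates them here). Traffic between the browser and Cloudflare is TLS, and Cloudflare terminates it before handing the request to the tunnel, which is the point the comment makes about who can read what; inside the box the hop to the container is plain HTTP on an internal bridge network. One consequence worth knowing before picking this for Jellyfin: with no published ports, clients on your own LAN also reach Jellyfin through the tunnel, so a local stream crosses the internet. The split-DNS approach from the earlier comments (a local DNS entry pointing the hostname at a reverse proxy on the LAN) is how people avoid that.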