Currently, I use dockerproxy + swag and Cloudflare for externally-facing services. I really like that I don’t have to open any ports on my router for this to work, and I don’t need to create any routes for new services. When a new service is started, I simply include a label to call swag and the subdomain & TLS cert are registered with Cloudflare. About the only complaint I have is Cloudflare’s 100MG upload limit, but I can easily work around that, and it’s not a limit I see myself hitting too often.

What’s not clear to me is what I’m missing by not using Traefik or Caddy. Currently, the only thing I don’t have in my setup is central authentication. I’m leaning towards Authentik for that, and I might look at putting it on a VPS, but that’s the only thing I have planned. Other than that, almost everything’s running on a single Beelink S12. If I had to, I could probably stand up a failover pretty quickly, though.

  • N0x0n@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    2 months ago

    Except that everything is under your control and not managed by a third party, not much I think.

    If this setup works for you and you’re happy with it, just keep it going.

    If you have time to spare, want to learn new things, tinkerer arround with network security, certificates, DNS, reverse proxy and, and, and… You can give it a try in a virtual machine and docker containers. But keep in mind that’s not an easy way and involves a lot of personal time before you get a GOOD working self-hosted / exposed services.

    I wouldn’t recommend to open any port on your router except for a secured tunnel like wireguard and connect to your services through that tunnel. Opening port 443/80 on your router is bound to some heavy automated scanning and brute force by bots. If you don’t have the necessary knowledge/tool/hardware, this is just going to put you at risk of ddos and remote attacks.

    That’s way something like cloudflare is populare, they most of the time take care of that nuisance and also why something like wireguard is popular among the selfhosting community.

      • N0x0n@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        Thanks for the tip !! I will certainly give it a look, It’s kinda annoying for my family members to always connect via wireguard.

        For me it’s fine though, I even route my traffic to ProtonVPN but my family is always nagging how they need to “do something” to get access to the hosted services or that it “doesn’t work”.

      • Lem453@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        Do you have a guide on how to do his? I couldn’t get the middleware to work to actually bounce connections

        • mbirth@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          2 months ago

          You have to actually add the middleware into the (default) chain for your https entrypoint (I think in most tutorials it’s called websecure) - in my static conf I have this:

          entryPoints:
            https:                                                           
              address: :443                                                  
              http:                                                          
                middlewares:                                                 
                  - crowdsec-bouncer@file                                    
                  - secure-headers@file 
          

          And in my dynamic conf I have this:

          http:
            middlewares:
              crowdsec-bouncer:
                plugin:
                  crowdsec-bouncer-traefik-plugin:
                    CrowdsecLapiKey: "### Enter your LAPI Key here ###"
                    Enabled: true
          
      • BaroqueInMind@lemmy.one
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        Which crowdsec lists did you use? I’m on the free plan and can only subscribe to three of them and most of everything on the free tier looks like is useless since my Suricata can sync its rules with Proofpoint ET Open rulesets which are significantly more robust

        • mbirth@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          2 months ago

          I’ve only subscribed to the “Free proxies” blocklist. But these are only additional blocklists. The main attraction of CrowdSec is their “CAPI” (Central API) which has all the current malicious actors detected in the network of CrowdSec instances and is used automatically.