this post was submitted on 19 Jan 2024
12 points (87.5% liked)

Selfhosted

40173 readers
832 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

ive anabled a port forward on port 80 (TCP/UDP) to my server, but i still cant acess it. i know its unsafe to just open a port like that, this is temporary, just wanna see if it works. ill put a reverse proxt and https on it later

top 23 comments
sorted by: hot top controversial new old
[–] [email protected] 18 points 10 months ago* (last edited 9 months ago) (2 children)

I'm kinda weirded out by all the people suggesting a VPN here.

Like -- if you're hosting Nextcloud, Jellyfin, etc and you want friends/family to use it, having them VPN into shit is a hurdle that none of them are going to overcome.

You need to make sure you're not behind CGNAT first, if not, don't use Nextcloud on port 80, put it on another port, and then open that port to the outside world.

Just be aware, you REALLY want these things to be isolated from your home environment if you're going to host them, and you NEED to be on some sort of CVE notification list for the software you currently use. Not all CVEs are "YOU MUST UPGRADE NOW", but some of them can be pretty severe.

I've set up fail2ban on my isolated network, and it does a pretty good job of banning any IPs that are probing for things. So much so that I've accidentally locked myself out of my own network a few times, lol

IF you ARE behind a CGNAT - what you'll want to do is likely rent the cheapest VPS you can find, and then set up a VPN not on the VPS, but on your home network, and have the VPS be your public entry point to the network, as it will have a public facing IP and can mask your home IP address. -- https://github.com/fractalnetworksco/selfhosted-gateway

Edit: THEN - once you've accomplished all that, you'll probably want to buy a domain name, and reverse-proxy subdomains to forward to the services on specific ports.

[–] [email protected] 9 points 10 months ago (1 children)

A cheaper, albeit less secure alternative, is purchasing a domain and setting up a Cloudflare tunnel.

[–] [email protected] 3 points 9 months ago* (last edited 9 months ago)

I think opening a tunnel and forwarding the port through it and opening a port forward directly have about the same security implications. Both end up opening the same port and forwarding the same packets to the same computer. The only difference is with a tunnel there is an extra step in between that slows things down. In some edge cases it may be nice if people can't directly see your IP but just the one from the tunnel. But that doesn't matter if it's only for you and your friends. Might be a concern though if you're a big live-streamer and fear people DDoSing you. But then there are better alternatives. (for example paying $8 a month for a small VPS.) So I think a tunnel makes perfect sense if you can't get the port forward running. It just doesn't add anything to security.

Cloudflare might be a different deal though. They include DDoS protection and filter some attacks. I don't like cloudflare so I don't really know the specifics. I think it's bad for the internet that a good share of the overall traffic is tunneled over a single company's servers. And I myself don't need a middleman in my own services. But they certainly must have something to offer or they wouldn't be as popular as they are...

[–] [email protected] 1 points 9 months ago

having them VPN into shit is a hurdle that none of them are going to overcome.

If you have a lot of people connecting, then that's fair. But setting up a VPN for one or two households isn't hard. Even easier if you use Tailscale (apparently, never tried it myself).

[–] [email protected] 7 points 9 months ago (1 children)

Absolutely do not expose your server on port 80. Http is unencrypted, you'd be sending your login credentials in plaintext across the open internet. That is Very Bad™. If you own a domain name, you can set up a letsencypt cert fairly easily for free. Then you could expose 443 and at least your traffic will be encrypted in transit. It won't solve the other potential issues of exposing your instance like brute force or ddos attacks, but I'd consider it a bare minimum.

If you use a VPN like many others are suggesting it won't matter as much because the unencrypted traffic never leaves your local network.

[–] [email protected] 3 points 9 months ago (1 children)

As a side note: you not technically need a domain or a let's encrypt certificate to enable https. As a test you can create your own certificate, and use that for https (snake-oil certificate).

This is not appropriate for longer-term usage. If you want to run websites on the Internet long-term, you should buy a domain and get a lets-encrypt certificate.

[–] [email protected] 1 points 9 months ago (1 children)

Technically true but I wouldn't suggest using a self signed cert on the internet under any circumstances.

[–] [email protected] 5 points 10 months ago* (last edited 9 months ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
IP Internet Protocol
NAT Network Address Translation
TCP Transmission Control Protocol, most often over IP
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

6 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #441 for this sub, first seen 19th Jan 2024, 23:25] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 9 months ago

You missed CVE -- Common Vulnerabilities and Exposures

[–] [email protected] 3 points 10 months ago

If you want to be very secure, host a VPN and don't open any ports besides the VPN port. Then access anything as though you're on LAN.

[–] [email protected] 2 points 10 months ago* (last edited 10 months ago)

Tailscale.

You can run clients on all your devices. Or if you want easier access, use the Funnel feature.

Tailscale Funnel lets you expose a local service, file, or directory to the entire internet, using what is effectively a VPN, except they don't have to use a VPN (TS hosts an endpoint they connect to, then encrypt that traffic into your Tailscale network).

https://tailscale.dev/blog/funnel-serve-demo

[–] [email protected] 2 points 9 months ago

Afik nextcloud runs only on https, so 443 would be more suitable. I use wiregurd tho

[–] [email protected] 2 points 10 months ago

To be honest, I would advise against opening your home network like that at all. A VPN would be much safer. If you use something like Tailscale it would be much easier as well and doesn't need opening any ports at all.

[–] [email protected] 2 points 10 months ago* (last edited 10 months ago) (1 children)

How have you tested this? You need to use the external IP address of your router (public ip) to open it. And you need to test that from another internet connection. Also make sure the browser is actually trying to open an http connection to port 80. Some modern browsers / addons try to prefer https on port 443 instead and that wouldn't be reachable. Does a ping work? What's the exact error message? The port forward could be wrong. Needs to be port 80 (TCP) towards the internal device where nextcloud runs, to the port where it runs on that machine (could be 80, too). It could also be blocked by your provider, or your specific provider doesn't allow port forwards. Or you ran into issues with the shift to IPv6 addresses. Maybe your provider has some strange setup. Try if you can ping your router from external first. And try the canyouseeme.org mentioned in the other comment. That's good advice.

[–] [email protected] 1 points 10 months ago (2 children)

10.x.x.x IS an external adres yes? how do I check?

[–] [email protected] 3 points 10 months ago* (last edited 9 months ago)

Sorry, 10.x.x.x is a private IP address range. That can't be reached from the internet.

Maybe try one of the services that display your IP like https://www.showmyip.com/ or the one mentioned earlier: canyouseeme.org , that one also shows your IP.

I have little info to work on. There are many different providers around the world with very different setups. Some are suitable for port forwarding, some arent. (You could sit behind a Carrier Grade NAT, which makes port forward difficult to impossible.) But you need to figure out your IP first.

All I can say, I run something like you describe... Nextcloud, a reverse proxy and a few other services. I did some port forwards, got a domain that points to my IP and it works fine.

Edit: I use YunoHost on my computer. Its a Linux distribution for selfhosting. I think its a good choice to get your feet warm or if you want a low maintenance setup. It includes Nextcloud and many other services.

But you have to figure out how to access your computer from outside. Either you get your IP and the port forward running, or you have to use a service like pagekite.net or you get a VPN running like almost everyone else here wants to convince you to use. I don't think a VPN is a good idea except if you only want to use it by yourself and not use all the collaborative features of nextcloud.

[–] [email protected] 2 points 10 months ago

I've not set up Nextcloud myself, so a basic question first: have you already tried canyouseeme.org to check for the running service on that port?

If the service is not available, then either your server or the router isn't configured correctly. If it is, then the problem is in the software.

[–] [email protected] 0 points 10 months ago (1 children)

Please set up Tailscale or a Wireguard VPN before you start forwarding ports on your router.

Your configuration as you have described it so far is setting yourself up for a world of hurt, in that you are going to be a target for hackers from literally the entire world.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (1 children)

before you start forwarding ports on your router

Don't you mean instead of? If all the OP wants to do is access next cloud, they can do it over the VPN without forwarding ports. What you're suggesting doesn't solve the problem of port 80 being an attack vector, and adds yet another attack vector (the VPN itself)

[–] [email protected] 1 points 9 months ago (1 children)

Realistically, yes. But it’s a phrase and it’s important that they start doing that first. Maybe it’s their intention to do it publicly.

Also, sure, but a Wireguard installation is going to be much more secure than a Nextcloud that you aren’t sure if it’s configured correctly. And Tailscale doubly so.

[–] [email protected] 2 points 9 months ago

Wireguard installation is going to be much more secure than a Nextcloud

I understand that, and it's a good suggestion and a better solution if it fits the OPs use case. I don't understand suggesting they do both. Either VPN or port forwarding solve the problem, doing both seems unnecessary.