Currently, I use dockerproxy + swag and Cloudflare for externally-facing services. I really like that I don’t have to open any ports on my router for this to work, and I don’t need to create any routes for new services. When a new service is started, I simply include a label to call swag and the subdomain & TLS cert are registered with Cloudflare. About the only complaint I have is Cloudflare’s 100MG upload limit, but I can easily work around that, and it’s not a limit I see myself hitting too often.

What’s not clear to me is what I’m missing by not using Traefik or Caddy. Currently, the only thing I don’t have in my setup is central authentication. I’m leaning towards Authentik for that, and I might look at putting it on a VPS, but that’s the only thing I have planned. Other than that, almost everything’s running on a single Beelink S12. If I had to, I could probably stand up a failover pretty quickly, though.

11 points
*

I was an avid nginx user but having caddy handle the ssl certificate creation and renewal is amazing.

I probably am outdated on nginx (maybe it supports it?) but caddy is what I use from here on out.

permalink
report
reply
5 points
*

Yeah it supports cert acquisition through let’s encrypt now.

permalink
report
parent
reply
2 points

Not depend on a specific corporation to access all your services for one.

A reverse proxy (I use nginx) will let you centralize certificates and allow the use of subdomains easily, without depending from a specific service provider like cloudflare.

Looks like you are are a lucky american with access to a real IP address, good for you, a luxury nowadays where CG-NAT is common place everywhere.

Opening a port is not even possible where I live.

permalink
report
reply
16 points
*

I switched from SWAG to Caddy. Its config file is much simpler, with many best practice settings being default resulting in each sites being like 3 lines of code. Implementing something like mTLS requires one line per site, just super nice to configure, and you’re not left without a template config for more obscure services.

That being said, SWAG does more than enough and Nginx is a powerful software so you really aren’t missing out on anything but more streamlined config.

Traefik is kind of just like, a nightmare that tries to sell you on it being “self configuring” but it takes some work to get to that point and the “self configuring” requires the same amount of time in a text editor as manually configuring Caddy does. I can see Traefik being powerful if you’re using it with actually clustered k8s and distributed workloads. If that’s not your use case it’s kinda just more work than it’s worth.

permalink
report
reply
5 points
*

Except that everything is under your control and not managed by a third party, not much I think.

If this setup works for you and you’re happy with it, just keep it going.

If you have time to spare, want to learn new things, tinkerer arround with network security, certificates, DNS, reverse proxy and, and, and… You can give it a try in a virtual machine and docker containers. But keep in mind that’s not an easy way and involves a lot of personal time before you get a GOOD working self-hosted / exposed services.

I wouldn’t recommend to open any port on your router except for a secured tunnel like wireguard and connect to your services through that tunnel. Opening port 443/80 on your router is bound to some heavy automated scanning and brute force by bots. If you don’t have the necessary knowledge/tool/hardware, this is just going to put you at risk of ddos and remote attacks.

That’s way something like cloudflare is populare, they most of the time take care of that nuisance and also why something like wireguard is popular among the selfhosting community.

permalink
report
reply
8 points

I’ve recently introduced CrowdSec and crowdsec-bouncer-traefik-plugin into my setup and it’s really great to see it block all those spam bots and brute force attempts.

permalink
report
parent
reply
1 point

Which crowdsec lists did you use? I’m on the free plan and can only subscribe to three of them and most of everything on the free tier looks like is useless since my Suricata can sync its rules with Proofpoint ET Open rulesets which are significantly more robust

permalink
report
parent
reply
1 point
*

I’ve only subscribed to the “Free proxies” blocklist. But these are only additional blocklists. The main attraction of CrowdSec is their “CAPI” (Central API) which has all the current malicious actors detected in the network of CrowdSec instances and is used automatically.

permalink
report
parent
reply
1 point

Thanks for the tip !! I will certainly give it a look, It’s kinda annoying for my family members to always connect via wireguard.

For me it’s fine though, I even route my traffic to ProtonVPN but my family is always nagging how they need to “do something” to get access to the hosted services or that it “doesn’t work”.

permalink
report
parent
reply
1 point

Do you have a guide on how to do his? I couldn’t get the middleware to work to actually bounce connections

permalink
report
parent
reply
2 points
*

You have to actually add the middleware into the (default) chain for your https entrypoint (I think in most tutorials it’s called websecure) - in my static conf I have this:

entryPoints:
  https:                                                           
    address: :443                                                  
    http:                                                          
      middlewares:                                                 
        - crowdsec-bouncer@file                                    
        - secure-headers@file 

And in my dynamic conf I have this:

http:
  middlewares:
    crowdsec-bouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          CrowdsecLapiKey: "### Enter your LAPI Key here ###"
          Enabled: true
permalink
report
parent
reply
26 points

Well, not using Cloudflare would make us all rely a bit less on a single company that already dominates the internet. And it’d make them unable to theoretically mess with your traffic and snoop on your data. Other than that… I don’t think you’re missing out on features.

permalink
report
reply
3 points

What would you recommend as an alternative? Right now I’m just using them for DNS.

permalink
report
parent
reply
2 points
*

desec.io is also a good option

permalink
report
parent
reply
1 point

That actually seems like a solid option. Do you happen to know how well it integrates with Traefik and the like for setting up reverse proxies?

permalink
report
parent
reply
2 points

1984.hosting has a freely available to use DNS service for domains. They’re a good company that does what Njalla say they do but without the bullshit of stealing peoples domains.

permalink
report
parent
reply
1 point

How is cloudflare stealing domains?

permalink
report
parent
reply
3 points

I really don’t know what to recommend to other people. I use opennic.org for DNS. And I don’t use any tunnels, I just do port forwarding on my router. I have an internet connection that allows that.

permalink
report
parent
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 5.2K

    Monthly active users

  • 3.5K

    Posts

  • 76K

    Comments