ive anabled a port forward on port 80 (TCP/UDP) to my server, but i still cant acess it. i know its unsafe to just open a port like that, this is temporary, just wanna see if it works. ill put a reverse proxt and https on it later
I’m kinda weirded out by all the people suggesting a VPN here.
Like – if you’re hosting Nextcloud, Jellyfin, etc and you want friends/family to use it, having them VPN into shit is a hurdle that none of them are going to overcome.
You need to make sure you’re not behind CGNAT first, if not, don’t use Nextcloud on port 80, put it on another port, and then open that port to the outside world.
Just be aware, you REALLY want these things to be isolated from your home environment if you’re going to host them, and you NEED to be on some sort of CVE notification list for the software you currently use. Not all CVEs are “YOU MUST UPGRADE NOW”, but some of them can be pretty severe.
I’ve set up fail2ban on my isolated network, and it does a pretty good job of banning any IPs that are probing for things. So much so that I’ve accidentally locked myself out of my own network a few times, lol
IF you ARE behind a CGNAT - what you’ll want to do is likely rent the cheapest VPS you can find, and then set up a VPN not on the VPS, but on your home network, and have the VPS be your public entry point to the network, as it will have a public facing IP and can mask your home IP address. – https://github.com/fractalnetworksco/selfhosted-gateway
Edit: THEN - once you’ve accomplished all that, you’ll probably want to buy a domain name, and reverse-proxy subdomains to forward to the services on specific ports.
A cheaper, albeit less secure alternative, is purchasing a domain and setting up a Cloudflare tunnel.
I think opening a tunnel and forwarding the port through it and opening a port forward directly have about the same security implications. Both end up opening the same port and forwarding the same packets to the same computer. The only difference is with a tunnel there is an extra step in between that slows things down. In some edge cases it may be nice if people can’t directly see your IP but just the one from the tunnel. But that doesn’t matter if it’s only for you and your friends. Might be a concern though if you’re a big live-streamer and fear people DDoSing you. But then there are better alternatives. (for example paying $8 a month for a small VPS.) So I think a tunnel makes perfect sense if you can’t get the port forward running. It just doesn’t add anything to security.
Cloudflare might be a different deal though. They include DDoS protection and filter some attacks. I don’t like cloudflare so I don’t really know the specifics. I think it’s bad for the internet that a good share of the overall traffic is tunneled over a single company’s servers. And I myself don’t need a middleman in my own services. But they certainly must have something to offer or they wouldn’t be as popular as they are…
Absolutely do not expose your server on port 80. Http is unencrypted, you’d be sending your login credentials in plaintext across the open internet. That is Very Bad™. If you own a domain name, you can set up a letsencypt cert fairly easily for free. Then you could expose 443 and at least your traffic will be encrypted in transit. It won’t solve the other potential issues of exposing your instance like brute force or ddos attacks, but I’d consider it a bare minimum.
If you use a VPN like many others are suggesting it won’t matter as much because the unencrypted traffic never leaves your local network.
As a side note: you not technically need a domain or a let’s encrypt certificate to enable https. As a test you can create your own certificate, and use that for https (snake-oil certificate).
This is not appropriate for longer-term usage. If you want to run websites on the Internet long-term, you should buy a domain and get a lets-encrypt certificate.
Technically true but I wouldn’t suggest using a self signed cert on the internet under any circumstances.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| CGNAT | Carrier-Grade NAT |
| IP | Internet Protocol |
| NAT | Network Address Translation |
| TCP | Transmission Control Protocol, most often over IP |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
6 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.
[Thread #441 for this sub, first seen 19th Jan 2024, 23:25] [FAQ] [Full list] [Contact] [Source code]
If you want to be very secure, host a VPN and don’t open any ports besides the VPN port. Then access anything as though you’re on LAN.
Afik nextcloud runs only on https, so 443 would be more suitable. I use wiregurd tho
