I currently have a server that I use for plex, torrents, kodi, smb, etc. Pretty much everything runs in docker. My router offers a dynamic dns service but I’d like to migrate away from it in case I ever get a different router.

The way it currently works, when I spin up a new service or docker container I go into the router and go to NAT Forwarding -> Virtual Servers and put in the external port and internal IP/Port. I don’t know of any other port forwarding settings on my router.

I’m concerned about the security of my setup because at present I don’t have SSL on any of my services. I also am concerned that this machine is pretty much directly exposed to the internet. What is the best way to migrate this to a more router-neutral config that’s more secure?

Do I use Traefik? Nginx Proxy Manager? Authentik? A different dynamic DNS? Cloudflare tunnels? Getting everything up and running with docker was a challenge when I started but I feel pretty comfortable with it now. This part with the networking and security is what I’m still struggling with. Appreciate your help

  • Jwiggins0123456789@alien.topB · 2 upvotes · 1 year ago

    So there is the HOSTED solution which is Nginx Proxy Manager, Traefik, Swag, etc. Once set up, you forward the 443/80 ports to that “app” or server address. From there it securely routes traffic to your “hosted applications”. They can use SSL encryption with Let's Encrypt certificates so that your hosted sites are secured. You can add Authelia to set up Security Access so that you don't have to use the built-in application security if you don't want to.

    Then there is Cloudflare Tunnels and its Zero Trust solution. It is hosted by them but in order to use it you will need to host a container in docker that connects securely to their services. You set up your site with them, then you set up the container to connect to it securely, and once connected you can then add your hosted applications to their hosted solution and they will handle the traffic routing from their site back to your hosted application via your container. It is all SSL encrypted and they use their certificates. You can use an existing domain that you might have (free or paid) with NPM, Traefik, SWAG, or other hosted reverse proxy, or you can just purchase a domain from them and use it (fairly cheap). Once set up you can then go into their Zero Trust side and add the Security. It is a little bit of a learning curve to work with but once set up you can be using something like your GitHub sign-on as your SSO for all your hosted applications. You can also set it up so that you only have to reauthenticate every XX number of days. You can opt for their WARP client and a token based authentication, however I am not big on people's clients on all my devices so I set up a known existing supported provider to be my SSO. Google, GitHub, and many more can be used.

    Documentation for using the Reverse Proxies is immense and support on Reddit and the Facebook groups is huge as it is a long used and trusted solution.

    Documentation for using the Cloudflare Zero Trust solution is more scarce and harder to find. I recently set mine up over a weekend and found it to be decently complicated as a Senior Virtualization Engineer and Architect who specializes not just in the virtualized machines and operating systems, but also the virtualized networking and security. The Zero Trust was the part that got me for a bit, but once I got it working it has been a dream to use. I love it way more than I ever did my Nginx Reverse Proxy as it operates and responds a lot faster being hosted by them and not you, although where you put the container could be a bottleneck as your traffic will go in and out of it. Also solves any and all double NAT issues presented if you have home routers behind AT&T routers and other setups.
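    The "hosted" reverse-proxy layout the comment above describes (forward only 443/80 to the proxy, let it obtain Let's Encrypt certificates, keep the apps themselves unpublished) looks like this as a docker-compose file. This is an added example, not code from the thread or from the Traefik project; it assumes you control `example.com` with DNS pointing at your public IP, that the router forwards 80 and 443 to this host, and it uses Traefik's own `whoami` test image in place of a real service. The Authelia middleware labels are shown commented out because they also require an `authelia` container and its configuration, which the example does not include.

```yaml
# docker-compose.yml (added example; hostnames and e-mail are placeholders)
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      # only containers that carry traefik.enable=true get exposed
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # everything arriving on plain HTTP is redirected to HTTPS
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Let's Encrypt via the TLS-ALPN challenge, which needs only port 443
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      # these two are the ONLY ports forwarded on the router
      - "80:80"
      - "443:443"
    volumes:
      # persisted certificates; Traefik creates acme.json with mode 600
      - ./letsencrypt:/letsencrypt
      # read-only socket so Traefik can discover containers and their labels
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped

  whoami:
    image: traefik/whoami
    # no "ports:" section: this app is reachable only through Traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=le
      # Optional forward-auth to Authelia (assumed container name "authelia",
      # assumed hostname auth.example.com); uncomment once it is running:
      # - traefik.http.routers.whoami.middlewares=authelia@docker
      # - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.com
      # - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      # - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
    restart: unless-stopped
```

    Bring it up with `docker compose up -d` and the only thing listening from the internet is Traefik; each further service is added by attaching labels to its container rather than by creating another router forwarding rule, which is what makes the setup router-neutral. Leaving `exposedbydefault=false` is the important safety default: a container you forget to label stays private instead of being published by accident.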

      • Jwiggins0123456789@alien.topB · 1 upvote · 1 year ago

        Completely true… you should attempt to do streaming over the Cloudflare solution as you will get banned. I would also guess performance might not be great since again the bottleneck is the Cloudflared/Cloudflared container on your network sending and allowing all the data to and from Cloudflare. Fine and dandy for normal work but I would think streaming media and even trying to do something like high end remote video editing is not going to fare well over it unless you give that a lot of good resources and that device itself has a really good network adapter connected to a good switch.

        I mean you will still have a bottleneck local hosting and streaming through your reverse proxy anyways since it goes through the SSL encrypted hosted site and if it is Plex it is totally pointless to do other than for hiding purposes like your server is cloud hosted. You are essentially SSL encrypting the SSL encrypted traffic. You might as well add an additional Wireguard VPN around all of it and then attempt to stream something and watch it all buffer and come back and ask everyone for help.
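The Cloudflare Tunnel alternative discussed in this thread (the `cloudflared` container the replies describe as the bottleneck, with every request funnelled through it) is configured with an ingress file rather than router rules. This is an added example and not code from the thread or from Cloudflare; it assumes a named tunnel was already created with `cloudflared tunnel create`, that the UUID below is replaced with the real one, and that `app` is another container on the same docker network. Zero Trust access policies are attached to the hostname in the Cloudflare dashboard, not in this file.

```yaml
# cloudflared/config.yml (added example; UUID and hostnames are placeholders)
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # one public hostname maps to one internal origin; nothing else on the
  # LAN is reachable through the tunnel, and no router port is forwarded
  - hostname: app.example.com
    service: http://app:8080
  # required last rule: any other hostname gets a 404 instead of an origin
  - service: http_status:404

---
# docker-compose.yml for the connector itself (same added example)
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate --config /etc/cloudflared/config.yml run
    volumes:
      # config.yml plus the credentials JSON from "cloudflared tunnel create"
      - ./cloudflared:/etc/cloudflared:ro
    restart: unless-stopped
```

Because the connector only makes outbound connections, the setup works behind double NAT and requires no port forwarding at all; the trade-off the replies point out is that all traffic, including TLS termination at Cloudflare's edge, passes through that one container, so it should be sized and placed accordingly.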