Yeah, I’m not gonna tell the 50 users of my plex server to set up wireguard on their devices so they can request movies and TV series on my overseer, when I can instead just use NPM to make it publically accessible with a password prompt
Comment on How do you all handle security and monitoring for your publicly accessible services?
Xanza@lemm.ee 1 week ago
By not making them publicly accessible. With Wireguard there’s really no reason.
Setup service to be active on a subnet, enable Wireguard to VPN into the subnet and use the services.
Anivia@feddit.org 1 week ago
Xanza@lemm.ee 1 week ago
Your use case, and OPs, are completely different scenarios. I can’t tell if you’re being purposefully disingenuous or just flippantly stupid.
Slax@sh.itjust.works 1 week ago
I agree with WG however I need https for a few locally hosted items like actual budget so I have that through nginx proxy manager. I was debating adding Authelia in front with some of my others (audiobook shelf, home assistant and music assistant) as sometimes I disconnect from my home network and forget to reconnect.
peregus@lemmy.world 1 week ago
Just out of curiosity, why do you disconnect from your home VPN?
Xanza@lemm.ee 1 week ago
Why not swap from nginx-proxy-manager to Caddy2, which can handle everything? SSL and reverse_proxy?
ikidd@lemmy.world 1 week ago
There should be an option in your phone VPN setup to reconnect if app X is being used.
Xanza@lemm.ee 1 week ago
There is. It’s called VPN Split Tunneling.
If you want to proxify your connection between you and a service, you enable the split. If you don’t care, or want to not use the VPN, then disable it for that application. So it’s effectively “proxify all connections to this app,” which is the same as your use case.
peregus@lemmy.world 1 week ago
Well, that’s kinda of a personal choice. If somebody needs to have services accessible by someone else besides him, that service can’t be behind a VPN (let’s face the truth: we know that we can’t ask all out relatives and friends to use a VPN).
KairuByte@lemmy.dbzer0.com 1 week ago
There’s also something to be said about some services being cordoned off in a VPN while leaving some public with security. I don’t necessarily want everyone within my full network if all I want is to share one service with them.
peregus@lemmy.world 1 week ago
For that, you can restrict access to a single service with iptables.
Xanza@lemm.ee 1 week ago
This is effectively the same damn thing with a single exception. If your VPN is down, there’s no access to your server. If for whatever reason your firewall is down, there’s unrestricted access to your server…
VPN is unquestionably the correct choice 100 times out of 100.
Xanza@lemm.ee 1 week ago
Again, this is the reason VPS’ exist. If that person needs access, then setup Wireguard…
It’s like saying you don’t need a front gate with an access code because then you would have to give out your own access code. But I mean, the lock has the ability to setup more access codes. And you’re saying the only viable option is the leave the gate open and hire a guard to manage access. It’s just… Weird and wrong.
peregus@lemmy.world 1 week ago
What? What’s the difference between a VPS and your home server? You may say that’s a good practice to separate things, so maybe have a a VM with public facing services and another with more private stuff reachable only with a VPN. But for something like Nextcloud, it needs to be public (if you’re not the only one using it), but it contains personal stuff and then comes the OP request!
Xanza@lemm.ee 1 week ago
You’re missing the point. VPS isn’t about separating anything… I’m not even sure what you mean by that. VPS is the accepted practice here. Unquestionably. You create private services, and for security you only expose them to the least amount of people possible. You authenticate via VPS connections. You only have to maintain a single database of users to access any number of services, even tens of thousands.
OP is specifically talking about hosting local content that they want to protect. VPS is the solution here.