Comment on How do you all handle security and monitoring for your publicly accessible services?
Xanza@lemm.ee 1 year ago
By not making them publicly accessible. With Wireguard there’s really no reason.
Setup service to be active on a subnet, enable Wireguard to VPN into the subnet and use the services.
With Wireguard there’s really no reason.
Well, that’s kinda of a personal choice. If somebody needs to have services accessible by someone else besides him, that service can’t be behind a VPN (let’s face the truth: we know that we can’t ask all out relatives and friends to use a VPN).
If somebody needs to have services accessible by someone else besides him, that service can’t be behind a VPN
Again, this is the reason VPS’ exist. If that person needs access, then setup Wireguard…
It’s like saying you don’t need a front gate with an access code because then you would have to give out your own access code. But I mean, the lock has the ability to setup more access codes. And you’re saying the only viable option is the leave the gate open and hire a guard to manage access. It’s just… Weird and wrong.
Again, this is the reason VPS’ exist.
What? What’s the difference between a VPS and your home server? You may say that’s a good practice to separate things, so maybe have a a VM with public facing services and another with more private stuff reachable only with a VPN. But for something like Nextcloud, it needs to be public (if you’re not the only one using it), but it contains personal stuff and then comes the OP request!
You may say that’s a good practice to separate things
You’re missing the point. VPS isn’t about separating anything… I’m not even sure what you mean by that. VPS is the accepted practice here. Unquestionably. You create private services, and for security you only expose them to the least amount of people possible. You authenticate via VPS connections. You only have to maintain a single database of users to access any number of services, even tens of thousands.
OP is specifically talking about hosting local content that they want to protect. VPS is the solution here.
There’s also something to be said about some services being cordoned off in a VPN while leaving some public with security. I don’t necessarily want everyone within my full network if all I want is to share one service with them.
For that, you can restrict access to a single service with iptables.
This is effectively the same damn thing with a single exception. If your VPN is down, there’s no access to your server. If for whatever reason your firewall is down, there’s unrestricted access to your server…
VPN is unquestionably the correct choice 100 times out of 100.
I agree with WG however I need https for a few locally hosted items like actual budget so I have that through nginx proxy manager. I was debating adding Authelia in front with some of my others (audiobook shelf, home assistant and music assistant) as sometimes I disconnect from my home network and forget to reconnect.
Why not swap from nginx-proxy-manager to Caddy2, which can handle everything? SSL and reverse_proxy?
There should be an option in your phone VPN setup to reconnect if app X is being used.
There is. It’s called VPN Split Tunneling.
If you want to proxify your connection between you and a service, you enable the split. If you don’t care, or want to not use the VPN, then disable it for that application. So it’s effectively “proxify all connections to this app,” which is the same as your use case.
Just out of curiosity, why do you disconnect from your home VPN?
Anivia@feddit.org 1 year ago
Yeah, I’m not gonna tell the 50 users of my plex server to set up wireguard on their devices so they can request movies and TV series on my overseer, when I can instead just use NPM to make it publically accessible with a password prompt
Xanza@lemm.ee 1 year ago
Your use case, and OPs, are completely different scenarios. I can’t tell if you’re being purposefully disingenuous or just flippantly stupid.