Yeah, I’m not gonna tell the 50 users of my plex server to set up wireguard on their devices so they can request movies and TV series on my overseer, when I can instead just use NPM to make it publically accessible with a password prompt
Comment on How do you all handle security and monitoring for your publicly accessible services?
Xanza@lemm.ee 1 month ago
By not making them publicly accessible. With Wireguard there’s really no reason.
Setup service to be active on a subnet, enable Wireguard to VPN into the subnet and use the services.
Anivia@feddit.org 1 month ago
Xanza@lemm.ee 1 month ago
Your use case, and OPs, are completely different scenarios. I can’t tell if you’re being purposefully disingenuous or just flippantly stupid.
Slax@sh.itjust.works 1 month ago
I agree with WG however I need https for a few locally hosted items like actual budget so I have that through nginx proxy manager. I was debating adding Authelia in front with some of my others (audiobook shelf, home assistant and music assistant) as sometimes I disconnect from my home network and forget to reconnect.
peregus@lemmy.world 1 month ago
Just out of curiosity, why do you disconnect from your home VPN?
Xanza@lemm.ee 1 month ago
Why not swap from nginx-proxy-manager to Caddy2, which can handle everything? SSL and reverse_proxy?
ikidd@lemmy.world 1 month ago
There should be an option in your phone VPN setup to reconnect if app X is being used.
Xanza@lemm.ee 1 month ago
There is. It’s called VPN Split Tunneling.
If you want to proxify your connection between you and a service, you enable the split. If you don’t care, or want to not use the VPN, then disable it for that application. So it’s effectively “proxify all connections to this app,” which is the same as your use case.
peregus@lemmy.world 1 month ago
Well, that’s kinda of a personal choice. If somebody needs to have services accessible by someone else besides him, that service can’t be behind a VPN (let’s face the truth: we know that we can’t ask all out relatives and friends to use a VPN).
KairuByte@lemmy.dbzer0.com 1 month ago
There’s also something to be said about some services being cordoned off in a VPN while leaving some public with security. I don’t necessarily want everyone within my full network if all I want is to share one service with them.
peregus@lemmy.world 1 month ago
For that, you can restrict access to a single service with iptables.
Xanza@lemm.ee 1 month ago
This is effectively the same damn thing with a single exception. If your VPN is down, there’s no access to your server. If for whatever reason your firewall is down, there’s unrestricted access to your server…
VPN is unquestionably the correct choice 100 times out of 100.
Xanza@lemm.ee 1 month ago
Again, this is the reason VPS’ exist. If that person needs access, then setup Wireguard…
It’s like saying you don’t need a front gate with an access code because then you would have to give out your own access code. But I mean, the lock has the ability to setup more access codes. And you’re saying the only viable option is the leave the gate open and hire a guard to manage access. It’s just… Weird and wrong.
peregus@lemmy.world 1 month ago
What? What’s the difference between a VPS and your home server? You may say that’s a good practice to separate things, so maybe have a a VM with public facing services and another with more private stuff reachable only with a VPN. But for something like Nextcloud, it needs to be public (if you’re not the only one using it), but it contains personal stuff and then comes the OP request!
Xanza@lemm.ee 1 month ago
You’re missing the point. VPS isn’t about separating anything… I’m not even sure what you mean by that. VPS is the accepted practice here. Unquestionably. You create private services, and for security you only expose them to the least amount of people possible. You authenticate via VPS connections. You only have to maintain a single database of users to access any number of services, even tens of thousands.
OP is specifically talking about hosting local content that they want to protect. VPS is the solution here.