Cool if I understand only some of things that you have said. So you have a beginner guide I could follow?
Comment on Jellyfin over the internet
oong3Eepa1ae1tahJozoosuu@lemmy.world 1 month ago
Nginx in front of it, open ports for https (and ssh), nothing more. Let’s encrypt certificate and you’re good to go.
TribblesBestFriend@startrek.website 1 month ago
dataprolet@lemmy.dbzer0.com 1 month ago
Take a look at Nginx Proxy Manager and how to set it up. But you’ll need a domain for that. And preferably use a firewall of some sort on your server and only allow said ports.
TribblesBestFriend@startrek.website 1 month ago
I’ve look a little on it, didn’t understand most of it. I’m looking for a comprehensive beginner guide before going foward
wreckedcarzz@lemmy.world 1 month ago
This isn’t a guide, but any reverse proxy allows to to limit open ports on your network (router) by using subdomains (thisPart.website.com) to route connections to an internal port.
So you setup a rev proxy for jellyfin.website.com that points to the port that jf wants to use. So when someone connects to the subdomains, the reverse proxy is hit, and it reads your configuration for that subdomain, and since it’s now connected to your internal network (via the proxy) is routes to the port, and jf “just works”.
There’s an ssl cert involved but that’s the basic understanding. Then you can add Some Other Services at whatever.website.com and rinse and repeat. Now you can host multiple services, without exposing the open ports directly, and it’s easy for users as there is nothing “confusing” like port numbers, IP addresses, etc.
SapphironZA@sh.itjust.works 1 month ago
Why would you need to expose SSH for everyday use? Or does Jellyfin require it to function?
Maybe leave that behind some VPN access.
WhyJiffie@sh.itjust.works 1 month ago
I agree, but SSH is more secure than Jellyfin. it shouldn’t be exposed like that, others in the comments already pointed out why
cm0002@lemmy.world 1 month ago
Also run the reverse proxy on a dedicated box for it in the DMZ
Ptsf@lemmy.world 1 month ago
Honestly you can usually just static ip the reverse proxy and open up a 1:1 port mapping directly to that box for 80/443. Generally not relevant to roll a whole DMZ for home use and port mapping will be supported by a higher % of home routing infrastructure than DMZs.
oong3Eepa1ae1tahJozoosuu@lemmy.world 1 month ago
In a perfect world, yes. But not as a beginner, I guess?
cm0002@lemmy.world 1 month ago
It’s beginner level, the hard part is the reverse proxy, once you have a grasp on that just having it on a dedicated box in a segmented portion on your firewall designated as the DMZ is easy. Id even go so far as to say its the bare minimum if you’re even considering exposing to the internet.
It doesn’t even need to be all that powerful since its just relaying packets as a middleman
Novi@sh.itjust.works 1 month ago
I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
30p87@feddit.org 1 month ago
fail2ban with endlessh and abuseipdb as actions
Anything that’s not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
mosiacmango@lemm.ee 1 month ago
Youve minimized login risk, but not any 0 days or newly discovered vulnerabilites in your ssh server software. Its still best to not directly expose any ports you dont need to regularly interact with to the internet.
Also, Look into crowdsec as a fail2ban replacement. Its uses automatically crowdsourced info to pre block IPs. A bit more proactive compared to abuseipdb manual reporting.
Thaurin@lemmy.world 1 month ago
I have the firewall of my VPS reject any IP range except the ones I’m on frequently, that is mobile, home and work. Sucks when you travel, but otherwise works alright.
Still exposes ports to some people on the same mobile or home internet service networks…
oong3Eepa1ae1tahJozoosuu@lemmy.world 1 month ago
Sorry, misunderstanding here, I’d never open SSH to the internet, I meant it as “don’t block it via your server’s firewall.”
fuckwit_mcbumcrumble@lemmy.dbzer0.com 1 month ago
Change the port it runs on to be stupid high and they won’t bother.
caseyweederman@lemmy.ca 1 month ago
Yeah hey what’s your IP address real quick? No reason
fuckwit_mcbumcrumble@lemmy.dbzer0.com 1 month ago
In 3 years I haven’t had a single attempted connection that wasn’t me. Once you get to the ephemeral ports nobody is scanning that high.
I’m not saying run no security or something. Just nobody wants to scan all 65k ports. They’re looking for easy targets.
Everyday0764@lemmy.zip 1 month ago
i have ssh on a random port and only get so many scan, so low that fail2ban never banned anyone that was not myself (accidentally).
Auli@lemmy.ca 1 month ago
Ssh has nothing to do with scanning. Your IP and everyone else up is being scanned constantly. In ipv4 space at least.