Comment - FBXL Lotide

Comment on The first publicly open instance

Have you considered Cloudflare Tunnels/Zero Trust. When you use Cloudflare Tunnels/Zero Trust, you don’t need to fiddle with NAT, open any ports, in fact you don’t need any open ports. You just install Cloudflare Tunnels/Zero Trust on your server, connect to your Cloudflare Tunnels/Zero Trust account, and Cloudflare does the rest. To deploy Cloudflare Tunnels/Zero Trust you will need a domain name. Cloudflare will sell you a domain name but I think most get something cheap from NamesCheap or Pork Bun. When you have secured a domain name, switch the nameservers to the ones that Cloudflare assigns you. Jacks a doughnut, Bob’s your uncle.

ETA: Obviously you’ll need port 22 for administration.

sudo ufw default deny incoming

sudo ufw default allow outgoing

source

Sort:hotnew top

kossa@feddit.org ⁨5⁩ ⁨days⁩ ago
Ngl, with how often I just read “Cloudflare Tunnels/Zero Trust” this sounds like an ad.

A shitty ad like Chuck Testa.

source
- irmadlad@lemmy.world ⁨4⁩ ⁨days⁩ ago
  I recommend what works well for me. I assume others are doing the same. It’s a big umbrella. We can all coexist.
  
  source
commonmarmoset@reddthat.com ⁨5⁩ ⁨days⁩ ago
I think this is an excellent suggestion. I used Cloudflare tunnels until recently, and it was very effective. However, I stopped because of a minor issue, which I’ll mention in case its a deal breaker for anyone.

Technically, using Cloudflare tunnels for Jellyfin is a ToS violation. You’re only allowed to do so if you have an enterprise account, which is quite expensive.

I heard from a “friend of a friend” that everyday users don’t need to worry about this. Cloudflare are aware of people using tunnels with Jellyfin and they aren’t fussed. The rule is supposedly there to combat large scale piracy.

However, I have heard that cloudflare does decide to start caring if they can use jellyfin use as an extra excuse to kick anybody involved in other ToS violations.

In all likelihood, this won’t be a problem for you. While I used tunnels, they worked perfectly. However, given that you are going to go to the effort of sorting out some level of infrastructure for yourself, its something to keep in mind.

source
- irmadlad@lemmy.world ⁨5⁩ ⁨days⁩ ago
  
  Technically, using Cloudflare tunnels for Jellyfin is a ToS violation. You’re only allowed to do so if you have an enterprise account, which is quite expensive.
  
  I’ve heard people say this, and I’ve heard people say you can’t stream music. Tho I do not run the 'arr stack or Jellyfin, I do run Navidrome almost 24/7/365. But it’s something to keep in mind.
  
  ETA: I am the sole user
  
  source
Kkk2237pl@lemmy.world ⁨5⁩ ⁨days⁩ ago
Yeah, but if my server is in the local network, I have potential threat that someone will access my lan through public server

source
- irmadlad@lemmy.world ⁨5⁩ ⁨days⁩ ago
  Well, you could do network segmentation:
  
  Put the server in a DMZ or separate VLAN if your router supports it. This isolates it from your main devices (computers, phones, IoT). I’m not sure what router you have buy many consumer routers have a “guest network” that can serve this purpose.
  
  Utilize UFW rules. Mine are:
  
  sudo ufw default deny incoming
  
  sudo ufw default allow outgoing
  
  Anywhere ALLOW IN 192.168.1.0/24
  
  22 ALLOW IN 192.168.1.0/24
  
  22 on tailscale0 ALLOW IN Anywhere
  
  22 (v6) on tailscale0 ALLOW IN Anywhere (v6)
  
  Also:
  
  sudo ufw allow out to 1.0.0.1 port 53 # DNS only
  
  sudo ufw allow out to 1.1.1.1 port 53
  
  sudo ufw deny out to 192.168.1.0/24 # Block LAN access except admin
  
  So now I have SSH capability locally and through Tailscale installed on the server and this prevents the server from initiating connections to other LAN devices. You can do alot with UFW and Fail2Ban in conjunction with Cloudflare Tunnels/Zero Trust.
  
  source