In very basic terms, and why you want to do them:
Attack surface is the ports and services you are exposing to the internet. Keep this as small as possible to reduce the ways your setup can be attacked.
Network topology is the layout of your home network. Do you have multiple VLANs/subnets, or firewalls that restrict traffic between internal networks? A DMZ is probably a simple enough approach that is available on some home-grade routers. This is so that if your server gets breached, it minimises the amount of damage that can be done to other devices in the network.
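As an added example (not part of the original comment), one way to take stock of a server's attack surface is to sort its listening TCP sockets by how widely they are bound. The sample `ss -H -tln` output is constructed, and the function names `classify_listener` and `audit` are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
LISTEN 0      511             [::]:443           [::]:*
LISTEN 0      128     192.168.1.10:8080       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128            [::1]:631           [::]:*
LISTEN 0      128                *:9090             *:*
"""

WILDCARDS = {"0.0.0.0", "::", "*"}  # bound to every interface


def classify_listener(local):
    """Return (port, scope) for one 'address:port' field from ss."""
    host, port = local.rsplit(":", 1)
    # Drop a %interface suffix first, then IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    if host in WILDCARDS:
        scope = "all-interfaces"
    elif ipaddress.ip_address(host).is_loopback:
        scope = "loopback"
    else:
        scope = "specific-address"
    return int(port), scope


def audit(ss_output):
    """Map each scope to the sorted list of ports listening in it."""
    result = {"all-interfaces": [], "specific-address": [], "loopback": []}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank or unexpected lines
        port, scope = classify_listener(fields[3])
        result[scope].append(port)
    return {scope: sorted(set(ports)) for scope, ports in result.items()}


if __name__ == "__main__":
    # Loopback-only services are not reachable from other machines; the rest
    # are reachable from the LAN, and from the internet only if the router
    # forwards the port to this host.
    for scope, ports in audit(SAMPLE_SS_OUTPUT).items():
        print(f"{scope:17} {ports}")
```

Anything listed under `all-interfaces` or `specific-address` that does not need to be reachable from other machines is a candidate for rebinding to loopback or for a host firewall rule.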
BearOfaTime@lemm.ee 10 months ago
If you don’t understand these terms, you probably shouldn’t be exposing any kind of port on your router. Seriously, not being snarky.
I used to teach multiple levels of Cisco classes, and I wouldn’t expose a port these days, I don’t know enough.
Instead, I’d recommend using Tailscale on a home machine and your mobile devices.
Using Tailscale, you can also selectively expose a service to the wider world (not just devices running Tailscale), using the Funnel feature.
I’d say it’s your safest intro to accessing self-hosted resources from just about anywhere.
milkytoast@kbin.social 10 months ago
I would need to open a port even if I were to use a domain name, correct? Would hiding the IP behind a reverse proxy be enough? Is Nextcloud's brute force protection not enough?
BearOfaTime@lemm.ee 10 months ago
A reverse proxy helps, a LOT, like practically eliminating the issue because authentication happens at the proxy, not your port. I’ve never set one up, but I think your local system makes an outbound connection to the proxy, creating the tunnel. In this way no one ever knows what they’re really connecting to - the proxy appears to be the endpoint.
Which is essentially what Tailscale Funnel does - they expose an interface, then encrypt a tunnel between your Tailscale network and that “proxy”.
Same concept, just all rolled into one thing, a check box and a little config info. TS Funnel will create the URL to access your service. I suppose you could create another domain/URL and have it redirect (or use a link shortener) to make it easier to share. I think by default it uses your Tailscale network name as the domain, and adds to it to define the service.
tailscale.dev/blog/funnel-serve-demo
milkytoast@kbin.social 10 months ago
first I have to find out if my ISP will even let me open a port lol
thanks tho :)