Security Audit Help

Submitted ⁨⁨8⁩ ⁨months⁩ ago⁩ by ⁨retrieval4558@mander.xyz⁩ to ⁨selfhosted@lemmy.world⁩

Hi all,

I’ve recently built a unRAID based NAS / Media acquisition (*Arr suite) machine that I’m really happy with, but I need help filling my knowledge gaps in networking and security.

I have all the relevant containers ran with docker. The only container behind a VPN is qbittorrent. The only containers which are accessible remotely are Jellyfin, and jellyseerr, which are accessed via cloud flare tunnel. I use strong UN/password combinations for access to those services, within the apps themselves.

I’ve seen a lot of talk of reverse proxies and ssl certificates but don’t really understand their function, or if the cloud flare tunnel replaces those functions.

I’ve heard of tailscale as a solution but I’m not able to install anything on computers which I’ll be accessing the content.

Would appreciate advice or resources to learn from. Thanks!

source

Comments

Sort:hotnew top

HamSwagwich@showeq.com ⁨8⁩ ⁨months⁩ ago
The cloudflare tunnel is the reverse proxy in this case. No particular need to run another. Are you using the docker cloudflared to set up the tunnel?

In my case, I use NGINX that connects to the cloudflare side and parse everything out from there, and I haven’t used the cloudflared docker, but I imagine that makes things easier. I set everything up before Cloudflare tunnels were a thing, so I didn’t really want to rejigger everything. If were doing it from scratch, I’d probably go with Cloudflare.

Inb4 the Cloudflare is Bad and is a MITM attack people. Yes, it is, but it’s about opportunity cost. I’m not doing anything I care that Cloudflare sees, so I’m fine using it for simplicity sake, and I imagine they do a better job of security than I do, and I can manage stuff on a well configured dashboard instead of a command line. I’m more interested in blocking people who AREN’T cloudflare from screwing with my shit than I am in keeping Cloudflare out of my business. I use a VPN for things I don’t want to run through Cloudflare (like Torrents).

source
- retrieval4558@mander.xyz ⁨8⁩ ⁨months⁩ ago
  I am using the official “cloudflared” docker image yeah. Setting up the tunnel was easy but for some reason I’ve had A LOT of trouble getting the DNS and subdomain settings to work consistently.
  
  source
Max_P@lemmy.max-p.me ⁨8⁩ ⁨months⁩ ago
How are you currently accessing those services?

If you're using Cloudflare tunnels already, then you're good. It already acts as a secure VPN between you and Cloudflare, and they handle the TLS certificates for you already.

TLS is what puts the S in HTTPS: it provides encryption and security of the connection. If you didn't use Cloudflare tunnels, you'd be port forwarding and serving the content directly from your public IP at home. To secure those connections, you'd need a reverse proxy. That's usually NGINX these days, and its purpose is to serve as a hub to reach all of your services. It would go Internet -> your router -> your server -> NGINX -> whatever container it needs to go to. As you can see, it's basically the entry point of your stuff.

To securely access it from the outside, you can either use a TLS certificate handled by NGINX (LetsEncrypt is easy to use and provides them for free), or you set up a VPN (that's what Tailscale would do) so that it doesn't matter if you access your server over plain text HTTP.

The key here is really just that you want your traffic to be encrypted in some way when it goes over the Internet, as otherwise, it doesn't matter that you have a strong password, everyone could see it anyway.

So, you usually want one of the 3 options: CF tunnels, self managed NGINX that you access directly over the Internet with a TLS certificate, or a VPN to your home network which automatically secures traffic between your device and your home network over the Internet.

Since you use CF tunnels, you used the first option and you're all good out of the box!

source