mic_check_one_two
@mic_check_one_two@lemmy.dbzer0.com
- Comment on Is they're an easy way to make my Jellyfin accessible outside of my home network 6 days ago:
I actually just updated it slightly, and may continue to do so if I think of things. So you may simply want to check back here instead of printing it.
- Comment on Is they're an easy way to make my Jellyfin accessible outside of my home network 6 days ago:
On Cloudflare, you’ll want to set a record to point any relevant subdomains to your current WAN IP address. IPv4 will be an A Name record. IPv6 would be an AAAA Name record, but I’m not going to deal with IPv6 for this…
So for instance, maybe you have a
peepee.example.comsubdomain, apoopoo.example.comsubdomain, etc which all point to your WAN IP address. That will basically tell Cloudflare’s DNS to forward any traffic for those subdomains to your WAN IP.Next, you’ll want to set up a reverse proxy service. This will be something like Nginx Proxy Manager, Caddy, etc that you run on a device on your LAN. It can even be on the same machine running your various services. The big reverse proxies all offer Docker images, so you can incorporate it directly into an existing Docker stack if you already have one. Personally I use NPM, but Caddy is also very popular.
You’ll tell this reverse proxy “when you receive valid traffic addressed to {subdomain}, forward it to {relevant service on your LAN}.” You can also set some additional options for each subdomain, like automatically upgrading to https. For instance, maybe
peepee.example.comforwards to192.168.1.100:42069on your LAN, and is configured to automatically upgrade any http traffic to https, and to require https.You can also set up automatic TLS certificate renewal, so https traffic can be properly encrypted. The reverse proxy will need an API key, and it will allow the service to automatically check expiration dates and pull a fresh TLS cert for your domain if the date is coming up soon.
You’ll probably want to use a wildcard certificate, (basically
*.example.com) because the TLS certificates are open to the public. So if you do individual certs for all of your various services, bots will scrape the public records and you’ll inevitably get a lot of bot traffic probing your various subdomains. A wildcard domain usually means the bots hit the standardexample.comandwww.example.comfirst, which makes them super easy to detect and block. I even have rules set up to automatically block anything that tries to access my www subdomain, because I specifically don’t host a landing page and don’t have anything available there. So I know that any traffic hitting that www subdomain is a bot trying to access common subdomains.Next, you’ll want to forward ports 80 and 443 to your reverse proxy. Port 80 is the standard port for http traffic, and 443 is the standard port for https traffic. These will be the ports that your reverse proxy actually receives the traffic on, before forwarding it to the various services.
Finally, for some ease-of-maintenance, you may want to consider adding a DDNS service (like Cloudflare-DDNS) to your docker stack. This will occasionally check your current WAN IP, and update it with Cloudflare if necessary. For example, if you have an outage and your router gets a new WAN IP when it boots back up again. Normally you would need to manually go to Cloudflare and update the IP info to point at your new address. But DDNS does that automatically.
The way traffic flows when it is all set up is along these lines:
- A device wants to access your service at
peepee.example.com. It doesn’t know where to find that site, so it asks a DNS server. - Cloudflare has told all of the various DNS servers “hey,
peepee.example.comcan be found at {your IPv4 WAN address}”. - The device follows that DNS record, and attempts to connect to your IPv4 WAN address, on port 80 or 443. For this example, let’s say it tries to connect on port 80 for standard http traffic. The device knocks on port 80’s door and says “hey, I’m here to access
http://peepee.example.com/.” - Your reverse proxy checks the configured list, finds the valid
peepee.example.comsubdomain, finds it has a valid TLS cert, finds it is configured to automatically upgrade to https, and responds “Yes, please upgrade to https. Http traffic is not allowed.” - The external device knocks again, this time on port 443’s door. It goes “hey, I’m here to access
https://peepee.example.com/. Your reverse proxy goes “thank you, here is the TLS cert and my half of the TLS security handshake.” - Your external device uses the data in the TLS cert to validate and complete the TLS handshake with the reverse proxy, and the traffic between the reverse proxy and your external device is now encrypted with https. Your device gets the nice little “secured” padlock icon in your browser. Because the traffic is encrypted, a malicious actor may be able to tell what kind of info you are passing (for example, a video stream will likely have a pretty obvious pattern) but they won’t be able to see what specific data you are passing. They may be able to tell that you’re streaming a video, but they won’t know which video specifically.
- The reverse proxy forwards the traffic to the service, configured at
192.168.1.100:42069. - Your service does not ever know the device is being accessed via WAN, because (as far as the service can tell) the traffic is coming from your reverse proxy (also a LAN device). So any “pay to use WAN” services will continue to work for free.
- The external device never gets access to info like the specific LAN IP or port number, because it only has access to the reverse proxy. All of the traffic is passing back and forth between the reverse proxy.
But notably, keep in mind that the reverse proxy didn’t do any actual user authentication. If your service has a weak password, a reverse proxy will act as a gateway for any potential hackers to gain access to the service. And any vulnerabilities in the service will still be accessible via the reverse proxy, because the reverse proxy is simply making sure the request is valid, and then passing the traffic back and forth. It isn’t actually inspecting the content of that traffic, so it’s not going to stop things like attackers.
- A device wants to access your service at
- Comment on Is they're an easy way to make my Jellyfin accessible outside of my home network 1 week ago:
Was going to comment something along the lines of “Inb4 someone posts that obscurity will keep you secure” but here you are. No, you won’t be secure just because it’s on IPv6. And TLS certs are open to the public, (they literally have to be, since any device attempting to access your server needs to be able to validate the cert) so bots will scrape them and instantly have whatever you made it for. So it wouldn’t even keep you obscure.
- Comment on Selfhosted & AI - Part 2: The Results 1 week ago:
I’m honestly shocked that nobody has corrected my incorrect usage of Poe’s Law.
- Comment on Selfhosted & AI - Part 2: The Results 1 week ago:
I think this is a very well thought out approach to handling it. I can’t personally think of any better solutions, at least. I probably would have chosen some different phrasing for the tags, (CBH feels… Disconnected? I’d probably go with something like “No AI” or “AI-Free” instead), but that’s just a matter of personal diction. Outright banning posts about projects that use AI likely isn’t going to be feasible in the long run, and I think that simple declaration requirements will go a long way towards encouraging people to actually disclose their usage.
If you outright ban it, people will simply hide their usage. It feels like it’s akin to the US War On Drugs^TM^ in that way. If you allow it and simply require responsible disclosure, more people will be inclined to be upfront about it. And that allows projects to be more accurately audited and vetted. The same way the war on drugs consolidated power to organized gangs (by making them the only ones capable of producing and transporting illegal drugs at scale), an outright ban on AI would only encourage people to hide their usage.
One potential way I see people trying to skirt the rules regarding self-promos is via proxy/strawman accounts. It would be trivial for me to spin up a dummy account and post my own project as an “I found this cool project but don’t have to disclose my AI use because I didn’t make it” post. I don’t personally have any projects in the works to post about, but I can easily see someone using it to try and skirt the disclosure requirements. Especially when we have seen situations like the (now infamous) Huntarr debacle, where the vibe-coder dev was actively avoiding AI disclosures. Because they knew it would tank the project’s popularity if people knew it was vibe coded.
I’m not sure if there is a good solution for this potential issue, except maybe to limit posts by new users. But even that is trivial to bypass. If you limit them based on account age, simply making a few strawman accounts and waiting for them to age is easy. Hell, I already have a few old throwaway accounts that I could swap over to whenever I want, and I’m not even planning anything nefarious.
There are similar problems with restricting users based on post/comment count, as that will likely stifle discussion from new users who are trying to be active in the community. One of the more frustrating parts about Reddit was that many of the most popular subs banned posts from users who were below a certain post karma threshold or who didn’t have enough previous posts. It created a catch-22 where you needed to have a few popular posts before you were allowed to make any posts. So there were people posting on random niche subs, simply for karma farming before they could then post on the larger subs. And if I was a vibe coder without scruples who is already looking to skirt the rules, it would be trivial for me to spin up an LLM and let it make a few comments before I start using it as a dummy account.
This may end up being a non-issue in the grand scheme of things. But I figured I’d mention it, because I genuinely don’t see a good solution for patching the big glaring hole in the self-promo rule. You’re absolutely correct that requiring disclosure for every post is unrealistic, because lots of users who post projects here aren’t the devs. They just stumbled across a cool project and wanted to share it, and they have no realistic way of knowing if the project uses AI. And if you restrict promo posts to only devs, you’ll only get posts from the people who fall into the (likely very small) overlapping section on the “is a Lemmy user” and “makes projects” Venn diagram. Lemmy is already a small community in the grand scheme of things. And restricting promo posts to only the people actively developing the projects would make it feel even smaller.
If I do use mine, I’ll put it up on codeberg so everyone can see exactly what its doing… and then get mad and tell me there is a better way.
Poe’s Law is always in effect. The best way to get an answer on the internet is not to ask a question; it is to post an incorrect answer, because people will go out of their way to correct you.
- Comment on Latest success Jellyfin rocks! 1 week ago:
Yes, but not everything does. But luckily, Docker exists on Windows. So anything that runs on Docker can be run on Windows.
Given, Docker’s implementation on Windows is… Uhh… Not Great^TM^. Because it’s basically using WSL to trick Windows into supporting a Linux file system. So it has some quirks. But it does technically work.
- Comment on Latest success Jellyfin rocks! 1 week ago:
You have trouble getting Docker to auto-start on Windows? I thought that was the default behavior…
- Comment on Latest success Jellyfin rocks! 1 week ago:
Yeah, I keep a “Kids” profile on my server, specifically so I can throw Bluey, Mr Rogers Neighborhood, Miss Rachel, etc on and not worry about it. The Elsagate thing with YouTube means you can’t just put on YouTube kids and expect auto-played content to stay safe. But with my server, running solely on content I have curated, I know that everything in that “Kids” profile is going to be safe.
- Comment on Self hosting: real game starts today @ selfhosted So, it' 1 week ago:
Yeah, WordPress is an extremely common vector for automated attacks. It’s highly expandable, but those plugins often aren’t secure. Even my tiny site (it isn’t running WordPress, and doesn’t even have a landing page because I only use it for my own stuff) sees a ton of attempted Wordpress attacks.
- Comment on Why I moved my Plex library to Jellyfin after 14 years 4 weeks ago:
You’ll need to do some config on the actual services as well. Mostly in regards to telling it how you want to add things to your wanted list, how it should search for files, how you want it to download files, how it should handle downloaded files to be compatible with your media server, etc… Docker-compose can do a lot, but the *arr services are too granular to define everything directly in the compose file. You’ll need to actually configure the services after they are booted up via docker.
My stack includes the following:
Prowlarr for tracker management. This defines the various search methods, and makes them available for the rest of the stack.
Seerr for media requests. This manages what shows/movies are on the stack’s search list.
Sonarr for TV shows. Seerr tells it what to search for. It takes the relevant trackers from Prowlarr, and uses them to search for wanted media. It grabs media from the search based on quality profiles. For instance, my profiles are set to exclude 3D media, because none of my screens can display 3D. This is synced with my torrent client for automated downloads. When a download is completed, it automatically creates a hardlink in the relevant media folder for my media server to find. It uses the specific naming scheme for the media program, so the program can automatically detect info about the files.
Radarr for movies. Same basic concept as Sonarr.
Cleanuparr for download management (and some basic malware protection). Tracks downloads’ ratios, and automatically removes them from my torrent list when the ratio/time threshold is met. It also tracks “slow” torrents and will automatically retry them if a torrent is stalled/slow for too long. Also does some basic “movie.mp4.exe” torrent checking, to automatically block malicious downloads that get grabbed by the rest of the stack.
Bazarr for subtitle downloads. Automatically analyzes my media, and finds matching subtitle files for my media server to use.Each of these will require specific config steps. For instance, Prowlarr will need to know which torrent/usenet trackers you want to use. Sonarr will need to know how to interface with your download client, which files to grab based on quality profiles, and how to rename files during import.
- Comment on Email ownership, I give up. 4 weeks ago:
I prefer to follow the advice from people who actually set up and maintain email servers: “Fucking don’t. It’s not worth it.”
Just get a custom domain and run it through an existing email provider.
- Comment on Why I moved my Plex library to Jellyfin after 14 years 4 weeks ago:
40TB, but that’s way more than I would realistically need if I was better about deleting old content. I have shows saved that I haven’t watched in years. With the *arr stack, there is very little reason to keep a lot of media saved, because reacquiring it again in the future is dead simple.
- Comment on Upgrading ungrounded two-prong outlets to grounded three-prong? 9 months ago:
Until someone does a repair using a non-conductive replacement part. If your ground is running through your sink, and your sink springs a leak, there’s a non-zero chance that the new install will be PEX instead of copper. Still up to code from a plumbing standpoint, but now people in the upstairs shower are getting shocked because the upstairs outlets are tied into ungrounded plumbing.
- Comment on Plex now will SELL your personal data 1 year ago:
Yeah, if you’re 100% local, that’s basically the ideal use case for Jellyfin. Plex really shines when it comes to remote access. But if you never use that, then there’s very little reason to use it over Jellyfin.
- Comment on Plex now will SELL your personal data 1 year ago:
Yup, just spin up a second Docker image for your porn Jellyfin server. Copy your transcoding settings over from the existing image, and point the new image at different media folders.
- Comment on Plex now will SELL your personal data 1 year ago:
It literally gives you a gigantic “hey we want to sell your data. Do you want to allow that” prompt when you open it. They didn’t even make the “no, don’t sell my data” button grey and tiny like so many cookie prompts do. Plex went out of their way to put it up front and center, instead of quietly burying it in an obscure opt-out. There are plenty of perfectly valid complaints about Plex… But if a company wants to sell my data, (and here’s a spoiler warning: They all want to) this is how it should be handled.
- Comment on Plex now will SELL your personal data 1 year ago:
And a Samsung TV app. There’s an entire branch of Samsung TVs that require side loading to get a Jellyfin app installed.
- Comment on Plex now will SELL your personal data 1 year ago:
Didn’t even need to dig. As soon as I opened Plex in my browser, it gave me a giant full screen “hey we want to sell your data. Do you consent” page. I disagree with data sale in general, but at least they didn’t go out of their way to bury the opt out. In fact, they actually went out of their way to present the notification in a way that was impossible to miss. If you’re capable of reading, you’ll know what the popup is for.
- Comment on Plex now will SELL your personal data 1 year ago:
Yeah, being a novice in the FOSS scene can be extremely frustrating sometimes. It can very easily start feeling like you’re reading documentation for a plumbus, where every single sentence seems to introduce a new term you’re unfamiliar with. And it often assumes you’re already intimately familiar with how these new terms work. So even just reading the documentation for one specific thing often means having fifty different tabs open, as you also have to read documentation about a ton of dependencies or terms.
- Comment on Plex now will SELL your personal data 1 year ago:
Yeah, the sad reality is that Plex’s setup experience is much smoother. And when you’re trying to convert people, the single largest obstacle is often social inertia. So lowering the barriers to entry is extremely important. My mother-in-law would need to sideload the Jellyfin app onto her TV, but Plex is available right on its app store.
Luckily, you can run both side by side. Jellyfin for me and my more tech-literate friends, Plex for those who don’t know/don’t care to learn.