I’ve been researching different ways to expose Docker containers to the internet. I have three services I want to expose: Jellyfin, Omnivore (Read-it-later app), and Overseerr.

I’ve come across lots of suggestions, like using Nginx with Cloudflared, but some people mention that streaming media goes against Cloudflared tunnel TOS, and instead recommend Tailscale, or Traefik, or setting up a WireGuard VPN, or using Nginx with a WireGuard VPN.

The amount of conflicting advice has left me confused. So, what would be the best approach to securely expose these containers?

  • Shimitar@feddit.it (4 up, 1 down) · 3 days ago

    Sorry third post. Trying to summarize.

    1. Get external access. Either via port-forward (you lucky American) or via VPS+ssh-tunnel or VPS+WireGuard. Stay away from a hard dependency like Tailscale and Cloudflare (my personal opinion).

    2. Set up a reverse proxy with SSL certs via Let's Encrypt (don't go wildcard, no need to, it just adds complexity).

    That's the concept; the implementation clearly requires extra steps…

    See my wiki (https://wiki.gardiol.org/). I describe both the simple and the complex solution. But to be honest, the complex solution is not fully described yet.

    • archomrade [he/him]@midwest.social (2 up) · 2 days ago

      Is the reason you advocate avoiding VPN dependencies simply due to downtime if the tailscale service fails? Or is there a particular security vulnerability associated with using VPN subnets?

      • Shimitar@feddit.it (2 up) · 2 days ago

        Mostly not being dependent on a specific vendor, that's all.

        I prefer to use a VPS of my choice that I can replace when I want or need to.

        As long as it's backed by WireGuard it's safe enough, I guess.

    • MoonlitSanguine@lemmy.one (OP) (2 up) · 3 days ago

      I am leaning towards WireGuard, as I don't think I'm behind a CGNAT. But I'll check out your wiki for more details. Thank you.

      • @shimitar’s advice is what I’d go with.

        Ideally:

        1. Set up a WireGuard subnet. Test it thoroughly, including restarting the server a couple of times.
        2. Close all ports except your WireGuard ports in your server firewall. Do this manually first (not persistent) and test.
        3. Make the firewall changes permanent.

        Then, it kinda doesn’t matter what else you do on the server, although you can fuss around with locking things down more.

        Caveats:

        • you won't be able to use Let's Encrypt with this
        • accessing your services from an Android phone will be futzy, because Android is too stupid to be able to use more than one VPN at a time. Unless you don't use a VPN on your phone, in which case it won't be an issue.
        • you'll only be able to access your server from computers/systems in your WireGuard subnet, so make sure you include multiple devices in the config from which you can ssh

        WireGuard is super easy to build VPN networks with, and there are tools (e.g. dsnet) to make it even easier.
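The three steps in the comment above (a WireGuard subnet with more than one peer, a host firewall closed to everything but the WireGuard port, applied by hand and tested before being made permanent) and the VPS+WireGuard variant of Shimitar's step 1, as an added worked example. This is not code from the thread, from Shimitar's wiki or from any project mentioned here. The interface name wg0, the tunnel subnet 10.8.0.0/24, UDP port 51820, the peer addresses, the key placeholders and the Debian/Ubuntu nftables file layout are all assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project named in it.
# Renders (a) a WireGuard server config with two peers, (b) a peer config,
# and (c) an nftables ruleset that leaves only the WireGuard UDP port
# reachable from the internet, with SSH accepted only over the tunnel.
# The apply step is deliberately non-persistent and arms a timed rollback,
# so a mistake that drops your tunnel undoes itself instead of locking you out.
# Assumed (hypothetical) values: interface wg0, tunnel 10.8.0.0/24, UDP 51820.
set -eu

WG_IF="${WG_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"
WG_SERVER_IP="${WG_SERVER_IP:-10.8.0.1}"
ROLLBACK_SECS="${ROLLBACK_SECS:-300}"

# Keys are placeholders. Generate each pair with:
#   wg genkey | tee name.key | wg pubkey > name.pub
render_wg_server_conf() {
  cat <<EOF
[Interface]
Address = ${WG_SERVER_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = <server-private-key>

# Laptop: ssh and the web UIs
[Peer]
PublicKey = <laptop-public-key>
AllowedIPs = 10.8.0.2/32

# Phone: a second device, so a lost laptop does not lock you out of ssh
[Peer]
PublicKey = <phone-public-key>
AllowedIPs = 10.8.0.3/32
EOF
}

# Peer config: routes only the tunnel subnet through the tunnel, so it
# coexists with the device's normal traffic (Android's one-VPN limit still applies).
render_wg_peer_conf() {  # $1 = this peer's tunnel address, e.g. 10.8.0.2
  cat <<EOF
[Interface]
Address = $1/32
PrivateKey = <this-peer-private-key>

[Peer]
PublicKey = <server-public-key>
Endpoint = <server-public-ip>:${WG_PORT}
AllowedIPs = ${WG_SERVER_IP%.*}.0/24
PersistentKeepalive = 25
EOF
}

# Host firewall: default-drop inbound, WireGuard UDP from anywhere, SSH only
# if the packet arrived through the tunnel interface. Nothing else is open.
render_nft_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr ipv6-icmp accept
    udp dport ${WG_PORT} accept
    iifname "${WG_IF}" tcp dport 22 accept
  }
}
EOF
}

# Step 2: apply by hand, not persistently. A background timer restores the
# previous ruleset after ROLLBACK_SECS unless confirm_firewall is run from a
# session that came in over the tunnel (proving the tunnel survived).
apply_firewall_temporarily() {
  nft list ruleset > /tmp/nft.before
  ( sleep "$ROLLBACK_SECS"; nft flush ruleset; nft -f /tmp/nft.before ) &
  echo $! > /tmp/nft.rollback.pid
  render_nft_ruleset | nft -f -
  echo "applied; automatic rollback in ${ROLLBACK_SECS}s unless confirmed"
}
confirm_firewall() { kill "$(cat /tmp/nft.rollback.pid)"; rm -f /tmp/nft.rollback.pid; }

# Step 3: persist (Debian/Ubuntu nftables layout assumed; adjust for your distro).
persist_firewall() {
  render_nft_ruleset > /etc/nftables.conf
  systemctl enable nftables
}

case "${1:-render}" in
  render)  render_wg_server_conf; echo; render_wg_peer_conf 10.8.0.2; echo; render_nft_ruleset ;;
  apply)   apply_firewall_temporarily ;;
  confirm) confirm_firewall ;;
  persist) persist_firewall ;;
esac
```

Run it without arguments to review the three rendered files, then `apply` from a console or existing session, reconnect over the tunnel, and `confirm` from that new session before `persist`. One Docker-specific check this comment's "close all ports" step does not cover: ports published with `-p 8096:8096` are DNATed by Docker's own iptables rules before the input chain is consulted, so they stay reachable from the internet even under this ruleset. Publish them on the tunnel address only (`-p 10.8.0.1:8096:8096`, or on 127.0.0.1 behind a reverse proxy that listens on wg0), and verify from a host outside the tunnel that a TCP scan of the public IP (`nmap -p- <public-ip>`) reports nothing open.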