Hi all. Noob question/s here. I want to be able to access my Immich server (docker) externally and maybe set up some others (e.g. Mealio). My understanding is that I need (should) use NGINX reverse proxy for this. My questions are:

  1. Do I need to set up NGINX on a VPS (or similar cloud based server) to send the queries to my home box?

  2. Do I need to purchase a domain (randomblahblah.xyz) to use as the main access route from outside my house?

Thanks a lot.

  • PriorProject@lemmy.world
    link
    fedilink
    English
    arrow-up
    14
    ·
    1 year ago

    Do I need to set up NGINX on a VPS (or similar cloud based server) to send the queries to my home box?

    A proxy on a VPS is one way to do this, but not the only way and not necessarily the best one… depending on your goals.

    • You can also use port-forwarding and dyndns to just expose the port off your home-ip. If your ISP is sucky, this may not work though.
    • You can also use Cloudflare’s free tunneling product, which is basically a hosted proxy that acts like a super port-forward that bypasses sucky ISP restrictions.
    • If you want to access Immich yourself from your own devices but don’t need to make it available to (many) others on devices you don’t control, I like and use tailscale the best. The advantage of tailscale is that Immich remains on a private network, not directly scannable from the internet. If there’s a preauth exploit published and you don’t pay attention to update promptly, scanners WILL exploit your Immich instance with internet-exposed techniques… whereas tailscale allows you to access services that internet scanners cannot connect to, which is a nice safety net.

    Do I need to purchase a domain (randomblahblah.xyz) to use as the main access route from outside my house?

    Not for tailscale, and I don’t think for Cloudflare tunnel. Yes for a VPS proxy.

    I’ve run a VPS for a long while and use multiple techniques for different services.

    • Some services I run directly on the VPS because it’s simple and I want them to be truly publicly accessible.
    • Other services I run on a bigger server at home and proxy through the VPS because although I want them to be publicly accessible, they require more resources than my VPS has available. When I get around to installing Immich, there’s a decent chance it will go into this category.
    • Still other services, I run wherever and attach them to my tailnet. These I access myself on my own devices (or maybe invite a handful of trusted people into my tailnet), but aren’t visible to the public internet. If I decide not to use immich’s shared gallery features (and so don’t need it publicly accessible) or decide I don’t trust it security-wise… it will go here instead of the proxy-by-vps category.
    • fiddlestix@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Thanks a lot. Tailscale is out, unfortunately. Because the server also runs Plex and I need to use it with Chromecast on remote access (it’s an old CC, so can’t add tailscale to it). Looking into Cloudflare and port forwarding. I’ve just signed up to NextDNS though, so don’t want to add another layer of DNS stuff to my mix.

      • PriorProject@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Tailscale is out, unfortunately. Because the server also runs Plex and I need to use it with Chromecast on remote access…

        I rather suspect you already understand this, but for anyone following along… Tailscale can be combined with other networking techniques as well. So one could:

        • Access Plex from a Chromecast on your home network using your physical IP, and on your tailnet using the overlay IP.
        • Or one could have some services exposed publicly and others exposed on the tailnet. So Immich could be on the tailnet while Plex is exposed differently.

        It’s not an all or nothing proposition, but of course the more networking components you have the more complicated everything gets. If one can simplify, it’s often well worth doing so.

        Good luck, however you approach it.

    • Toaster@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      So for something like Jellyfin that you are sharing to multiple people you would suggest a VPS running a reverse proxy instead of using DDNS and port forwarding to expose your home IP?

      What VPS would you recommend? I would prefer to self host, but if that is too large of a security concern I think there is a real argument for a VPS.

      • PriorProject@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        So for something like Jellyfin that you are sharing to multiple people you would suggest a VPS running a reverse proxy instead of using DDNS and port forwarding to expose your home IP?

        I run my Jellyfin on Tailscale and don’t expose it directly to the internet. This limits remote access to my own devices, or the devices of those I’m willing to help install and configure tailscale on. I don’t really trust Jellyfin on the public internet though. It’s both a bit buggy, which doesn’t bode well for security posture… and also a misconfiguration that exposes your content could generate a lot of copyright liability even if it’s all legitimately licensed since you’re not allowed to redistribute it.

        But if you do want it publicly accessible there isn’t a hoge difference between a VPS proxying and a dynamic DNS setup. I have a VPS and like it, but there’s nothing I do with it that couldn’t be done with Cloudflare tunnel or dyndns.

        What VPS would you recommend? I would prefer to self host, but if that is too large of a security concern I think there is a real argument for a VPS.

        I use linode, or what used to be linode before it was acquired by Akamai. Vultr and Digitalocean are probably what I’d look to if I got dissatisfied. There’s a lot of good options available. I don’t see a VPS proxy as a security improvement over Cloudflare tunnel or dyndns though. Tailscale is the security improvement that matters to me, by removing public internet access to a service entirely, while lettinge continue to use it from my devices.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    Plex Brand of media server package
    SSL Secure Sockets Layer, for transparent encryption
    VPS Virtual Private Server (opposed to shared hosting)

    7 acronyms in this thread; the most compressed thread commented on today has 3 acronyms.

    [Thread #86 for this sub, first seen 28th Aug 2023, 12:15] [FAQ] [Full list] [Contact] [Source code]

  • 3PO40K@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I’m still relatively new to NGINX Proxy Manager myself, but I’ll give your questions a shot. It doesn’t matter how (or where) you host your proxy instance, what matters is that the requests can get to it so that it can forward them to the correct resources. So simple answer to question one is no you can host locally.

    If you host it locally you need to make sure that you forward requests that come into your network on to the proxy to be routed correctly. This is where port forwarding comes into play. You’ll need to set your router to take any requests that come in on port 80 or 443 (HTTP and HTTPS) and send those to your proxy.

    As for question two do you need to purchase a domain. You can use a free domain name or you can pay for one that part doesn’t matter. The domain isn’t a technical requirement until you want to start hardening your instances with SSL. To get a cert you’ll need a domain. But if you set up your port forwarding and a proxy you could send a request to some_subdomain.123.456.789.123:80 (your external IP) and the proxy server will take thar request and translate it to the local server mapped to some_subdomain.

    • fiddlestix@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Thanks, I’m going to try the port forwarding part. That seems like the simplest step. NPM looks very useful though.

  • techgearwhips@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Just use Cloudflare Tunnels if you’re opening it up to the Internet.

    Use tailscale if only using your own personal devices.

    Both easy to setup in 5 minutes.

    • u_tamtam@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Why keep giving cloudflare a monopoly of the internet traffic? Isn’t the whole self-hosting movement about breaking out of the tech giants’ shenanigans and promoting a healthy alternative with a decentralized and robust internet?

      • techgearwhips@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I honestly don’t care. I just self host as a way to not be locked into google specifically. So if I ever do decide to switch to something else outside of Cloudflare or Tailscale, I can. By the way, I tried to set up Wireguard and I felt like I had to have a degree in engineering to get it to work. Then I tried wg-easy and that didn’t work. Went to the github and seen it had like 300 issues. I like stuff that just works and I don’t have to spend hours tinkering with.

  • fiddlestix@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    Replying to my own comment to say thanks again for all the tips and advice. I got it all sorted with Tailscale. The final piece of the puzzle!