8
Safer to host NPM on a VPS? (lemmy.donmcgin.com)
submitted 1 year ago by ElGringoLoco@lemmy.donmcgin.com to c/selfhosted@lemmy.world
17 comments fedilink hide all child comments

Greetings! I currently host a number of services on an old pc in my basement. I have ports 80 and 443 forwarded and am running Nginx Proxy Manager as well as Authelia to protect most of them. I have set up a lemmy instance that I am using as my main point of access to the fediverse. I guess I have two questions. I am assuming that hiding lemmy behind Authelia would break Federation (although maybe only one way?), is that correct? And secondly, would it be objectively safer for me to pay for a VPS, run Nginx Proxy Manager there and then forward all of the traffic to the services hosted in my basement server using Tailscale? Thanks!

top 17 comments
sorted by: hot top controversial new old
[-] curioushom@lemmy.one 3 points 1 year ago

Not sure about the Lemmy part of the question... but it'll definitely be safer to run nginx on a VPS and then communicate with your basement box over tailscale. That doesn't expose your home ip for your services. The other thing you can look into is using a wildcard cert so the specific services you're ruining aren't enumerated in your DNS, might not be necessary since you have nginx sitting in front.

[-] ElGringoLoco@lemmy.donmcgin.com 1 points 1 year ago

Thank you! I have a followup question if you don't mind. If I host npm on a vps that allows me, say 500GB of data transfer a month, and I am streaming media through a jellyfin instance that I have forwarded through the VPS, will the media I'm streaming count against that transfer amount? This seems like basic information that I should have learned a long time ago.

[-] jackz@lemmyrs.org 3 points 1 year ago

I think that depends on if the VPS charges incoming and outgoing external connections, some only charge outgoing. From VPS to browser would be outgoing, from your home instance to VPS would be incoming.

[-] ElGringoLoco@lemmy.donmcgin.com 1 points 1 year ago

Thank you! It does seem like there are afforadable VPS options that don't limit traffic anyway, so I might as well start there.

[-] d4nm3d@reddthat.com 1 points 1 year ago

Mind sharing which VPs those are?

[-] ElGringoLoco@lemmy.donmcgin.com 1 points 1 year ago

For sure, I think Oracle has unlimited bandwidth even in it's free tier. Ionos is one that I was looking at, fairly cheap but also offers unlimited transfer

[-] d4nm3d@reddthat.com 1 points 1 year ago

Sure.. i already have an oracle free tier that i use for NPM (though switching it to caddy) .. i'd be wary of trusting either of them for long term usage though...

[-] ElGringoLoco@lemmy.donmcgin.com 1 points 1 year ago

I've definitely heard bad things about Oracle deleting people's machines without warning. Unfortunately I don't know anything about Ionos. I may go with Linode, their cheapest VPS at $5/month has a 1TB transfer limit, which I might stay under. But please let me know if you end up finding a decent option from a reliable company!

[-] thorn_staff@lemmy.avata.social 1 points 1 year ago

OVH US has unlimited traffic but limits the bandwidth. I think they start at 100mbps and go over 1gbps depending on which configuration you pick.

[-] curioushom@lemmy.one 1 points 1 year ago

Like the other poster said, the traffic will go through the VPS. But since you mentioned tailscale, why not just connect to your network over tailscale. You could even use DNS to point to your services (nicer names than IPs) but then the clients would connect directly and you wouldn't need to route through VPS.

[-] ElGringoLoco@lemmy.donmcgin.com 3 points 1 year ago

I've definitely thought about it, and I would if it were just me. I share some services with family and I don't want to be responsible for troubleshooting if they accidentally uninstall tailscale or reset their phones

[-] curioushom@lemmy.one 3 points 1 year ago

Yeah worth the reduced headache. Good luck!

[-] cstine@lemmy.uncomfortable.business 1 points 1 year ago

NPM also looks abandoned right now. There’s some security patches that are not being addressed, and certificate renewal is hit or miss due to the age of NPM’s certbot vs the mainline.

If you’re deploying something new, you might want to consider caddy or nginx by itself or some other reverse proxy at this point since it really looks like the dev has vanished and nobody is taking over maintenance yet.

[-] ElGringoLoco@lemmy.donmcgin.com 1 points 1 year ago

Are you sure it's abandoned? The docker page was last updated three days ago and there is activity on the github page. Are they just updating the software without pushing any security fixes? I've definitely not had issues renewing certificates

[-] cstine@lemmy.uncomfortable.business 3 points 1 year ago

There are nearly 1000 open issues and a couple of them are about potential vulnerabilities where the repeated refrain is 'we tried to contact the developer, but there's no response' which makes me... uncomfortable, especially given that NPM was the gatekeeper to a lot of services on my local network.

The cert error is related to outdated python code in the latest shipping version, https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2912 and 2921.

Again, you CAN work around it but the whole radio silence on issues and ongoing issues just makes me uncomfortable with the project and exceedingly reluctant to continue using it because it's unclear what's going on, and why.

[-] ElGringoLoco@lemmy.donmcgin.com 1 points 1 year ago

Thank you for explaining and for the examples, it's definitely time to start learning caddy. I liked npm for the simple gui, but security and reliability are more important

[-] d4nm3d@reddthat.com 2 points 1 year ago

the problems mentioned by @cstine@lemmy.uncomfortable.business are what lead me to try Caddy.. there's no fancy gui but it does "just work" once you figure out the caddyfile..

this post was submitted on 17 Jun 2023
8 points (100.0% liked)

Selfhosted

39212 readers
594 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz