Keep stuff that’s not designed to be exposed to the internet on your LAN behind your router’s firewall.
Use a VPN to access your LAN remotely. Tailscale is the easiest way to do this, but I found it not too hard to set up WireGuard.
My baseline is a public VPS with Pangolin/CrowdSec installed. I have authentik as a login system. Pangolin lets me put authentik in front of any service so they have to log in before they hit the service in question. Helps give a bit of peace of mind with the services which themselves might not be security focused. Also, these Pangolin routes are able to block anything outside my country by rules, so that trims a good portion of attacks as well.
Some things don't like that authentik layer in front though. Audiobookshelf's phone app for example can't handle it. For that, I route those domains through Cloudflare tunnels. Their tunnels do a good job blocking lots of attacks, so not having authentik in front is more acceptable.
But then there's Jellyfin that doesn't want to be on Cloudflare tunnels and doesn't want authentik in front. For that, I just have it on my Pangolin side with only CrowdSec helping. Not ideal, but best I can do without making my grandma install a VPN on a Raspberry Pi so her TV can connect or some shit.
And lastly, I have some private services like Forgejo that don't like authentik in front and only I myself care about. I Tailscale to those rather than exposing them sometimes.
Only other thing I think I need to add sometime is some VLAN separations?
I have OIDC set up in both Forgejo and Audiobookshelf with authentik as the provider.
Don't do this
Right now you know enough to be dangerous, and because of that you should not expose things to the internet.
Idk how to understand your post?
I read some comments here and I think the most important thing is to separate the LAN in a proper way.
But still I feel more comfortable if everything is in tailscale network…
Separating LANs doesn't really do much in terms of the wider internet. An adversary would likely be more interested in your internet connection than anything else.
I personally would stick to using a VPN
OP, if you ever decide to go the Cloudflare Tunnels/Zero Trust route, I've got a set of instructions/notes that have helped a handful of people deploy Cloudflare Tunnels/Zero Trust. I'd be more than happy to share them.
Thank you
To mitigate the risks you could put the local server into its own network where it cannot reach anything else in your home.
The absolute easiest way to securely access your server from over the internet would be to use tailscale or similar, but then you'd have to connect to the vpn service whenever you wanted to access those servers from outside your local network.
There is also this feature in tailscale, but I haven’t used it myself because I don’t know enough about the security implications to use it: https://tailscale.com/docs/features/tailscale-funnel
I run my server on the internet, and my security is crowdsec + geo ip block (well, white-list my country's ip but same idea) and authelia.
Using this setup, I barely ever have even bots randomly pinging me, let alone anyone trying to access my NAS.
I was pondering the same for the last couple of days and had some thoughts on how to make it feasible. My research led me so far to 2 prerequisites:
I found pretty good Caddy documentation that covers both, so I think I’ll deploy a secondary Caddy reverse proxy that’ll perform such ops for public facing services.
Of course, I currently have only 1 Caddy instance reverse proxying my internal services; I haven't reached the part on traffic handling when my devices are connected to the "safe network" (aka my home LAN).
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| IoT | Internet of Things for device controllers |
| NAS | Network-Attached Storage |
| NAT | Network Address Translation |
| SSH | Secure Shell for remote terminal access |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
[Thread #323 for this comm, first seen 31st May 2026, 19:10]
Have you considered Cloudflare Tunnels/Zero Trust? When you use Cloudflare Tunnels/Zero Trust, you don't need to fiddle with NAT or open any ports; in fact you don't need any open ports. You just install Cloudflare Tunnels/Zero Trust on your server, connect to your Cloudflare Tunnels/Zero Trust account, and Cloudflare does the rest. To deploy Cloudflare Tunnels/Zero Trust you will need a domain name. Cloudflare will sell you a domain name, but I think most get something cheap from Namecheap or Porkbun. When you have secured a domain name, switch the nameservers to the ones that Cloudflare assigns you. Jacks a doughnut, Bob's your uncle.
ETA: Obviously you'll need port 22 for administration.
Ngl, with how often I just read "Cloudflare Tunnels/Zero Trust" this sounds like an ad.
A shitty ad like Chuck Testa.
I think this is an excellent suggestion. I used Cloudflare tunnels until recently, and it was very effective. However, I stopped because of a minor issue, which I'll mention in case it's a deal breaker for anyone.
Technically, using Cloudflare tunnels for Jellyfin is a ToS violation. You're only allowed to do so if you have an enterprise account, which is quite expensive.
I heard from a "friend of a friend" that everyday users don't need to worry about this. Cloudflare are aware of people using tunnels with Jellyfin and they aren't fussed. The rule is supposedly there to combat large scale piracy.
However, I have heard that Cloudflare does decide to start caring if they can use Jellyfin as an extra excuse to kick anybody involved in other ToS violations.
In all likelihood, this won't be a problem for you. While I used tunnels, they worked perfectly. However, given that you are going to go to the effort of sorting out some level of infrastructure for yourself, it's something to keep in mind.
Technically, using Cloudflare tunnels for Jellyfin is a ToS violation. You’re only allowed to do so if you have an enterprise account, which is quite expensive.
I've heard people say this, and I've heard people say you can't stream music. Tho I do not run the 'arr stack or Jellyfin, I do run Navidrome almost 24/7/365. But it's something to keep in mind.
ETA: I am the sole user
Yeah, but if my server is in the local network, I have a potential threat that someone will access my LAN through the public server.
Well, you could do network segmentation:
Utilize UFW rules. Mine are:
```shell
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
```text
Anywhere                 ALLOW IN    192.168.1.0/24
22                       ALLOW IN    192.168.1.0/24
22 on tailscale0         ALLOW IN    Anywhere
22 (v6) on tailscale0    ALLOW IN    Anywhere (v6)
```
Also:
So now I have SSH capability locally and through Tailscale installed on the server, and this prevents the server from initiating connections to other LAN devices. You can do a lot with UFW and Fail2Ban in conjunction with Cloudflare Tunnels/Zero Trust.
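An added audit script, not from anyone in the thread, that parses `ufw status verbose` output in the layout of the rules quoted above and reports any inbound allow rule that is not limited to the LAN subnet or the Tailscale interface, which is the intent the post describes. The sample status text, the extra 8096/tcp rule, and the default interface and subnet names are constructed or assumed from the post.

```python
"""Flag ufw inbound allow rules reachable from the internet rather than LAN/VPN only."""
import re

# Constructed sample in the layout ufw prints. The first four rules mirror the
# thread's; the last one (a service port open to Anywhere) is the case to catch.
SAMPLE_STATUS = """\
Default: deny (incoming), allow (outgoing), disabled (routed)
To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    192.168.1.0/24
22                         ALLOW IN    192.168.1.0/24
22 on tailscale0           ALLOW IN    Anywhere
22 (v6) on tailscale0      ALLOW IN    Anywhere (v6)
8096/tcp                   ALLOW IN    Anywhere
"""

# Rule line: "<to> <ACTION> <IN|OUT> <from>" (padded or single-spaced); <to> is "<port> [(v6)] [on <iface>]".
RULE_RE = re.compile(r"^(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+"
                     r"(?P<dir>IN|OUT)\s+(?P<src>.+?)\s*$")
TO_RE = re.compile(r"^(?P<port>\S+)(?:\s+\(v6\))?(?:\s+on\s+(?P<iface>\S+))?$")
DEFAULT_RE = re.compile(r"^Default:\s*(\w+)\s*\(incoming\)", re.MULTILINE)


def parse_rules(status_text):
    """Return one dict per rule line: port, iface (or None), action, dir, src."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line.strip())
        to = TO_RE.match(m["to"].strip()) if m else None
        if not to:
            continue  # header, separator and policy lines are not rules
        rules.append({"port": to["port"], "iface": to["iface"], "action": m["action"],
                      "dir": m["dir"], "src": m["src"].replace(" (v6)", "")})
    return rules


def audit(status_text, vpn_ifaces=("tailscale0",), lan_cidrs=("192.168.1.0/24",)):
    """List findings; an empty list means every inbound allow is LAN- or VPN-bound."""
    findings = []
    m = DEFAULT_RE.search(status_text)
    if not m or m.group(1) != "deny":
        findings.append("default incoming policy is not deny")
    for r in parse_rules(status_text):
        if r["action"] not in ("ALLOW", "LIMIT") or r["dir"] != "IN":
            continue  # deny/reject and egress rules are not exposure
        if r["src"] in lan_cidrs or r["iface"] in vpn_ifaces:
            continue  # reachable only from the LAN or over the VPN interface
        findings.append(f"port {r['port']} allowed in from {r['src']} "
                        f"on {r['iface'] or 'any interface'}")
    return findings
```

In real use, feed the output of `sudo ufw status verbose` to `audit()` instead of the sample; the LAN CIDR and VPN interface arguments should match your own setup.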
@Kkk2237pl What are you using for a router? A good up-to-date version of something like OpenWrt, a separate subnet running on a different vnet and firewall zone.
Why the vps?
Deco
@Kkk2237pl I'm no expert so you know, take everything with a grain of salt, but for me I flash all my routers with #openwrt including #tplink stuff... But that gives me everything I need.
You probably do everything with stock firmware though.
Get you a vps and start! Or if you don't want to pay extra money host a tor service. You don't have to open ports for that.
@Kkk2237pl Can I suggest that you start with something simple where as much as possible is templated? I'm like a broken record on this, but I use #yunohost simply because heaps of people are using the same config.