I currently have a server that I use for plex, torrents, kodi, smb, etc. Pretty much everything runs in docker. My router offers a dynamic dns service but I’d like to migrate away from it in case I ever get a different router.
The way it currently works, when I spin up a new service or docker container I go into the router and go to NAT Forwarding -> Virtual Servers and put in the external port and internal IP/Port. I don’t know of any other port forwarding settings on my router.
I’m concerned about the security of my setup because at present I don’t have SSL on any of my services. I also am concerned that this machine is pretty much directly exposed to the internet. What is the best way to migrate this to a more router-neutral config that’s more secure?
Do I use Traefik? Nginx Proxy Manager? Authentik? A different dynamic DNS? Cloudflare tunnels? Getting everything up and running with docker was a challenge when I started but I feel pretty comfortable with it now. This part with the networking and security is what I’m still struggling with. Appreciate your help
I use Nginx Proxy Manager, with a cloudflare managed domain. I create subdomains for each service (service.example.com), and then only have to port forward 443.
The best thing you can do is to document your setup. You may be comfortable now, but if your router/server/whatever explodes in 3 years time, you be starting from scratch. The more doco you have the better. I am using silverbullet, but anything is better than nothing.
So there is the HOSTED solution which is Nginx Proxy Manager, Traefik, Swag, etc. Once setup then you forward the 443/80 ports to that “app” or server address. From there it securely routes traffic to your “hosted applications”. They can use SSL encryption with Lets Encrypt certificates so that your hosted sites are secured. You can add Authelia to setup Security Access so that you dont have to use the built in application security if you dont want to.
Then there is Cloudflare Tunnels and its Zero Trust solution. It is hosted by them but in order to use it you will need to host a container in docker that connects securely to their services. You setup your site with them, then you setup the container to connect to it securely and once connected you can then add you hosted applications to their hosted solution and they will handle the traffic routing from their site back to your hosted application via your container. It is all SSL encrypted and they use their certificates. You can use an existing domain that you might have (free or paid) with NPM, Traefik, SWAG, or other hosted reverse proxy, or you can just purchase a domain from them and use it (fairly cheap). Once setup you can then go into their Zero Trust side and add the Security. It is a little bit of a learning curve to work with but once setup you can be using something your Github Signon as your SSO for all you hosted applications. You can also set it up so that you only have to reauthenticate every XX number of days. You can opt for their WARP client and a token based authentication, however I am not big on peoples clients on all my devices so I setup a known existing supported provider to be my SSO. Google, Github, and many more can be used.
Documentation for using the Reverse Proxys is immense and support on Reddit and the Facebook groups is huge as it is a long used and trusted solution.
Documentation for using the Cloudflare Zero Trust solution is more scarce and harder to find. I recently setup mine up over a weekend and found it to be decently complicated as a Senior Virtualization Engineer and Architect who specializes not just in the virtualized machines and operating systems, but also the virtualized networking and security. The Zero Trust was the part that got me for a bit, but once I got it working it has been a dream to use. I love it way more than I ever did my Nginx Reverse Proxy as it operates and responds a lot faster being hosted by them and not you, although where you put the container could be a bottleneck as your traffic will go in and out of it. Also solves any and all double NAT issues presented if you have home routers behind AT&T routers and other setups.
Great write up, I don’t disagree with you at all. But OP could be streaming and CF could potentially ban him/her right?
Completely true… you should attempt to do streaming over the Cloudflare solution as you will get banned. I would also guess performance might not be great since again the bottleneck is the Cloudflared/Cloudflared container on your network sending and allowing all the data to and from Cloudflare. Fine and dandy for normal work but I would think streaming media and even trying to do something like high end remote video editing is not going to fair well over it unless you give that a lot of good resources and that device itself has a really good network adapter connected to a good switch.
I mean you will still have a bottleneck local hosting and streaming through your reverse proxy anyways since it goes through the SSL encrypted hosted site and if it is Plex it is totally pointless to do other than for hiding purposes like your server is cloud hosted. You are essentially SSL encrypting the SSL encrypted traffic. You might as well add an additional Wireguard VPN around all of it and then attempt to stream something and watch it all buffer and come back and ask everyone for help.
I like traefik because I just add a few lines in my docker compose files and it takes care of all the SSL renewals automatically
Just use caddy on the server. Two lines to activate and done. It’s really that simple.
Do you really want all these services be publicly accessable? Because the more services are publicly accessable the bigfer your attack surface is.
First set up a reverse proxy, a vpn and a local dns like pihole. Only port forward the reverseproxy. And only allow public acess for the public services.
Setup local hostnames for the other services with the local dns.
Only give internal access to these services.
But with the vpn you can get these services from everywhere.
not getting the point why you need every new service exposed to the public. do you really need WAN access to your services? If not, not exposing anything is the way to go. then in case you need anything specific, setup a cloudflare tunnel to it. Also, put every container that may need exposure into a separate bridge network.
Traefik
Tailscale. I had some of the same concerns when I noticed someone else stumble across my stable diffusion external IP/port and generate a few random images… yikes. I’ve since used Tailscale and completely removed all my router forwarding rules. It works seamlessly across devices, and is super easy on the setup. If it’s for personal use only then this option works really well but I can’t comment on if it could work as well for multi-user needs. There are some config options for sharing services I think.