I have an openwrt router at home which also acts as my home server. It’s running a bunch of services using docker (Jellyfin, Nextcloud, etc.)

I have set up an SSH tunnel between my openwrt router and VPS and can access jellyfin successfully.

I understand that I need to set up a reverse proxy to access multiple services and have https.

But I’m confused if I should set up this reverse proxy on the VPS or on the router itself. Is nginx the easiest option? Should i add subdomains in cloudflare for every service?

Pease don’t recommend vpns since they are all blocked where i live (wireguard, tailscale openVPN, etc.) I’m limited to using ssh tunneling only.

Thanks

  • lemmyvore
    link
    fedilink
    English
    278 months ago

    I should also add something that lots of beginners miss.

    The reverse proxy does not care what the domains that you define in it actually resolve to. It receives the domain name as a HTTP header which is completely at the whim of the client. As long as that domain name matches one of the domains defined in the proxy, it’s all good.

    You can successfully connect to a proxy with a domain name defined in the domain owner’s DNS, or you can make up your own DNS that says whatever you want, or you can define any domain->IP association you want in your hosts file, or you can simply use curl or wget to connect directly to the proxy IP and lie about the domain in the HTTP headers without having it resolve in any DNS.

    This means that yes, the proxy will happily serve your “private” *.local.example.com services to someone connecting from outside your LAN. All they have to do is figure out (or guess) your subdomain names. You need to add IP restrictions in the proxy (default deny from all + lan ip mask explicit exception) if you really want those services to be restricted to the LAN.

    DNS is not security, it’s a public service that maps domains to IPs.

    TLS is only security in the sense it protects the connection en route from eavesdropping, but it doesn’t restrict access.

    • mFatOP
      link
      fedilink
      English
      28 months ago

      Thanks I understand the theory behind this but I can’t get it to work.

      I have a jellyfin.mydomain.com subdomain pointing at my VPS ip. On my home server I have Nginx Proxy Manager listening to 192.168.8.1:8998 (http) and 8999 (https) From my home server I forward port 80 from the VPS to local port 8999 like this:

      ssh -R 80:127.0.0.1:8998 root@vps-ip
      

      Then on npm I define a proxy to localhost:8096 (jellyfin) for any traffic sent to jellyfinn.mydomain.com.

      But I can’t access jellyfin remotely.

      • lemmyvore
        link
        fedilink
        English
        48 months ago

        Check all the steps individually then:

        • check that the ip resolves to the VPS IP at the location you’re testing this
        • set up the tunnel to bypass the proxy (connect it directly to jellyfin)
        • check that jellyfin works directly
        • check the proxy directly, with curl connected to the proxy with the header “Host” set to the domain
        • check that the VPS firewall didn’t block port 80
        • normally you wouldn’t be able to forward port 80 with a normal ssh user but I see you’re logging in as root so it should be working