I’ve been researching different ways to expose Docker containers to the internet. I have three services I want to expose: Jellyfin, Omnivore (Read-it-later app), and Overseerr.
I’ve come across lots of suggestions, like using Nginx with Cloudflared, but some people mention that streaming media goes against Cloudflared tunnel TOS, and instead recommend Tailscale, or Traefik, or setting up a WireGuard VPN, or using Nginx with a WireGuard VPN.
The amount of conflicting advice has left me confused. So, what would be the best approach to securely expose these containers?
Why would you be using a cloudflare tunnel to stream media? You can do that just fine using any reverse proxy.
Do you actually want to expose the things to “the internet”, or do you just want yourself (and an approved set of other users) to be able to access them from outside of your network?
If it’s the former, you’re going to want to learn about DNS, NAT, exposing ports, firewall settings, and network monitoring.
But if it’s the latter, then I recommend checking out tailscale because that gives you and some friends LAN-like access with a great internal DNS and it works really well.
The thing with tailscale is that its just a VPN connection – from my understanding. Why not just self host your own VPN server?
I’ll just use Tailscale until they fuck it up, which I’m sure they will, eventually. It’s not very hard to rebuild using something else for the 40 or 50 nodes I’m likely to have. I’ve done it before and I’m sure I’ll do it again.
Yes, but No, but. It’s like an always on self discovering VPN. No need to connect and login if you lose connection or change from WiFi to cell to Ethernet, it just figures it out. And as other commentor said it is wireguard. So you can set it up yourself without a 3rd party, just takes a little bit of tech savvy skill and trasfering some public keys between each set of connections. Tailscale just makes it effortless.
Yeah it’s wireguard under the hood iirc, so you probably could put in effort in order to achieve roughly what tailscale does, if you have the knowledge and time involved in doing that. I don’t think there’s any secret sauce that would be impossible to someone to DIY.
I don’t blame people for being skeptical, especially those of us in the Linux, FOSS, and self-hosted world. I was skeptical too, because part of the reason I wanted to self-host was to move away from a dependency on companies, and I’m weary of the mere possibility of tailscale’s eventual capitalist enshittification. But after trying it, I have to admit that it’s been a game changer for me.
For me personally, tailscale is just an easy out-of-the-box solution that works well for what I want it to do (give me encrypted access to my server from anywhere in the world). I’m not so good at networking that I could get anywhere near the level of convenience that tailscale affords me, and I have too many other projects that I want to do before reinventing tailscale for myself. So instead I have a small free tailnet with all of my devices (and a couple other users’ devices), and it has totally changed my relationship with self-hosting and my server.
In my view, It’s a pretty good deal, for now at least.
- Never host anything that is externally accessible
- If you have to, put it behind a VPN (OVPN, Wireguard, IPSec, Tailscale, etc.)
- Certificate based authentication is preferred for VPN tunnels
- Always TLS encrypt your actual endpoints. Private CAs are most secure but a pain in the ass. Let’s Encrypt is very simple to set up in most cases.
Just my 2 cents.
How is a private CA more secure then an offline CA with cross signed intermediate signing subCA?
You’ll have to explain that one to me.
A public CA (Let’s Encrypt, Komodo, GoDaddy, etc) don’t actually sign certificates with their root CA certificate. The root CA creates a subCA (Or signing CA) that actually generates the certificates and the system holding the private keys of the root certificate is shutdown to prevent access but is brought back online every so often to update the revocation list.
You said a private CA is more secure so I am wondering how that is?
Because a private CA allows you to create a certificate and nobody else has the ability to create certificates unless you give them the keys or a signing CA. With Let’s Encrypt, you are trusting every major certificate authority to not create a cert on your domain; coupled with DNS poisoning means you would end up on a legit-looking but counterfeit website of yours.
Nothing is stopping me from making a certificate from my offline CA for your domain.
Even if you don’t trust the certificate the traffic is still encrypted.
Yea that’s the whole trusting trust thing. You can theoretically set up hour browser to only trust your private CA and not trust any of the publicly trusted CAs. Depends on your threat model I suppose.
I just tried tailscale in the last month and it will now be my preferred way to access my services outside of my network.
Is it just you that needs access? VPN like Tailscale or Wireguard is the most secure option then, as it’s not exposing any services to the internet.
Otherwise a reverse proxy in front of things like Traefik or Nginx, make sure things are automatically updated ASAP, and make sure auth is enabled on the services.
Yeah, I feel like exposing ports 80 and 443 towards an up to date nginx/whatever is referred to as a super dangerous thing in this community and also the selfhosted subreddit. Recommending cloudflare is almost the default, which I find a bit sad given many people selfhost to escape the reliance on big monopolist companies.
One can add different layers of security of course, but having nginx with monitoring in it’s own VM without keys to jump to another VM is enough of risk mitigation for me.
Thankyou. Since it’s just my devices (laptop/phone) that need access, I think WireGuard—or possibly Tailscale—seems like the best solution for me.
Tailscale is very easy and handles everything for you but you are relying on their services, so if you want to be 100% self hosted Wireguard is the way to go.
“Secure” and “exposed” are antonyms in this scenario, that’s the nature of the beast. I use Nginx which I have a domain pointing to. Worst case scenario, a hacker brute forces access to my container and mucks around within the confines. As I understand from a WireGuard VPN, there’s an added level of security. You have to use the VPN to get access to your home ports, and then you can access your Docker containers as configured. There’s an added layer of security.
Some things to consider:
- Do you have a target on your back?
- Does your container contain sensitive data?
- If so, does your container have access to external directories?
- Does your project have security options like Geo Blocking, rate limiting, etc?
I’ve been running some local servers for a few years only behind Nginx. So far nothing bad has happened. But that doesn’t mean something bad couldn’t happen later.
Thanks for the info.
Do you have a target on your back?
No.
Does your container contain sensitive data?
No.
If so, does your container have access to external directories?
I have a hard drive mounted to the media folder that Jellyfin can access, and also a config folder. Omnivore/Overseer will probably be similar once I add them. Could this be a problem?
- '/home/${USER}/server/configs/jellyfin:/config' - '/home/${USER}/server/media:/data/media'
Does your project have security options like Geo Blocking, rate limiting, etc?
That is a good idea. Thankyou
What I was referring to is called a Bind Mount, where host directories are exposed to the docker container. You may be fine if it’s an external hard drive. I use bind mounts because they’re easier to back up, but I acknowledge they are less safe.
You may be perfectly fine as you are now. My (and others) suggestions are for added security. As it stands, if there’s no target on your bind, the only bad traffic you’ll get are from bots trying to pick away at your domain and sub domains. Generally they’re not a problem. But being extra safe costs nothing but time.
Slap a good reverse proxy in front of it (nginx I what I use) and set it up with HTTPS using let’s Encrypt. For added layer of security setup also some SSO like Authelia.
Or just go the VPN way but then, that will not be access from internet, only via VPN, only you will be accessing it.
It depends on if you want to access it from anywhere (or give others access), or if you’re only accessing your server from specific devices.
Since I only ever access my server from my phone or my desktop, I use Wireguard via wg-easy. You set it up as a docker container on your server and it gives you a neat web UI (defaults to port 51821) from which to add Wireguard clients. Once connected through Wireguard, you can access your services as if you’re on the server’s local network.
Note, you’ll of course have to open up a port for Wireguard on your router for this to work, the default being 51820.
wg-easy is fabulous! I use it too and I love it
My preference is just Cloudflare with or without nginx. Not sure if you’re using a hypervisor or not but it makes things exceedingly easy and I feel plenty safe enough inside of a Cloudflare tunnel. I stream a lot of data from Jellyfin. All day long, several streams to several people for over a year now with no problems. Last I knew, Cloudflare removed the language about video streaming from their TOS. Not sure if that’s changed but functionality on my end hasn’t.
I am using Unraid but I’ve installed the Cloudflare tunnel in docker containers and TrueNAS without many issues. Takes a bit of copying/pasting to get set up but it’s not terrible and everything is very responsive to make sure you’re doing things correctly.
+1 for cloudflare. But I don’t use their tunnel products, I just expose my ports to only their known IPs. With cloudflare you have a nice “free” waf in front with tls that points to a secure(nginx proxy) or unsecured docker container. Audiobookshelf is a great example. Is best to use their dns product too, for easy management of your public facing sites.
Sorry third post. Trying to summarize.
-
Get external access. Either via port-forward (you lucky American) or via VPS+ssh-tunnel or VPS+wireguard. Stay away from an hard dependency like tailscale and cloudflare (my personal opinion).
-
Setup a reverse proxy with SSL certs via let’s Encrypt (don’t go wildcard, no need to, just add complexity)
That’s the concept, implementation requires clearly extra steps…
See my wiki (https://wiki.gardiol.org/). O describe both the simple and the complex solution. But to be honest, the complex solution is not fully described yet.
Is the reason you advocate avoiding VPN dependencies simply due to downtime if the tailscale service fails? Or is there a particular security vulnerability associated with using VPN subnets?
Mostly not being dependent from a specific vendor, that’s all.
I prefer to use a VPS of my choice that I can replace when I want or need to.
As far as its backed by wireguard its safe enough I guess.
I am leaning towards Wireguard, as I don’t think I’m behind a CGNAT. But, I’ll check out your wiki for more details though. Thankyou
@shimitar’s advice is what I’d go with.
Ideally:
- Set up a Wireguard subnet. Test it thoroughly, including restarting the server a couple of times.
- Close all ports except your Wireguard ports in your server firewall. Do this manually first (not persistent) and test.
- Make the firewall changes permanent.
Then, it kinda doesn’t matter what else you do on the server, although you can fuss around with locking things down more.
Caveats:
- you won’t be able to use LetsEncrypt with this
- accessing your services from an Android phone will be futzy, because Android is too stupid to be able to use more than one VPN at a time. Unless you don’t use a VPN on your phone, in which case it won’t be an issue.
- you’ll only be able to access your server from computers/systems in your Wireguard subnet, so make sure you include multiple devices in the config from which you can ssh
Wireguard is super easy to build VPN networks with, and there are tools (e.g. dsnet) to make it even easier.
-
Maybe something like this https://github.com/fosrl/pangolin
Networking is fun because there are literally infinite potential options. There really isn’t a best option. It’s just what do you prefer. In my case I like to write a docker compose and write a tailscale container into it. I then set the service I want to expose either to my own tailnet or to the internet through funnel or though this other implementation I came up with a while back that I still need to do a write up on. Either way here is a guide i wrote with some docs as reference on my forgejo (git alternative). Docs are kinda a mess but hopefully it makes sense enough to help you out.
I’ve noticed 🥲, which hopefully means there’s no horribly wrong choice. I am leaning towards Tailscale, or maybe WireGuard. Thanks for the docs
I just installed tailscape and it works for my needs. Will read up on your docs. Thx
If you need also external access, because you are behind a CGNAT or in general have no public IP at all, get a VPS and setup some tunneling.
I don’t like tailscale/cloudflare dependency so I have a different solution.
I have documented it all here: https://wiki.gardiol.org/
Depending on your level of paranioia. First, you don’t expose your containers, but their port(s).
With a reverse proxy, you will likely expose only 1 port, 443, no matter how many apps/containers/ports it will be pointing internally. For this, having a proper dns setup will be key, and a service like cloudflare dns (not tunnel), which additionally you can proxy your proxy. Also, you will need certificates (letsencrypt) for your traffic to be encrypted. Here, everybody will potentially have access to your services.
Another option is a zero trust tunnel, but as you had seen streaming may break tos. It will be likely enforced if you stream a lot, but I seriously doubt you’ll get any problem by having sporadic one or two users.
Tailscale, you need to add all the devices you need to access your services into the mesh, and you’ll need to re-authenticate every one again every few months.
Setting up a VPN (selfhosted) will require your devices to sign into it when accessing your services, and it seems to me the best approach as this way you will nave the most control over your setting.
Don’t forget to mention that, for this to work, your ISP should provide you with public IP, because if on CGNAT you will have to go with something like tunnels or tailscale.
For Tailscale you can disable key expiry on select devices.