Selfhosted

39256 readers

326 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

ruud@lemmy.world

Loki@lemmy.world

CannaVet@lemmy.world

HybridSarcasm@lemmy.world

devve@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Help needed setting up NGINX reverse Proxy / HA / Vaultwarden using Duckdns (lemmy.world)

submitted 8 months ago by Lobotomie@lemmy.world to c/selfhosted@lemmy.world

16 comments fedilink hide all child comments

Hey Guys,

so I still have no clue about most of the stuff im doing hence why I am doing it :)

I have a ubuntu system running all kinds of docker containers and I want to expose homeassistant and vaultwarden to the internet.

Now I have set up a Duckdns account, I have setup my Router (fritzbox) to update the dyndns settings, I have set up my homeassistant the following:

homeassistant:
  internal_url: http://192.168.178.214:8123
  external_url: https://ha.xxxxx.duckdns.org

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.22.0.0/24

Following is my Homeassistant Configuration:

  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /homeassistant/:/config
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    network_mode: host
    privileged: true
    ports:
      - 8123:8123
      - 5683:5683

  nginx-proxy-manager:
    container_name: nginx
    privileged: true
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    environment:
      DB_MYSQL_HOST: "nginx-db"
      DB_MYSQL_PORT: 3306
    volumes:
      - /nginx/data:/data
      - /nginx/letsencrypt:/etc/letsencrypt

  nginx-db:
    container_name: nginx-db
    image: 'jc21/mariadb-aria:latest'
    environment:
    volumes:
      - /nginx/mysql:/var/lib/mysql

  vaultwarden:
    container_name: vaultwarden
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - /vaultwarden:/data/
    ports:
      - 8125:3012
      - 8124:80
    environment:
      - DOMAIN=https://vw.xxxxx.duckdns.org
      - LOGIN_RATELIMIT_MAX_BURST=10
      - LOGIN_RATELIMIT_SECONDS=60
      - ADMIN_RATELIMIT_MAX_BURST=10
      - ADMIN_RATELIMIT_SECONDS=60
      - ADMIN_TOKEN=
      - SENDS_ALLOWED=true
      - EMERGENCY_ACCESS_ALLOWED=true
      - WEB_VAULT_ENABLED=true
      - SIGNUPS_ALLOWED=true

I have forwarded the ports in the router.

I have set up nginx the following:

Issue is when I open the website, it will give me the error that hsts is enabled, even though I definitely did not check this option ( and I never did (today!).

What is the reason for this?

Do I have to set some sort of header?

Same thing with vaultwarden, basically I set this up 1:1 except for the url whichi is vw.xxxxx.duckdns .org.

you are viewing a single comment's thread
view the rest of the comments

[–] MSgtRedFox@infosec.pub 4 points 8 months ago (3 children)

What cert did you put on the proxy answering the inbound? Usually that error means either the browser doesn't like the cert, or it's connecting to 80, and modern browsers really fight you on that sometimes. Also, cache. Clear your cache if you're bouncing between internal URL/IP and the public.

I assume you just want to expose to internet to learn art of reverse. Otherwise there's better ways.

[–] Lobotomie@lemmy.world 1 points 8 months ago (2 children)

Mainly I want to expose it so I can access my stuff remotely. What would you recommend otherwise? Traefik looks alot more difficult to me from the get go but I haven't tried it out yet (because I dont know where to start) Issue is just that I have a basic understanding about docker/ubuntu stuff now (or I know how to manipulate stuff like I want) but basically everything with Web and https is a big black hole for me which I can't seem to grasp yet.

[–] MSgtRedFox@infosec.pub 3 points 8 months ago (1 children)

Yeah, it's a lot. It's a very large field, and you're playing in two or three areas here.

Look at a couple of overlay options. ZeroTier is the one I remember off top of my head. There are others, Google alternatives. These use a coordination server. Some are a hosted service, but there's some that you host yourself. These are supposed to be pretty easy. You watch a couple of videos on these, I bet you're be fine.

Wire guard offers more traditional VPN. You can tunnel your device back to your network. Some routers offer a VPN option. There's open sense, ddwrt, etc. Again, lots of videos.

Since you said you mostly wanted remote access, I strongly suggest not opening services to public and use VPN.

You can still learn reverse proxy too, but just do it internally, even though it wouldn't technically be needed. This will be much safer and learner friendly.

I have ridiculous amounts of services running, but I use gateway router VPN to access most of them.

[–] Lobotomie@lemmy.world 0 points 8 months ago

using a vpn or similar is not really an option as I have famiy members accessing it and I dont want to always connect using a vpn just for example to open my garage or accessing my shopping list. Security wise I just use 2FA so I dont think thats the issue.