Please can someone show off how smart and sexy they are by answering these questions. I don't mind if you just link me to a video or guide explaining it (like I'm 5?) instead of typing it out - but please don't just send me stuff that says something like "To forward to ports correctly, simply forward the correct ports - but be sure to reverse-p the goeanity-2.0 exposed server flange via qPack*7_bingb (IMPORTANT put 1=2 in /conf!!!)" - which is what all the help documents read like to me right now.
Here's what I think I know, but I have probably got wrong, and would be delighted if you could not only tell me how wrong I am but what is the right answer instead:
-> I have a raspberry pi 4 running raspbian/debian bookworm, all software up to date.
-> I have installed docker and docker compose. Docker lets you run apps/programs in separate little cages so if they crash or do something insecure they don't crash or expose the whole computer (the Raspberry Pi), the operating system (Raspbian), or the other apps running in other containers. Docker compose allows you to fine-tune the settings of these apps from outside the container by changing a text file. Each docker container, controlled by a compose yml has a port, e.g. Jellyfin's is :8096
-> I can set up and configure Radarr, Sonarr and qBittorrent to download movies, for this I need a VPN. I paid for and installed mullvad (app) but it crashes a lot (for over a minute every 20 seconds), so it looks like I need to configure something like gluetun to do it instead. For this reason I want to stick with mullvad as I paid for it, gluetun is really confusing.
-> However, downloading is only half the battle - assuming I can get a VPN to work without crashing every 20 seconds so it takes less than 5 hours to download a single movie in 1080p(!!!) - I can only watch stuff by plugging an HDMI cable into my raspberrypi and a monitor and using a mouse and keyboard to navigate to the UI and click "play"
-> If I want to watch them on my TV I need to connect something to my TV that talks to the raspberry pi, so I have an NVIDIA Shield with Jellyfin installed on it - but in order for the NVIDIA-Jellyfin to connect to the RaspberryPi-Jellyfin it needs to go through the internet (if this is not the case, how does one point the NVIDIA-Jellyfin at the Raspberry Pi jellyfin?)
-> Because it's going through the internet I need to hide my activities from prying eyes, and because it's on the internet it will have a web address (I bought the cheapest domain for a few bucks on namecheap), so a proxy and reverse proxy are necessary to hide my activity on my end (proxy) and the activity on the internet (reverse proxy) from said prying eyes while allowing me to watch my stuff in peace.
-> I can set up my domain to point to Jellyfin, this means I configure mysubdomain.mydomain.com to point to Cloudflare on the internet. Then I set up Cloudflare to point to NGINX on my raspberry pi. But I really don't know what this entails or how to do it. I changed my nameservers to Cloudflare's on namecheap and that's where I stopped because I didn't understand any further.
-> So, in practical terms, I'm on my sofa and I want to watch a movie in my Jellyfin on my raspberry pi, I open the NVIDIA Shield, I open the jellyfin app and I tell the jellyfin app to go to mysubdomain.mydomain.com.
-> I think I'm correct in saying that mysubdomain.mydomain.com is actually an IP address and a public port, so something like 123.456.7.8:443, then Cloudflare - which is the reverse proxy - gets involved (somehow? how?) to say "ah, 123.456.7.8:443, you obviously want to go to funkless.raspberry.pi:NGINX (or rather something like 987.654.3.2:443)" and then NGINX - which is the proxy-proxy, not a reverse-proxy - goes (somehow? how?) "ah, 987.654.3.2:443, you obviously want to go to 987.654.3.2:8096 which is jellyfin".
-> At some point in that last step SSL certificate(s?) need to be issued and used on Cloudflare and/or NGINX - but I don't know how or why - and/or a public and private key.
Here's where the questions start:
- First of all, is that all correct or have I misunderstood something?
- How does mysubdomain.mydomain.com know it's me and not some random or bot?
- How do I tell Cloudflare to switch from web:443 to local:443 (assuming I've understood this correctly)?
- Is this step "port forwarding" or "opening ports" or "exposing ports" or either or both? (I don't understand these terms)
- If my browser when accessing mysubdomain.mydomain.com is always going to port 80/443, does it need to be told it's going to talk to cloudflare - if so how? - and does cloudflare need to be told it's going to talk to NGINX on my local machine - if so how?
- How do I tell NGINX to switch from local:443 to local:8096 (assuming I've understood this correctly)?
- Is there a difference between an SSL cert and a public and private key - are they three things, two things or one thing?
- Doesn't a VPN add an extra step of fuckery to this and how do I tell the VPN to allow all this traffic switching without blocking it and without showing the world what I'm doing?
- Gluetun just looks like a text document to me (compose.yml) - how do I know it's actually protecting me?
- From https://nginxproxymanager.com/ : "Add port forwarding for port 80 and 443 to the server hosting this project." I assume this means to tell NGINX that traffic is coming in on port 80 and 443 and it should take that traffic and send it to 8096 (Jellyfin) and 5000 (ombi) - but how?
- Also from that site: "Configure your domain name details to point to your home, either with a static ip or a service like DuckDNS or Amazon Route53" - I assume this is what Cloudflare is for instead of Duck or Amazon? I also assume it means "tell Cloudflare to take traffic on port 80 and 443 and send it to NGINX's 80 and 443 as per the previous bullet" - but how?
If your reaction is "Asking how to set up port forwarding from Cloudflare to NGINX is a cowardly question - just figure it out!" Please could you at least link me to something that will help me figure it out if all those words just look like gibberish to me?
Thank you so much for your help and time in advance.
Look, this is a large puzzle you're trying to solve all at once. I'll try to answer at least some of it. I'd advise you take these things step by step. DM me if you need some more help, I may have time to help you figure things out.
Check the error logs and see what's wrong with it instead. How is it crashing? Did you check stdout and stderr (use docker attach or check the compose logs)?

Technically not. You can use the Jellyfin web UI to stream directly from the RPi. You may need the shield if the RPi does not have enough resources for streaming, but I'd try it out first. Try to get the IP the Raspberry is listening on on your local network and put that in a web browser on a computer first. If you get the web UI and can watch stuff, then try a web browser on your TV, or cast your computer to the TV or something. As long as you have a web browser you should be fine.
You should look a bit into how the internet, DNS and IP addresses work on the public internet and private networks. You can absolutely set it up so that traffic from your local network hitting your domain never leaves your home, while if you try the same from somewhere else, you get an encrypted connection to your home. You're a bit all over the place with these terms so it's hard to give you a straight answer.
If the question is how the domain routes to your IP, look up how DNS works. If you are asking how to make sure you can access your domain while others can't, look up the topic of authentication (basically anything from a username/password to a VPN and network rules).
If I remember correctly, Cloudflare forwards HTTP/S traffic only, so don't worry about the ports, that's all it will do. About the domains, you need to have a fixed public IP address for that, and you have to give it to Cloudflare by setting a DNS A record for an IPv4 address and/or an AAAA record for an IPv6 address.
So something like this:
A myhost.mydomain.com 123.234.312.45
Nope. Port forwarding is making sure that your router knows what machine should answer when something on the Internet comes knocking. So if the RPi port 8096 is "forwarded" to the router, then if something from the internet connects to the router's 8096 port, it will get to your RPi instead of something else. Opening ports has to deal with firewalls. Firewalls drop all connections on all ports that are not open, for security reasons. By opening a port you are telling the firewall what entities outside your device can connect to a service like Jellyfin listening on that port. Exposing ports is Docker terminology, it is the same as port forwarding except instead of "moving" a port from your machine to your router you "move" a port from a container to your machine.
The DNS server you are hosting the domain from will propagate that info through the DNS network. Look up how DNS works for more info. If your domain is managed by Cloudflare, it should "just work". Cloudflare knows it talks to your router by you setting up a DNS record in their UI that points to your router, where your RPi's port should be forwarded, which directs traffic to your RPi, on which your NGINX should be listening and directing traffic to your services.
Look up NGINX virtual servers and config file syntax. You need to configure a virtual server listening on 443 with a proxy_pass block to 8096.

Yes, SSL certs are the "public keys" of an X.509 pair, while what you know as "public and private keys" are RSA or ED25519 key pairs. The former is usually used to make sure that the server you are accessing is indeed who it claims to be and not a fake copy, it's what drives HTTPS and the little lock icon in your browser. RSA or ED25519 keys are used for authentication as in instead of a username and password, you give a public key to a service, then you can use a private key to encrypt a message to auth yourself. One service you might know that uses it is SSH.
A VPN like Mullvad is used for your outgoing traffic. All traffic is encrypted, the reason you want a VPN is not so that others can't see your messages, it's so that your ISP and the other people forwarding your messages don't know who you're talking to (they'll only know you're talking to your VPN), and so that the people you're talking to don't know who you are (they are talking to your VPN). You need this so your ISP doesn't see you going to pirate sites, and so that other pirates, and copyright trolls acting as pirates don't know who you are when you talk to them and exchange files using torrents.
I don't know shit about Gluetun, sorry.
Again, look up virtual servers in NGINX configuration. You need a virtual server listening on 80 and 443 proxying traffic to 8096 and 5000, separating on hostnames I guess.
Add a DNS A record.
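As an added example (not from the original post or the reply above), this is what the NGINX part of that answer looks like written out: one virtual server per hostname, both listening on 443, with proxy_pass to Jellyfin on 8096 and Ombi on 5000, plus the port 80 redirect and a catch-all that refuses anything not addressed to one of your names. The hostnames jellyfin.mydomain.com and ombi.mydomain.com, the certificate paths, and the assumption that NGINX runs on the Pi itself (not in a container) while the Jellyfin and Ombi containers publish 8096 and 5000 on the host via their compose "ports:" entries are all my placeholders, not something the thread states.

```nginx
# Added example config, not from the thread. Assumes NGINX runs directly on
# the Pi and the Jellyfin/Ombi containers publish 8096 and 5000 on the host
# (compose "ports:" mappings). Hostnames and cert paths are placeholders.

# Catch-all: requests that arrive without one of our hostnames (e.g. scanners
# hitting the bare public IP) get the connection closed, not a service.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;   # nginx >= 1.19.4; no certificate needed here
}

# Plain HTTP for the real names: just send the client to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name jellyfin.mydomain.com ombi.mydomain.com;
    return 301 https://$host$request_uri;
}

# Jellyfin: https://jellyfin.mydomain.com -> 127.0.0.1:8096
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name jellyfin.mydomain.com;

    # The certificate is the public half (what the client verifies); the key
    # is the private half and must stay on this machine, readable only by root.
    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Jellyfin uses WebSockets for live updates; allow the upgrade.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

# Ombi: https://ombi.mydomain.com -> 127.0.0.1:5000
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ombi.mydomain.com;

    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

Drop this under /etc/nginx/sites-available/, symlink it into sites-enabled, run nginx -t, then systemctl reload nginx. Two things worth checking against the terminology in the reply above: the router forwards only 80 and 443 to the Pi (not 8096 or 5000), and in the compose files you can publish the container ports as "127.0.0.1:8096:8096" and "127.0.0.1:5000:5000" so that only NGINX on the Pi can reach Jellyfin and Ombi directly and nothing on your LAN or the internet can skip the proxy. Which certificate NGINX needs depends on Cloudflare: with the record set to "DNS only" the client connects straight to NGINX, so the certificate must be one the client trusts (Let's Encrypt, as the paths assume); with Cloudflare's proxy switched on, the client's TLS session ends at Cloudflare and the certificate NGINX presents only has to satisfy Cloudflare's connection to your Pi.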
thank you so much for this considered reply. I'm just stepping out now, but will check in later to go through this in depth
"Crash" is the wrong word. The app is running, it says "Connected" for about 15-20 seconds, then it says "Internet blocked" for about 20 seconds, then it says "Reconnecting" for 30-90 seconds, repeat indefinitely.
Using the CLI for logging, it says something along the lines of "Timeout... Hyper time out"
Do you have any recommendations on how to learn this?
Also, thank you for explaining that "configuring a domain name" is adding an A record. I've added TXT records and similar for Google analytics and I've added mail records to set up my own domain's email before - but this is helpful, thanks.