Okay, I've got a question to anyone who is a more experienced #sysadmin or #selfhoster than me: I'm currently self-hosting Umami as a fun side project for website analytics. I embed a snippet of JS in my personal website, this makes a request to an endpoint of my instance of Umami which therefore needs to be publicly accessible.

Umami also exposes a web interface where I can look at all the statistics and whatnot but since it's the same service, it's also open to the internet. I'd rather not expose the web interface (with a login page) to the internet, if I can avoid it.

Does anyone have an idea of something clever that I can do to mitigate this? I don't have a stable public IP address, so IP allowlisting doesn't seem to be an option.

#askfedi #askmastodon #askgotosocial #askAbsolutelyEveryone

P.S.: If I'm being totally stupid and there's an obvious solution, please don't hesitate to tell me, I'd really like to be wrong here.


@thedoctor with a reverse proxy you could define IP addresses that can access certain web subdirectories.
Though, if you have a dynamic public IP you'd be better off accessing via VPN (e.g. Tailscale, direct WireGuard), as your WireGuard network would have a static IP range (Tailscale I'm unsure about, but with Headscale you'd have a static IP range too).

I'm tempted to say something about old-school port knocking that opens a port based on a secret knock (simplified example, but really 😁).

@paul @thedoctor
100% on both those solutions (revprox and VPN).

It is also possible to set up a SOCKS proxy using OpenSSH (I'm assuming the server has public-facing SSH for management), then define some firewall rules so the login page is only available via the proxy. This would require some browser configuration as well, so you don't pass all your traffic through the SOCKS proxy (best to only use it for the given site, for example).
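Both of the suggestions above (the per-path IP restriction on the reverse proxy, and the SSH SOCKS proxy for the login page) can be expressed in one reverse-proxy config. This is an added example, not something from the thread or from the Umami project. It assumes nginx in front of Umami, Umami bound to 127.0.0.1:3000 only, the tracker script served at /script.js and the collection endpoint at /api/send (Umami's default paths; both are configurable), a VPN range of 10.0.0.0/24 and the hostname analytics.example.org. Instead of host firewall rules, it uses nginx's own allow/deny, which covers the SSH case because a browser tunnelled through `ssh -D` reaches nginx from 127.0.0.1 on the server itself.

```nginx
# Added example: nginx in front of a self-hosted Umami instance.
# Assumptions: Umami listens on 127.0.0.1:3000 only; the snippet on the
# public website loads /script.js and posts beacons to /api/send; the
# VPN (WireGuard / Headscale / Tailscale) hands out 10.0.0.0/24.

upstream umami {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name analytics.example.org;   # assumed hostname
    # ssl_certificate / ssl_certificate_key lines omitted for brevity

    # Public: exactly the two paths the embedded snippet needs, nothing else.
    location = /script.js {
        proxy_pass http://umami;
        proxy_set_header Host $host;
    }
    location = /api/send {
        proxy_pass http://umami;
        proxy_set_header Host $host;
        # Umami derives the visitor address from X-Forwarded-For (assumption:
        # check your Umami version's docs if visitor IPs look wrong).
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Private: the login page, dashboard, static assets and the rest of
    # the API. Only VPN peers and the server's own loopback get through.
    location / {
        allow 10.0.0.0/24;   # assumed VPN range
        allow 127.0.0.1;     # browser tunnelled in via "ssh -D" on this host
        deny  all;

        proxy_pass http://umami;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

For the SSH route, `ssh -D 1080 user@analytics.example.org` on the laptop, then point the browser (a separate profile, or a per-site proxy switcher) at SOCKS5 127.0.0.1:1080 with remote DNS enabled; the dashboard request then arrives at nginx from 127.0.0.1 and matches the second `allow`. Two things to check: `curl -I https://analytics.example.org/login` from outside should return 403 while `/script.js` returns 200, and Umami must really be bound to loopback (a Docker port mapping of `3000:3000` publishes it on every interface and bypasses nginx entirely; use `127.0.0.1:3000:3000`).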

@paul @thedoctor
Side note: nothing wrong with Tailscale/Headscale, but there is also NetBird. It's a personal preference on my part, but don't see it mentioned as much as Tailscale so just want to mention it. :)
@kln @paul Looks interesting but apparently the Android app isn't good.

@thedoctor yeah, it does look interesting, same sort of alternative like zerotier.

Any idea if there's a self-hosted version, @kln ? That's why I like headscale - I can run the tail[head]net

Or, just standalone wireguard is stupidly simple with no overheads

I love options!

@thedoctor @kln don't worry, just found the self-hosted bit on the website. will take a looky
@paul @kln The self-hosted version seems on par with the cloud one and it's actually open source. I might try it out myself.

@thedoctor @kln
Not sure about it myself, Docker-first development (ew), and if you want to run without Docker there's a bunch of interacting daemons you need to run that make assumptions on how the others operate.

Not that I'm against multiple services interacting, but this feels a bit messy in its current state.
Headscale - one binary, one job, does it well.

@paul @kln I don't mind Docker but I see the point. On the other hand, Headscale seems more like a second-class citizen in the Tailscale world which worries me a bit. I mean it's not developed by the Tailscale people, IIRC.

@thedoctor @kln no it isn't developed by them, although one Tailscale dev does contribute. But you're right, Tailscale could interrupt it at any time... though, technically NetBird or ZeroTier could do the same for their self-hosted services too. It's a tough world.

But I'd still say a standalone wireguard service, or a bunch of them, is still the most robust option. no reliance on anything other than the server you're connecting to being online.

@paul @kln True, but I don't feel up to managing all the legwork myself. There are a whole lot of niceties that come with these services that I wouldn't know how to achieve myself. And even if I did, it'd probably be much more brittle.

@thedoctor @paul

NetBird does have an issue with Android - there is a workaround but yea... It's one thing that makes me sad about it. Still, it's open source, which gives me hope that if it does go bad, we will just get an LXD/Incus situation, not RHEL/CentOS. If that makes sense.

WireGuard and a VPS isn't too much work, but by the sound of it you should go with just Tailscale or NetBird free tiers. Then it is all largely managed for you, you just set up devices/access policies ;)

@kln @paul

WireGuard and a VPS isn't too much work, but by the sound of it you should go with just Tailscale or NetBird free tiers. Then it is all largely managed for you, you just set up devices/access policies ;)

Exactly. It would surely be a nice exercise and I'd learn a lot, but I'm not comfortable with such an endeavor at the moment because I rely too much on this and wouldn't have the time for troubleshooting. And I'm sure I'd need to troubleshoot.

@thedoctor @paul absolutely, nothing is perfect and time is limited, so focus on what you want/need to learn and find solutions that work for the ready.

Good luck.