Hi, Mastodon. I'm looking for some help with #selfhosted #homelab stuff; a jumping-off point for me to research from.

I keep hearing that it's a big security no-no to just forward ports to the relevant servers, but I don't really comprehend why; I used to port forward for game servers all the time. Can anyone scare me straight?

1/2

And how would I best get a domain to point to my own stuff safely so that I might have jellyfin.my.domain and matrix.my.domain, etc. for anything I want to host? Tailscale is frequently recommended, but it would be too big of a hurdle for my friend group to get on a server for a Discord replacement, and I understand services like Cloudflare don't want me to use their services to access Jellyfin.

2/2

@ampersandrew @Andrew This is exactly what I run — have for ~10 years now.

Cheap VPS running a reverse tunnel, home server runs Traefik + Docker. No open ports on the home box, it connects out to the VPS, VPS forwards traffic back. Subdomains are just DNS records + Traefik routing rules.

On port forwarding: Exposing Jellyfin/NextCloud means auth endpoints, databases, file systems. One CVE and your whole home network is reachable. With a tunnel, your home IP is never exposed and the attack surface is just the VPS.

For the tunnel piece, rathole and frp are both solid lightweight options — just a binary on each end, config file, done. I'd avoid jumping straight to something like ngrok — it's great software but way more complexity than you need for this, and the free tier has limitations that'll frustrate you for self-hosting.

It's a bit of upfront work but once it's running it's very low maintenance. Happy to answer questions if you go this route.
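Added example, not the poster's own configuration: one way to lay out the tunnel described above, using rathole for the VPS/home tunnel and Traefik's file provider for the per-subdomain routing (the poster uses Docker labels, which carry the same rule). The hostnames vps.example.com and my.domain, the port numbers, and the token/key placeholders are all assumptions.

```toml
# --- /etc/rathole/server.toml, runs on the VPS: `rathole --server server.toml` ---
[server]
bind_addr = "0.0.0.0:2333"          # the only port the tunnel itself needs open on the VPS
default_token = "REPLACE_WITH_LONG_RANDOM_TOKEN"

[server.transport]
type = "noise"                      # encrypt the tunnel; keypair comes from `rathole --genkey`
[server.transport.noise]
local_private_key = "REPLACE_WITH_SERVER_PRIVATE_KEY"

# Public ports the VPS accepts on behalf of the home box
[server.services.https]
bind_addr = "0.0.0.0:443"
[server.services.http]
bind_addr = "0.0.0.0:80"            # only so Traefik can answer ACME HTTP-01 and redirect to 443

# --- /etc/rathole/client.toml, runs on the home server: `rathole --client client.toml` ---
[client]
remote_addr = "vps.example.com:2333"   # home box dials out; nothing is forwarded in
default_token = "REPLACE_WITH_LONG_RANDOM_TOKEN"

[client.transport]
type = "noise"
[client.transport.noise]
remote_public_key = "REPLACE_WITH_SERVER_PUBLIC_KEY"   # pins the VPS identity

# Local side of each service. Traefik binds to loopback only, so a LAN or
# router misconfiguration still exposes nothing from the home box.
[client.services.https]
local_addr = "127.0.0.1:443"
[client.services.http]
local_addr = "127.0.0.1:80"

# --- Traefik dynamic config (file provider) on the home server ---
# One router per subdomain; the DNS records for *.my.domain all point at the VPS IP.
[http.routers.jellyfin]
rule = "Host(`jellyfin.my.domain`)"
entryPoints = ["websecure"]
service = "jellyfin"
[http.routers.jellyfin.tls]
certResolver = "letsencrypt"        # resolver defined in Traefik's static config

[http.services.jellyfin.loadBalancer]
[[http.services.jellyfin.loadBalancer.servers]]
url = "http://jellyfin:8096"        # the Jellyfin container on the Docker network
```

One caveat: the tunnel forwards raw TCP, so Traefik's access logs show the tunnel's loopback address rather than the visitor's IP, which matters for any fail2ban-style rules or rate limiting you put at the home end.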