A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.
I’m looking into it but I find that starting (or keeping open) Tailscale for music is not the best system.
I’m looking into building a shared Jellyfin library between friends
Synology with Emby (do not use the connect service they offer) running behind my fortinet firewall. DDNS with my own domain name and ssl cert. Open 1 custom port (not 443) for it, and that's it. Geoblock every country but my own, which basically eliminated all random traffic that was hitting hit. I've been running it this way for 5 years now and have no issues to report.
An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)
ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.
And finally, I've got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.
There's also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that's very much optional, especially if your router performs NAT Hairpinning.
This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there's interest.
Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family without having to guide them through/restrict them to a vpn connection.
For my travel devices, I use Tailscale to talk to the server. For raw internet, I use their funnel feature to expose the service over HTTPS. Then just have fail2ban watching the port to make sure no shenanigans or have the entire service offlined until I can check it.
My router has a VPN server built-in. I usually use that.
Use a reverse proxy (caddy or nginx proxy manager) with a subdomain, like myservice.mydomain.com (maybe even configure a subdir too, so …domain.com/guessthis/). Don’t put anything on the main domain / root dir / the IP address.
If you’re still unsure setup Knockd to whitelist only IP addresses that touch certain one or two random ports first.
So security through obscurity :) But good luck for the bots to figure all that out.
VPN is of course the actually secure option, I’d vote for Tailscale.
With wireguard i set up an easy VPN, then vpn to the home network and use jellyfin.
If i cant use vpn, i have Jellyfin behind a caddy server with automatic https and some security settings.
Pangolin with Newt and CrowdSec on a VPS hosted in Europe, domain registered through cloudflare.
Tailscale, with nginx for https.
Very easy, very simple, just works, and i can share my jellyfin server with my friends
I'm using a cheap VPS that connects over Tailscale to my home server. The VPS runs Nginx Proxy Manager, has a firewall and the provider offers DDOS protection and that's it.
@TribblesBestFriend @selfhosted Tailscale. I also use a reverse proxy because I like nice names
I’m using Tailscale right now but so far no luck on my friend AppleTV. But like I said elsewhere it’s probably a operator error
@TribblesBestFriend @selfhosted I don’t use appletv but a workaround could be using airplay maybe?
There’s no dedicated Jellyfin app for AppleTV you have to use Infuse.
I presume that the information from Tailscale wasn’t transfer correctly into Infuse. I’ll have to check it on place
Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don't want them on your network; using a proxy like nginx is the way.
Being new to this I would look into how to set these things up in docker using docker-compose.
Personally I use twingate, free for 5 users and relatively straightforward to set up.
I’m fidgeting with Tailscale right now, only to stream on a AppleTV at a friend house. So far no luck but that’s not me that set up Infuse, so could be an operator error on my friend part
I use LSIO container stack so SWAG for the proxy. They have really good documentation and active discord docs.linuxserver.io
Unifi teleport. A zero configuration VPN to my home network.
I’m fidgeting with Tailscale but I find this solution some what lacking
Tailscale is great for not opening your ports to the internet. Having it playable on a friend's appletv adds some extra complexity. Reverse proxy on a subdomain with something like fail2ban would work, but it does leave you more vulnerable.
for me i just needed a basic system so my family could share so I have it on my pc, then I registered a subdomain and pointed it to my existing ec2 server with apache using a proxy which points to my local ip and port then I opened the jellyfin port on my router
and I have certbot for my domain on ec2 :)
Who are you using for your domain? I was told if I used cloudfair they would ban me for having streaming traffic over their DNS.
You can use cloudflares DNS and not use their WAF (the proxy bit) just fine. I have been for almost a decade.
That would only be if you use their cloudflare tunnel feature
for me I just registered through route 53 its a subdomain of my personal domain.
Nginx in front of it, open ports for https (and ssh), nothing more. Let's encrypt certificate and you're good to go.
I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
fail2ban with endlessh and abuseipdb as actions
Anything that's not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
Cool if I understand only some of things that you have said. So you have a beginner guide I could follow?
Take a look at Nginx Proxy Manager and how to set it up. But you'll need a domain for that. And preferably use a firewall of some sort on your server and only allow said ports.
I’ve look a little on it, didn’t understand most of it. I’m looking for a comprehensive beginner guide before going foward
@TribblesBestFriend domain name, reverse proxy and a static ip address
I’ve read about that. Any useful beginner walktrough to suggest ?
I like traefik for reverse proxy.
Also does ssl certs very smoothly.