[Question] External access for my network

wolfowl@beehaw.org · edit-2 1 year ago

[Question] External access for my network

𝘋𝘪𝘳𝘬 · 1 year ago

I know I can open a port on router (not recommended)

This is basically the only option you have if you want to provide access from external to selfhosted applications. Just forward the desired ports to the machine where the services are running on.

The less entry points you have, the better. You could “bundle” all web-based applications on port 443 and use a reverse proxy to route the traffic to the actual port based on the hostname the access was done on.

So in your router you define that all https traffic (port 443) is forwarded to your server, and on your server there is running a reverse proxy listening on port 443. All of your applications are listening on different ports that are not accessible from external. The reverse proxy then takes the hostname used for access and proxies the traffic to the actual host based on that hostname.

With this you have only one port open on your router and this one port is only forwarded to one single machine. Everything else is handled by that machine.

wolfowl@beehaw.org · 1 year ago

Thanks. I tried setting up reverse proxy through synology and failed miserably. I might try again.

marsara9@lemmy.world · 1 year ago

This doesn’t stop the requirement to open at least one port on your router… but you could just setup a Wireguard server instead of exposing a reverse proxy. This way any attack on your network has to get through Wireguard rather than the reverse proxy and/or any of the services that it’s exposing.

𝘋𝘪𝘳𝘬 · edit-2 1 year ago

Yep. You need at least one forwarded port to at least one “endpoint”.

What exactly that endpoint may be depends on the individual setup. Let it be a Wire guard server, or an reverse proxy, or some VPN server.

In my setup the entry point is a reverse proxy is in a Docker container with exposed port 443 doing all the proxying and certificates to web applications.