I’ve been researching different ways to expose Docker containers to the internet. I have three services I want to expose: Jellyfin, Omnivore (Read-it-later app), and Overseerr.

I’ve come across lots of suggestions, like using Nginx with Cloudflared, but some people mention that streaming media goes against Cloudflared tunnel TOS, and instead recommend Tailscale, or Traefik, or setting up a WireGuard VPN, or using Nginx with a WireGuard VPN.

The amount of conflicting advice has left me confused. So, what would be the best approach to securely expose these containers?

  • hendrik@palaver.p3x.de
    14 hours ago

    It depends on your exact requirements and your definition of “secure”. Lots of people like software like Tailscale. And it’s relatively secure as it doesn’t expose the services to the public but instead is a VPN. I personally don’t like Cloudflare at all, but that’s also a popular solution to get services exposed to the public internet. What I do is just use Nginx or NginxProxyManager, open up a port in my firewall and be done with it. No extra tunnel providers required and no Cloudflare that could be able to snoop on my connections. It also opens up connections to everyone else, so your software needs to be properly protected with passwords. But yeah, I can see how you get a bazillion different recommendations. I’d say if you prioritize security and it’s just your devices connecting, and they can all install a special client, go for something like Tailscale.