I have a self hosted server running yunohost that I use for a few services for my own use all of which require login to use so they’re safe enough.

However I’m increasingly uncomfortable with the fact that anyone can discover my home IP via my domain name. Especially if I decided to install something like Lemmy or Mastodon.

Yunohost installs dyndns as part of it’s setup but, aside from buying a fixed IP from a VPN provider that allows incoming connections I’m not sure what other options I have

I can’t change very much on the modem router either. I can forward ports but that’s about it.

I can add and manage new domains if necessary.

Any and all ideas welcome but, as you can guess from the fact I’m using yunohost, my networking knowledge is limited so please eli5 :)

  • lambchop@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    Google cloudflared tunnels, zeroteir and tailscale. They all solve this exact problem, I’ve been using cloudflared tunnels to host without exposing my ip for while now, it’s relatively easy for https services.

    Edit: also just because services require login, doesn’t necessarily make them secure if their implementation is terrible. It’s best practise to use a reverse proxy like nginx which specialises in having not shit security for authentication, and proxy your services behind it.

    • SpaceCadet2000@kbin.social
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      It’s best practise to use a reverse proxy like nginx … for authentication

      What kind of authentication are you using for nginx? Just basic http authentication with a .htpasswd file?

      That’s what I’m using right now, but I’ve found that not all services play nice with it.

      • lps2@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        I moved on to Authetik to handle auth and all but one or two of my services is able to work either using SAML, OIDC, LDAP, header keys, or basic auth. It was a bit to get set up but man does SSO make things convenient in the long-run