35
Should i use Cloudflare? (lemmy.moe)
submitted 11 months ago by SmokingKinoko@lemmy.moe to c/selfhosted@lemmy.world
21 comments fedilink hide all child comments

I recently got a Synology NAS and I am trying to setup Emby. I wanna host a media server however, I wanna be able to access the emby location from anywhere and let say my mom access it. Just I wanna keep it secure. Should I use cloudflare?

top 21 comments
sorted by: hot top controversial new old
[-] scrubbles@poptalk.scrubbles.tech 26 points 11 months ago

For your own personal items? It's not really worth it IMO. However if you're hosting something for the public, like a Lemmy server, then absolutely yes you should.

For Emby that is breaking their ToS, and you'll have a big corpo watching your traffic all the time. Just buy a cheap 5-10 dollar domain and get HTTPS up and running and you'll be fine.

[-] SmokingKinoko@lemmy.moe 7 points 11 months ago

I just worried about attacks on my router in case someone gets ahold of the link. Im learning all this security stuff. I actually helped my friend with his lemmy instance and got it running.

I just know next to nothing about security...

Give me something to try and get working I'll pick it up, but I don't even know where to start with this stuff. I read something the other day about using cloudflare to connect to a VPS and then direct that to my nas or something.

I have 2 VPS services and 1 already hosts my jellyfin instance but i was gonna try out emby however, I wanna share my library with family like I share my Jellyfin with them. Just the VPS I run my jellyfin on handles all the security stuff. shrugs

[-] JustEnoughDucks@feddit.nl 8 points 11 months ago

To reduce that, there are a few things you can do.

Option 1:

  • Only open port 443 and run everything through a reverse proxy like traefik. You can open other ports ad you need them (game server for example)

  • Run crowdsec to get rid of 95% of bad actors

  • Whitelist IPs that you know traffic will be coming from and drop everything else

Option 2:

  • wireguard VPN and just VPN into your home network to access your server

Option 3:

  • Run tailscale

  • run fail2ban

[-] scrubbles@poptalk.scrubbles.tech 8 points 11 months ago* (last edited 11 months ago)

Absolutely a fair reason to be nervous. For this just follow the rules of minimum access. Only open the ports you need to open, and make sure they only point to the item you want to expose. That will take care of 99% of use cases. Most hacks you see happening right now with home labs are because someone did something pretty obvious - like exposing their router/firewall UI to the open internet (instead of it only being accessible to the local network), same with their data servers.

If you have a good network you can even restrict which IPs are allowed to connect through those ports, but remember if your mom's IP changes or you're sitting in a hotel then you're essentially blocking yourself out (without a VPN or something).

Finally, and I would save this for a little later, you can move your Emby/external services to an alternate VLAN. VLANs are virtual-lans, they are a block of IPs that have firewall rules in between each of them. So you could do rules like "Internal clients can talk to Emby, but Emby cannot talk to Internal Clients". This can be a daunting thing and will take a lot of trial and error, not to mention probably revamping your entire network - so I'd hold off for now.

[-] cryptix@discuss.tchncs.de 1 points 11 months ago* (last edited 11 months ago)

I wanted to do vlan , but that would mean no more super fast local access

[-] floridaman@lemmy.blahaj.zone 2 points 11 months ago

It's been a while since I've heard anything about this but didn't they change their ToS in regards to media on their network? I thought I read something about that clause getting removed at some point a few months back.

[-] scrubbles@poptalk.scrubbles.tech 1 points 11 months ago

Maybe. Personally it's just another huge corpo that's reading my traffic. There's a dozen other middle men, but no doubt cloudflare wouldn't hesitate to release all of my traffic at a moment's notice.

[-] floridaman@lemmy.blahaj.zone 1 points 11 months ago

That's a fair point, I self host stuff more out of convenience over privacy (although that's still a factor) so I guess I just care less about them watching my traffic I suppose. CF is just so easy with their Argo Tunnels and domain registrar service.

[-] tux7350@lemmy.world 1 points 11 months ago

I believe media hosting is only against their ToS if you try and use the proxy service. In the DNS page you would want to make sure the clouds are not orange. Fair warning though now your IP is exposed to the public.

[-] floridaman@lemmy.blahaj.zone 1 points 11 months ago

I use their tunnels in conjunction with internal split horizon DNS so I don't have to forward any ports and can access things locally faster so I'm probably breaking this rule but I haven't gotten any emails or letters about it yet. Crossing my fingers they don't care lol

[-] Eric_Pollock@lemmy.world 2 points 11 months ago

Can this be done with an ISP that gives you a dynamic IP? I have a domain through Google Domains, I just have no idea how to set it up for Jellyfin

[-] scrubbles@poptalk.scrubbles.tech 2 points 11 months ago

Look into dynamic DNS. It's for your exact case, when your up updates you need to update the DNS host with your new IP. Idk if Google domains does it, I use it with namecheap and then there's an option in offense that will tell namecheap that my IP has changed.

This isn't a "production" worthy option because there can be downtime when your Ip switches, but for us it's perfect.

[-] nutbutter@discuss.tchncs.de 21 points 11 months ago

This might help you understand things a little better. I would advise staying away from Cloudflare if you are self-hosting for privacy.

[-] Tealk@rollenspiel.forum 10 points 11 months ago

Quite clearly NO It is a central office that now answers a large part of the DNS questions; apart from the fact that they so often have failures.

[-] avidamoeba@lemmy.ca 7 points 11 months ago

Tailscale

[-] Decronym@lemmy.decronym.xyz 6 points 11 months ago* (last edited 11 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CF CloudFlare
DNS Domain Name Service/System
HA Home Assistant automation software
~ High Availability
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
SSL Secure Sockets Layer, for transparent encryption
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)

8 acronyms in this thread; the most compressed thread commented on today has 15 acronyms.

[Thread #318 for this sub, first seen 1st Dec 2023, 01:55] [FAQ] [Full list] [Contact] [Source code]

[-] hottari@lemmy.ml 2 points 11 months ago

Skip Emby and look into setting up Jellyfin with Nginx proxy manager. At the end of the day, whatever solution you go with be sure to enable good password security or more advanced security options like 2FA for your exposed Jellyfin service.

[-] retro@infosec.pub 1 points 11 months ago

You're asking on Lemmy, so you're going to get a lot of privacy related answers. For usability, Cloudflare tunnels are a super easy and free way to setup and don't involve your family members having to VPN into your network with Tailscale or Wireguard. This is especially useful if they are streaming from a smart TV or media stick.

Is it the most privacy-friendly? No. You're giving up a little bit of that for convenience and lower maintenance. IMO for my threat model, it's worth it.

[-] vojta637@lemmy.dbzer0.com 1 points 11 months ago

I only use cloudflare for Home Assistant and Bitwarden, just not to have many layers where a problem could happen as those 2 services are critical.

I rent a VPS with Authentik and Wireguard for the rest, like Nextcloud, Emby etc. But it's huge hassle with ssl certificates, especially with Let's encrypt ones.

But honestly I've never used it, except the HA and Bitwarden. When I'm on vacation I just want to experience as much as I can from the location I'm at. And I'm trying to stay away from computers when I'm away. And my family really does not care about Emby. So I'll probably stop it.

And BTW you probably shouldn't pass video streams through cloudflare as it's against their TOS. Although I didn't hear about anyone who has been banned.

If you want simple and no hassle solution, just use Tailscale or ZeroTier.

[-] jelloeater85@lemmy.world -1 points 11 months ago

You can use CF Tunnel so you don't need to expose any ports from your router. They'll also do SSL termination for you as well. You can use their free plan for this AFAIK. You can also run your own SSL proxy as well with HAProxy or Nginx. I'd just use CF, it's easier TBH.

[-] nick_99@sh.itjust.works 12 points 11 months ago

Be aware hosting media thru their proxy is breaking their ToS. Not saying anything will happen, but be mindful.

this post was submitted on 01 Dec 2023
35 points (85.7% liked)

Selfhosted

39677 readers
358 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz