Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam.
-
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
-
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 7 days old, your post is exempt from this rule as long as you continue to engage in comments.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
Yeah, I have caddy and traefik in front of most of my home-based services, except for a few web UIs like the router's. Pangolin just receives incoming connections and routes them to the correct reverse proxy in the correct VLAN for that service.
I have VLANs to separate services that are more public facing from very private ones that only certain devices should be able to connect to directly. Basically, I have one VLAN for IoT devices that need to connect to the internet often but only certain things should access directly, one for very private things like my NAS, database server, 3D printer, etc, that rarely if ever need access to the internet, one for my personal devices (laptop, desktop, phone, tv) which are behind a pihole for ad blocking, and one guest VLAN for guests, but mostly for my work computer which really likes to snoop.
Pangolin is built on traefik, and does all the reverse proxying I need (X sub-domain goes to Y port on Z home server).
I don't really like the idea of n metroyska reverse proxis, both because conceptually it bothers me, but also because my needs seem simple and doesn't seem like it deserves the extra complexity. The public resource reverse proxy works for everything I have.
I'm looking for a way to configure pangolin, which already routes property, to skip auth when the auth can be provided by the pangolin client.
Yeah get that. I do it because my pangolin is segregated so that if that internet facing layer is penetrated, there's not much else they'll have access to. Similarly, if my WiFi is penetrated, there's just a few devices. And many of my services run on Kubernetes distributed and load balanced across a bunch of cheap devices, so it needs reverse proxying at the ingress anyway. And there are a few other reasons for keeping traffic off of the pangolin server or even the router when it's internal to internal, but still be able to use the single domain name for the service, especially with IPv6 not having static IP addresses quite the same way as IPv4, so not wanting to hard code IP addresses or even port assignments in services that back other services like the database server which originally was just running on the NAS, but switching it over to another system only required changing the internal reverse proxy, not every service that used it. I like abstraction like that.
I may end up doing extra reverse proxies just because complicated configuration is better than complicated use. It kinda feels like there should be a way to do it right in pangolin, it seems like it's right there lol.