this post was submitted on 02 Apr 2025
123 points (98.4% liked)

Selfhosted

60587 readers
1425 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Inspired by this comment to try to learn what I'm missing.

  • Cloudflare proxy
  • Reverse Proxy
  • Fail2ban
  • Docker containers on their own networks

Another concern I have is does it need to be on a separate machine on a vlan from the rest of the network or is that too much?

you are viewing a single comment's thread
view the rest of the comments
[–] Chewy7324@discuss.tchncs.de 11 points 1 year ago* (last edited 1 year ago) (2 children)

Some I haven't yet found in this thread:

  • rootless podman
  • container port mapping to localhost (e.g. 127.0.0.1:8080:8080)
  • systemd services with many of its sandboxing features (PrivateTmp, ...)
[–] ikidd@lemmy.world 2 points 1 year ago (2 children)

I assume #2 is just to keep containers/stacks able to talk to each other without piercing the firewall for ports that aren't to be exposed to the outside? It wouldn't prevent anything if one of the containers on that host were compromised, afaik.

[–] MangoPenguin@lemmy.blahaj.zone 3 points 1 year ago (1 children)

Containers can talk to each other without any ports exposed at all, they just need to be added to the same docker network.

[–] ikidd@lemmy.world 1 points 1 year ago* (last edited 1 year ago) (1 children)

I was getting more at stacks on a host talking, ie: you have a postgres stack with PG and Pgadmin, but want to use it with other stacks or k8s swarm, without exposing the pg port outside the machine. You are controlling other containers from interacting except on the allowed ports, and keeping those port from being available off the host.

[–] MangoPenguin@lemmy.blahaj.zone 3 points 1 year ago (1 children)

You can do that by joining the containers to the same docker network, you don't need to expose ports even to localhost.

[–] ikidd@lemmy.world 1 points 1 year ago

I mustn't be communicating well, but that's fine.

[–] Chewy7324@discuss.tchncs.de 2 points 1 year ago (1 children)

It's mostly to allow the reverse proxy on localhost to connect to the container/service, while blocking all other hosts/IPs.

This is especially important when using docker as it messes with iptables and can circumvent firewall like e.g. ufw.

You're right that it doesn't increase security on case of a compromised container. It's just about outside connections.

[–] ikidd@lemmy.world 2 points 1 year ago

OK, yah, that's what I was getting at.

[–] ocean@lemmy.selfhostcat.com 2 points 1 year ago (1 children)

Does adding 127.0.0.1 make it so only that server can access it or what? I’ve seen that but not understand

[–] Chewy7324@discuss.tchncs.de 2 points 1 year ago* (last edited 1 year ago) (1 children)

Yes. 127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn't allow any connection except from the host. If it's set to 0.0.0.0 it means it'll allow connections from any IP (which might not be an issue depending on your setup).

The reverse proxy runs on localhost anyway, so any other IPs have no reason to ever have access.

[–] ocean@lemmy.selfhostcat.com 2 points 1 year ago

Yes. 127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn’t allow any connection except from the host. If it’s set to 0.0.0.0 it means it’ll allow connections from any IP (which might not be an issue depending on your setup).

Thanks for explaining this!