Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.
-
AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
Some I haven't yet found in this thread:
127.0.0.1:8080:8080)I assume #2 is just to keep containers/stacks able to talk to each other without piercing the firewall for ports that aren't to be exposed to the outside? It wouldn't prevent anything if one of the containers on that host were compromised, afaik.
Containers can talk to each other without any ports exposed at all, they just need to be added to the same docker network.
I was getting more at stacks on a host talking, ie: you have a postgres stack with PG and Pgadmin, but want to use it with other stacks or k8s swarm, without exposing the pg port outside the machine. You are controlling other containers from interacting except on the allowed ports, and keeping those port from being available off the host.
You can do that by joining the containers to the same docker network, you don't need to expose ports even to localhost.
I mustn't be communicating well, but that's fine.
It's mostly to allow the reverse proxy on localhost to connect to the container/service, while blocking all other hosts/IPs.
This is especially important when using docker as it messes with iptables and can circumvent firewall like e.g. ufw.
You're right that it doesn't increase security on case of a compromised container. It's just about outside connections.
OK, yah, that's what I was getting at.
Does adding 127.0.0.1 make it so only that server can access it or what? I’ve seen that but not understand
Yes. 127.0.0.0 is the localhost. This is the IP the container is listening on. Even if there was no firewall it wouldn't allow any connection except from the host. If it's set to 0.0.0.0 it means it'll allow connections from any IP (which might not be an issue depending on your setup).
The reverse proxy runs on localhost anyway, so any other IPs have no reason to ever have access.
Thanks for explaining this!