Access control for selfhosted services via VPS? (lemmy.sdf.org)

submitted 6 months ago by qjkxbmwvz@lemmy.sdf.org to c/selfhosted@lemmy.world

9 comments fedilink hide all child comments

Looking for advice for self hosted networking.

Question first, details below:

Everything works fine now, but feels...hacky. My question is, what's the best way of dealing with allowing only certain services to be accessible to the world while blocking other services to everything except local (+vpn) clients? Currently, because of my vps port forwarding, all external traffic appears to come from that machine. So, what I have now in my nginx config is to allow traffic from the local & wireguard subnets, except for traffic from the vps itself.

So: looking for advice on how to better manage access, but of course, if anyone has other improvements/suggestions, I'm all ears.

My current setup is:

Machines:

VPS (vps) with public IP.
Home router (router) with no public IP or open ports.
Home server (srv-home).
Remote server (srv-remote), located with family.

Network structure, ignoring vlans and whatnot, is:

vps <--wireguard--> router
vps <--wireguard--> srv-remote
router <--ethernet--> srv-home

srv-remote and srv-home can communicate through vps+router.

Services & structure, broadly speaking:

vps port forwards http/s to router, which port forwards to srv-home (can optionally have it port forward directly to srv-home, doesn't really matter to me).

srv-home handles SSL, both for services on srv-home and srv-remote. This allows me to a) manage certificates locally in one place (not on vps), and b) use local DNS on my router to bypass vps for locally hosted services. Works great.

srv-home and srv-remote both host some services which I would like to be publically accessible and some that I would like to remain private.

vps also acts as my roadwarrior vpn, on the same wireguard interface that's used for the vps<-->router link. One solution would be to just have separate wireguard interfaces (or maybe just separate address spaces?) for the vps<-->router and vps<-->[roadwarrior] links? Another would be to get the vps portforwarding set up in a way that doesn't lose originating IP address, but so far I have been unsuccessful there.

Thanks in advance for any insight!

top 9 comments

sorted by: hot top controversial new old

[-] mhzawadi@lemmy.horwood.cloud 6 points 6 months ago

I would move the SSL to your VPS, make that your nginx entry point.

Then use virtual servers in nginx to listen on the wiregiard nic for local stuff and it's public IP for internet accessible stuff, you could also add in some Auth service for things without MFA.

[-] qjkxbmwvz@lemmy.sdf.org 1 points 6 months ago

So in order to access from local network (useful for e.g. photo uploading as it is way faster) would you just handle SSL locally too? So, SSL on VPS+SSL on local server (with only one being used per client of course)?

[-] mhzawadi@lemmy.horwood.cloud 1 points 6 months ago

You could, that would keep home stuff at home

[-] SeeJayEmm@lemmy.procrastinati.org 2 points 6 months ago

What I do is have NGINX proxy manager running in the VPS with ACLs defined there and then forwarding traffic over the WG tunnel.

Alternatively you could treat the vps like a full VPN endpoint. Route all traffic over the tunnel and nat/masquerade on the vps.

Having done both. Option 1 is cleaner and you're not routing unnecessary traffic over what is likely a metered link.

[-] qjkxbmwvz@lemmy.sdf.org 1 points 6 months ago

Thanks! So, for local (not VPN) traffic I like to access the local IP for bandwidth reasons

would you then just set up SSL on both the local server and the VPS?

[-] SeeJayEmm@lemmy.procrastinati.org 1 points 6 months ago

Yeah. I have a couple of those. I'll admit it's a little bit of a hassle but if you're using something like let's encrypt you could have a Cron job sync the cert.

[-] rammer@sopuli.xyz 1 points 6 months ago

Let's Encrypt's certbot allows you to setup a script to be run after acquiring the certificate. No cron job needed.

[-] Decronym@lemmy.decronym.xyz 1 points 6 months ago* (last edited 6 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
HTTP	Hypertext Transfer Protocol, the Web
IP	Internet Protocol
SSL	Secure Sockets Layer, for transparent encryption
VPN	Virtual Private Network
VPS	Virtual Private Server (opposed to shared hosting)
nginx	Popular HTTP server

[Thread #372 for this sub, first seen 25th Dec 2023, 04:55] [FAQ] [Full list] [Contact] [Source code]

[-] tagginator@utter.online -1 points 6 months ago

New Lemmy Post: Access control for selfhosted services via VPS? (https://lemmy.world/post/9932375)
Tagging: #SelfHosted

(Replying in the OP of this thread (NOT THIS BOT!) will appear as a comment in the lemmy discussion.)

I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md

this post was submitted on 24 Dec 2023

27 points (100.0% liked)

Selfhosted

37779 readers

551 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz