“Technically” my jellyfin is exposed to the internet however, I have Fail2Ban setup blocking every public IP and only whitelisting IP’s that I’ve verified.

I use GeoBlock for the services I want exposed to the internet however, I should also setup Authelia or something along those lines for further verification.

Reverse proxy is Traefik.

If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the docker run command, once you get comfortable with the command structure you can move into Docker Compose which makes handling multiple containers easy using .yml files.

Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which let you put an domain behind the IP, ssl certificates and offer plugins that give you more control on how requests are handled.

There really is no “guide for dummies” here, you’ve got to rely on the documentation provided by these services.

Me: Siri turn lights on

Siri: Now playing Bon Jovi’s “Wanted dead or alive”

Me: Siri shut the fuck up, you have one job, do that job

If you don’t mind DM’ing me or dropping it in a comment here it would be greatly appreciated! The docker engine isn’t something entirely new to me so i’m a bit skeptical into thinking that i missed something but always happy to compare with others, actually Docker is what pushed me to switch fully to Linux on my personal computers.

Snippet from my docker-compose.yml:

  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    networks:
      main:
        ipv4_address: 172.18.0.25
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "127.0.0.1:67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "127.0.0.1:85:80/tcp"
      - "127.0.0.1:7643:443"
    environment:
      TZ: 'America/Vancouver'
      FTLCONF_webserver_api_password: 'insert-password-here'
      FTLCONF_dns_listeningMode: 'all'
    # Volumes store your data between container upgrades
    volumes:
      - './config/pihole/etc-pihole:/etc/pihole'
      - './config/pihole/etc-dnsmasq.d:/etc/dnsmasq.d'
      - '/etc/hosts:/etc/hosts:ro'
  #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
      - CAP_SYS_TIME
      - CAP_SYS_NICE
      - CAP_CHOWN
      - CAP_NET_BIND_SERVICE
      - CAP_NET_RAW
      - CAP_NET_ADMIN
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.rule=Host(`pihole.my.domain`)"
      - "traefik.http.routers.pihole.entrypoints=https"
      - "traefik.http.routers.pihole.tls=true"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"
      - "traefik.http.routers.pihole.middlewares=fail2ban@file"
 unbound:
   image: alpinelinux/unbound
   container_name: unbound
   hostname: unbound
    networks:
      main:
        ipv4_address: 172.18.0.26
   ports:
     - "127.0.0.1:5334:5335"
   volumes:
     - ./config/unbound/:/var/lib/unbound/
     - ./config/unbound/unbound.conf:/etc/unbound/unbound.conf
     - ./config/unbound/unbound.conf.d/:/etc/unbound/unbound.conf.d/
     - ./config/unbound/log/unbound.log:/var/log/unbound/unbound.log
   restart: unless-stopped

Edit: After re-reading the Unbound github and their documentation it seems i may have missed some volume mounts that are key to the function of Unbound, i’ll definitely have to dive deeper into it.

I got two PiHoles running on my network via Docker Compose, I tried setting up Unbound in Docker-Compose and that fell flat, from my understanding DNSSEC was preventing DNS resolution outright.

Also tried OpenSense + Unbound which led to the same thing.

Eventually got tired of having my network cutting in and out over minor changes so I just stuck with Quad9 for my upstream needs.

Lame……

I owned a three foot metal energy sword for god’s sake.

As someone who works in metal fabrication, thank you for the idea!

Kinda late to the conversation but always follow the documentation for your distro, if you choose Debian find Debians guide to installing drivers, if you choose Arch follow Arch’s documentation and so on, Nvidia themselves supply .run files for Linux drivers however some distro’s don’t work with these so just be careful.

I learned this the hard way when I used Nvidia’s .run files and wondered why games kept stuttering every couple seconds, learned this lesson pretty quick.

Interesting that you chose Reddit as an example.

I was in a rush! Honestly it was the quickest thing I could come up with on the spot, plus database tools are something I lack a lot of knowledge about so I really couldn’t go in depth even if I wanted to.

Appreciate the history behind Reddit’s database!

Postgres, SQLite, etc are tools for database management, things like user data, application data and so on are collected here.

Edit: the DB_PASS=“postgres” is the default password when setting up a Postgres database.

Take Reddit’s Karma system or Upvotes/Downvotes for example, they’re stored in a database and however Reddit wants to utilize that data Postgres makes it easy to call upon it.

I’m sure others can give more detailed responses, I’m typing this out in a rush.

The Matrix.org Foundation is a non-profit and only relies on donations to operate. Its core mission is to maintain the Matrix Specification, but it does much more than that.

Non-profit… only relies on donations…

This was taken quite literally at the bottom of that article.

The Docker Engine makes hosting applications over your network easy, if you have spare hardware I highly recommend setting up your own server.

I would disagree, you’re still directly communicating with YouTube servers without a proxy in-between. Invidious or Piped are the proxies you need, they let you blend in with the other users of their services making data-collection on YouTube’s part difficult.

We need to make feeding the algorithm as difficult as possible.

I spent 25 years on this planet without the need for an actual Ai, I’ve used Siri when she was dumb to make quick phone calls or to turn lights off but other than that I really don’t need to know the last digit to Pi.

I may not know much about software development & programming itself however, I feel like I did my part here.

+1 for Linux folks.

Depends on how many sites comply, most will likely block Belgian IP’s due to this.

Once again, thank you for your insight! It truly does help a lot.

Today I learned the VPN routing is the cause of my issues, I opted to expose my homelab to WAN and tried to connect over LTE/5G and was surprised to see it actually resolve!

I also learned Fail2Ban has failed me in this regard.

Unfortunately this now throws a wrench in my plans In regard to security so now I’m debating on getting another piece of hardware and labelling one as “front end” and the other as “back end” so that the “back end” doesn’t share the same public IP as the “front end”.

This has ignited a spark to rework my homelab!

So glad my router supports WireGuard/OVPN server hosting, doing it this way also relieves resources off your homelab and for whatever reason your homelab shuts off or loses network access you can at least rely on your router to re-establish the VPN server without further intervention.

While i appreciate the detailed response here i did make another comment letting OP know i’m in a similiar situation as them, i use Docker Engine & Docker Compose for my self-hosting needs on a 13th Gen Asus Nuc (i7 model) running Proxmox with a Debian 12 VM. My reverse proxy is traefik and i am able to receive SSL certificates on port :80/:443 (also have Fail2Ban setup) however, i can’t for the life of me figure out how to expose my containers to the internet.

On my iPhone over LTE/5G trying my domain leads to an “NSURLErrorDomain” and my research of this error doesn’t give me much clarity. Edit appears to be a 503 error.

services:
  homepage:
    image: ghcr.io/gethomepage/homepage
    hostname: homepage
    container_name: homepage
    networks:
      - main
    environment:
      PUID: 0 # optional, your user id
      PGID: 0 # optional, your group id
      HOMEPAGE_ALLOWED_HOSTS: my.domain,*
    ports:
      - '127.0.0.1:3000:3000'
    volumes:
      - ./config/homepage:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock #:ro # optional, for docker integrations
      - /home/user/Pictures:/app/public/icons
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.rule=Host(`my.domain`)"
      - "traefik.http.routers.homepage.entrypoints=https"
      - "traefik.http.routers.homepage.tls=true"
      - "traefik.http.services.homepage.loadbalancer.server.port=3000"
      - "traefik.http.routers.homepage.middlewares=fail2ban@file"
      # - "traefik.http.routers.homepage.tls.certresolver=cloudflare"
      #- "traefik.http.services.homepage.loadbalancer.server.port=3000"
      #- "traefik.http.middlewares.homepage.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 172.18.0.0/16, 208.118.140.130"
      #- "traefik.http.middlewares.homepage.ipwhitelist.ipstrategy.depth=2"
  traefik:
    image: traefik:v3.2
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - main
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 55262
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 57442
        mode: host
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik/traefik.yml:/traefik.yml:ro
      - ./config/traefik/acme.json:/acme.json
      #- ./config/traefik/config.yml:/config.yml:ro
      - ./config/traefik/custom-yml:/custom
      # - ./config/traefik/homebridge.yml:/homebridge.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.my.domain`)"
      #- "traefik.http.middlewares.traefik-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 208.118.140.130, 172.18.0.0/16"
      #- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`my.domain`)"
      #- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=my.domain"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.my.domain"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=fail2ban@file"

Image of my port-forwarding rules (note; the 3000 internal/external port was me “testing”)

Edit: I should note the Asus Documentation for Port-forwarding mentions this:

2. Port Forwarding only works within the internal network/intranet(LAN) but cannot be accessed from Internet(WAN).

(1) First, make sure that Port Forwarding function is set up properly. You can try not to fill in the [ Internal Port ] and [ Source IP ], please refer to the Step 3.

(2) Please check that the device you need to port forward on the LAN has opened the port. For example, if you want to set up a HTTP server for a device (PC) on your LAN, make sure you have opened HTTP port 80 on that device.

(3) Please note that if the router is using a private WAN IP address (such as connected behind another router/switch/modem with built-in router/Wi-Fi feature), could potentially place the router under a multi-layer NAT network. Port Forwarding will not function properly under such environment.

Private IPv4 network ranges:

Class A: 10.0.0.0 – 10.255.255.255

Class B: 172.16.0.0 – 172.31.255.255

Class C: 192.168.0.0 – 192.168.255.255

CGNAT IP network ranges:

The allocated address block is 100.64.0.0/10, i.e. IP addresses from 100.64.0.0 to 100.127.255.255.

I want to highlight the fact that i may be under a multi-layered NAT, the folks in my household demand the ISP router given that i have PiHole running DNS blocking and my Asus Router routes all outbound connections through a VPN tunnel, besides DDNS obviously which my router also handles, i have to run these routers in bridged-mode so that they share the same WAN IP but, if I am able to receive SSL/TLS certificates from LetsEncrypt on port :80/:443 that means port-forwarding is working as intended right?

I’m in the same boat (sorta)!

Follow up question, did you have trouble exposing port :80 & :443 to the internet? Also are you also using Swarm or Kubernetes?

I have the docker engine setup on a machine along side Traefik (have tried Nginx in the past) primarily using Docker Compose and it works beautifully on LAN however I can’t seem to figure out why I can’t connect over the internet, I’m forced to WireGuard/VPN into my home network to access my site.

No need to provide troubleshooting advice, just curious on your experience.