This is a continuation of my other post
I now have homeassistant, immich, and authentik docker containers exposed to the open internet. Homeassistant has built in 2FA and authentik is being used as the authentication for immich which supports 2FA. I went ahead and blocked connections from every country except for my own via cloudlfare (I’m aware this does almost nothing but I feel better about it).
At the moment, if my machine became compromised, I wouldn’t know. How do I monitor these docker containers? What’s a good way to block IPs based on failed login attempts? Is there a tool that could alert me if my machine was compromised? Any recommendations?
EDIT: Oh, and if you have any recommendations for settings I should change in the cloudflare dashboard, that would be great too; there’s a ton of options in there and a lot of them are defaulted to “off”
I’ve half ass thought about this but never have tried to actually self host. If you have access to all devices, why not just use your own self signed certificates to encrypt everything and require the certificate for all connections? Then there is never a way to log in or connect right? The only reason for any authentication is to make it possible to use any connection to dial into your server. So is that a bug or a feature. Maybe I’m missing something fundamental in this abstract concept that someone will tell me?
Sounds like you are describing a VPN. I was using that setup before but small stuff like immich album sharing via a link won’t work properly. Also, having to ensure a vpn is on and connected is a little to much to ask of my partner; they would turn it off and forget about it and then ask why their app wasn’t working :/
I mean more like a self signed TLS certificate with your own host manually set in the browser. Then only make the TLS port available, or something like that. If you have access to both(all) devices, you should be able to fully encrypt by bruit force and without registering the certificate with anyone. That is what I do with AI at home.
I don’t know much about certificates, but doesn’t that just alert the browser that the certificate is not trusted and you can decide if keep going or not?
Sorta, you have to install your certificate authority into the browser and it might complain about verifying that but it will still connect with the encryption.
No no, what I meant is that if I connect to your server without the certificate installed don’t I just get the warning and I can still get through?
Not unless an http port is open too. If the only port is https, you have to have the certificate. Like with my AI stuff it acts like the host is down if I try to connect with http. You have to have the certificate to decrypt anything at all from the host.
If you are just using a self signed server certificate anyone can connect to your services. Many browsers/applications will fail to connect or give a warning but it can be easily bypassed.
Unless you are talking about mutual TLS authentication (aka mTLS or two way ssl). With mutual TLS in addition to the server key+cert you also have a client key+cert for your client. And you setup your web server/reverse proxy to only allow connections from clients that can prove they have that client key.
So in the context of this thread mTLS is a great way to protect your externally exposed services. Mutual TLS should be just as strong of a protection as a VPN, and in fact many VPNs use mutual TLS to authenticate clients (i.e. if you have an OpenVPN file with certs in it instead of a pre-shared key). So they are doing the exact same thing. Why not skip all of the extra VPN steps and setup mTLS directly to your services.
mTLS prevents any web requests from getting through before the client has authenticated, but it can be a little complicated to setup. In reality basic auth at the reverse proxy and a sufficiently strong password is just as good, and is much easier to setup/use.
Here are a couple of relevant links for nginx. Traefik and many other reverse proxies can do the same.
How To Implement Two Way SSL With Nginx
Apply Mutual TLS over kubernetes/nginx ingress controller
Oh, I really didn’t know that. Thanks
oh, my mistake. tbh, I don’t know enough about it but I’m interested. Why set up a TLS cert for AI at home? How is that benefiting you and your setup?
I’ve seen some people set up SSL certs for self hosted services and not make them publicly available but I didn’t get around to seeing why they were doing it
I live with family and have an extra network, but I’m not sure exactly what can leak out of my own and onto theirs. It could be just my paranoia here, but I noticed at night when I am alone in the living room chatting with my AI over my network, the new smart TV has a mechanical relay when it switches from standby to mains power. I never watch TV or connect to the same network as the TV, however the relay was clicking every 15-20 minutes when I was chatting over http. It doesn’t do that when I am on Lemmy or other stuff. So I tried setting up the certs and the TV never clicks. It did click if I used words with the cats or watched Piped video. Now I intentionally speak gibberish to the cats, mostly use headphones, and never hear that relay clicking any more.
Anyways, in my half ass quest to eventually self host some stuff, in abstraction, I only want a setup where I manually transfer my keys and everything is always encrypted between devices with those keys. I never want the functionality of login, key transfers, or anything like that. My phone has a key, my computer has a key, and my server has a key. Breaking one of those keys is the only way into that connection, and those keys are made and shared offline over hardware connections in person. If I was really serious, I would also use the TPM chips for even more secure keys that cannot be accessed even within each device’s OS for the private key.
I think this methodology is less well documented in easy to find searches and sources because it ostracises cloud services as the oddity. Most guides and info assumes you do not have physical access to all devices so you must transfer keys over a public network or assumes you will want to connect from random extra sources or devices. This is what opens you up to other people also connecting. If everything is encrypted with certificates and no one else has those certificates, problem solved, your password is your certificate… As far as I understand it.
Beside the fact that you would like to understand if you’ve done everything properly (that’s good, but I can’t help you here), a VPN on a smartphone can be always active. Mine is always on and I’ve never noticed any battery problem. If you prefer something simpler there’s Tailscale.
If it were only me using the apps, I’d be using a VPN. Over the years, I’ve used OpenVPN, Wireguard, and now Tailscale. In my experience, they work like 99% of the time. That last 1% though is weird connection issues; usually when switching between WiFi and cellular (or vice versa) but sometimes it’s my server or ISP and I have to turn the VPN off and back on to troubleshoot. During those rare times, my partner will either turn off the VPN and forget to turn it back on or they will forget about the VPN completely and not be able to use their phone. Ideally, I’d like to set something up that doesn’t require any potential troubleshooting on their part so I can avoid hearing “why can’t we just use Google photos?” or “what’s wrong with Google home?” 😓
Yes this is the main reason for me. If you’re alone then you don’t care that things occasionally don’t work. Once you have at least one more person or potentially the extended family it’s a whole different story. And then in my opinion a potentially not 100% secured publicly accessible immich instance at home is magnitudes better than having the family just use google photos.
Because like you say, every little hick up from your site is met with “why can’t we just use $bigtech instead, it always works”.