Do you actually want to expose the things to “the internet”, or do you just want yourself (and an approved set of other users) to be able to access them from outside of your network?

If it’s the former, you’re going to want to learn about DNS, NAT, exposing ports, firewall settings, and network monitoring.

But if it’s the latter, then I recommend checking out tailscale because that gives you and some friends LAN-like access with a great internal DNS and it works really well.

1. Never host anything that is externally accessible
2. If you have to, put it behind a VPN (OVPN, Wireguard, IPSec, Tailscale, etc.)
3. Certificate based authentication is preferred for VPN tunnels
4. Always TLS encrypt your actual endpoints. Private CAs are most secure but a pain in the ass. Let’s Encrypt is very simple to set up in most cases.

Just my 2 cents.

Sorry third post. Trying to summarize.

1. Get external access. Either via port-forward (you lucky American) or via VPS+ssh-tunnel or VPS+wireguard. Stay away from an hard dependency like tailscale and cloudflare (my personal opinion).

2. Setup a reverse proxy with SSL certs via let’s Encrypt (don’t go wildcard, no need to, just add complexity)

That’s the concept, implementation requires clearly extra steps…

See my wiki (https://wiki.gardiol.org/). O describe both the simple and the complex solution. But to be honest, the complex solution is not fully described yet.

Slap a good reverse proxy in front of it (nginx I what I use) and set it up with HTTPS using let’s Encrypt. For added layer of security setup also some SSO like Authelia.

Or just go the VPN way but then, that will not be access from internet, only via VPN, only you will be accessing it.

Maybe something like this https://github.com/fosrl/pangolin

If you need also external access, because you are behind a CGNAT or in general have no public IP at all, get a VPS and setup some tunneling.

I don’t like tailscale/cloudflare dependency so I have a different solution.

I have documented it all here: https://wiki.gardiol.org/

Is it just you that needs access? VPN like Tailscale or Wireguard is the most secure option then, as it’s not exposing any services to the internet.

Otherwise a reverse proxy in front of things like Traefik or Nginx, make sure things are automatically updated ASAP, and make sure auth is enabled on the services.

It depends on if you want to access it from anywhere (or give others access), or if you’re only accessing your server from specific devices.

Since I only ever access my server from my phone or my desktop, I use Wireguard via wg-easy. You set it up as a docker container on your server and it gives you a neat web UI (defaults to port 51821) from which to add Wireguard clients. Once connected through Wireguard, you can access your services as if you’re on the server’s local network.

Note, you’ll of course have to open up a port for Wireguard on your router for this to work, the default being 51820.

“Secure” and “exposed” are antonyms in this scenario, that’s the nature of the beast. I use Nginx which I have a domain pointing to. Worst case scenario, a hacker brute forces access to my container and mucks around within the confines. As I understand from a WireGuard VPN, there’s an added level of security. You have to use the VPN to get access to your home ports, and then you can access your Docker containers as configured. There’s an added layer of security.

Some things to consider:

• Do you have a target on your back?
• Does your container contain sensitive data?
• If so, does your container have access to external directories?
• Does your project have security options like Geo Blocking, rate limiting, etc?

I’ve been running some local servers for a few years only behind Nginx. So far nothing bad has happened. But that doesn’t mean something bad couldn’t happen later.

My preference is just Cloudflare with or without nginx. Not sure if you’re using a hypervisor or not but it makes things exceedingly easy and I feel plenty safe enough inside of a Cloudflare tunnel. I stream a lot of data from Jellyfin. All day long, several streams to several people for over a year now with no problems. Last I knew, Cloudflare removed the language about video streaming from their TOS. Not sure if that’s changed but functionality on my end hasn’t.

I am using Unraid but I’ve installed the Cloudflare tunnel in docker containers and TrueNAS without many issues. Takes a bit of copying/pasting to get set up but it’s not terrible and everything is very responsive to make sure you’re doing things correctly.

Networking is fun because there are literally infinite potential options. There really isn’t a best option. It’s just what do you prefer. In my case I like to write a docker compose and write a tailscale container into it. I then set the service I want to expose either to my own tailnet or to the internet through funnel or though this other implementation I came up with a while back that I still need to do a write up on. Either way here is a guide i wrote with some docs as reference on my forgejo (git alternative). Docs are kinda a mess but hopefully it makes sense enough to help you out.

Tailscale docker compose examples

Lots of great ideas in this thread. It sounds like you prefer Jellyfin, but I always encourage people to consider Plex. Plex is excellent, and even if you prefer the features or interface of Jellyfin, you should never expose any application (Plex, Jellyfin, or otherwise) directly to the Internet. This should be non-negotiable. Plex uniquely solves for external access with the mobile/desktop apps and app.plex.tv by brokering client connections into your network without a NAT/PAT on your router or firewall. Plex also supports Google logins, which means that you can now have 2fa and potentially phishing-resistant 2fa if you secure your Google account with a passkey.

At my company we only expose our applications behind a WAF and firewall, and I see that some folks here have recommended Cloudflare. For those who may not know, it is no longer enough to simply rely on a firewall. When your application is built with components that may become vulnerable over time, it’s critical to use a WAF.

Depending on your level of paranioia. First, you don’t expose your containers, but their port(s).

With a reverse proxy, you will likely expose only 1 port, 443, no matter how many apps/containers/ports it will be pointing internally. For this, having a proper dns setup will be key, and a service like cloudflare dns (not tunnel), which additionally you can proxy your proxy. Also, you will need certificates (letsencrypt) for your traffic to be encrypted. Here, everybody will potentially have access to your services.

Another option is a zero trust tunnel, but as you had seen streaming may break tos. It will be likely enforced if you stream a lot, but I seriously doubt you’ll get any problem by having sporadic one or two users.

Tailscale, you need to add all the devices you need to access your services into the mesh, and you’ll need to re-authenticate every one again every few months.

Setting up a VPN (selfhosted) will require your devices to sign into it when accessing your services, and it seems to me the best approach as this way you will nave the most control over your setting.

Don’t forget to mention that, for this to work, your ISP should provide you with public IP, because if on CGNAT you will have to go with something like tunnels or tailscale.

Interested in this as well, posting a comment here just to find the post more easily:)

Twingate is another option if it’s just device to device networking and you trust all the devices that are in your network. It’s free for personal use and peer to peer so no issues with TOS if you’re streaming.