Seeking guidance for secure wireguard and reverse proxy (swag) setup


I'm hoping this is in the right location. I've been doing lots of searching on the forums, googling and watching SpaceInvader One's videos for setting up reverse proxies and have successfully gotten things up and running, but I need a bit of clarity on what is exposed to the internet. I've read that opening ports 80 and 443 from your router, which swag requires, is not the best thing to do. But on the other hand, I've read that it's ok if it's more isolated to individual docker containers. If this is not the best way to do this, what would be?

Please let me know if there is further documentation I could read about the best ways to set up safe remote access. My overall goal is to set up NextCloud for home use, but I fear the risk of exposing too much to the internet.

Thanks for reading and looking forward to learning more!

  • Author

After reading lots more tutorials and watching more YouTube videos, I think I'm going to set up Authelia with SWAG using this tutorial:

https://blog.linuxserver.io/2020/08/26/setting-up-authelia/

I'd also like to set up LDAP but I'm finding it a bit complicated to set up/understand. Could anybody point me in the right direction for setting this up in a docker for unraid if you own your own domain? I believe I need OpenLDAP and LDAP Auth but I'm not sure how to set them up. I'll continue to read the project's documentation in the meantime and try out some configs this weekend!

Thanks for reading!

I am not an expert in this space, but the first thing we would need to help you is your use case: what are you trying to solve?

If you want to access your server or assets remotely, consider setting up a VPN on your server and connecting exclusively with that.

The reverse proxy makes me think you want to be able to route requests from subdomains to specific applications, most likely for publicly hosting access to your server. In that case you do need to open ports 80 and 443 to the reverse proxy app.

LDAP makes me think you want to set up user management for one or more apps... maybe to have them register for your blog and also allow a user to use some completely separate front end app? It's a complicated process, for sure.
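As an added illustration of the subdomain routing described in the reply above (not part of the thread and not SWAG's shipped configuration): a generic nginx configuration in which the forwarded ports 80 and 443 reach only the proxy, and the proxy publishes only one named host. The hostname `nextcloud.example.com`, the upstream `nextcloud:80` and the certificate paths are assumptions.

```nginx
# Added example. Hostname, upstream name/port and certificate paths are
# placeholders chosen for illustration.

# Catch-all: anything arriving on the forwarded ports without a configured
# hostname (for example a scan of the bare IP address) gets no content.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4: refuse TLS for unknown names
    return 444;                # close plain-HTTP connections without a reply
}

# Port 80 only redirects the known hostname to HTTPS.
server {
    listen 80;
    server_name nextcloud.example.com;
    return 301 https://$host$request_uri;
}

# The single application published through the proxy.
server {
    listen 443 ssl;
    server_name nextcloud.example.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    client_max_body_size 0;    # do not cap upload size at the proxy

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://nextcloud:80;    # assumed container name and port
    }
}
```

With this layout the router forwards 80 and 443 to the proxy container only; other containers and the server's own web interface are reachable from outside only if a `server` block is added for them.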

  • Author

Thanks for the reply! The case I'm trying to solve is secure user access for my family to NextCloud from locations outside the home network (maybe sonarr and radarr down the line too). I don't think I want remote access to the server itself yet, but if I do I'm going to set that up through wireguard vpn (is that correct?)

What's pulling me to LDAP are the walkthroughs and videos I've been looking at. Most say that LDAP is the recommended way to set up?

The last constraint I want to work around is to set up everything using the domain I own. No other paid services other than the domain registration.

Let me know if I've answered your queries @mattz!

  • 2 weeks later...

That's a classic use case. It has not gone well for me personally, due to my ISP blocking incoming port 443 requests. I need to use a different port to forward requests via a Reverse Proxy. For example, I need to enter nextcloud.example.com:1443 (notice the port number). Most ISPs lock down port 443; ISPs I have been with across the country locked 443. So you won't be able to use any domain without appending the port number you are using as a substitute (e.g. 1443 or something). It works, but it is not the super clean option I wanted. Another consideration is static vs. dynamic IP address - you can use a service like DuckDNS.org to get around that, and link to that with an ALIAS or A record from your domain.

LDAP (or any Single Sign On) is not necessary and would be overkill for a family. You will not be managing users on a regular basis (you add them and they stay, right?). You would use NextCloud's built-in user management and separate logins for each of Sonarr and Radarr.

If you want remote access to YOUR server from outside, you would need to set up a VPN server to access your network. Check out OpenVPN Server to do that. Wireguard VPN would be more about securing your server's outgoing connection.

Edited by mattz
modified port 443 statement

2 hours ago, mattz said:

Most ISPs lock down port 443

Citation?

Blocking 25 and 80 is semi-common, but 443 tends to be open in my experience.

On 5/17/2021 at 12:19 PM, jonathanm said:

Citation?

Blocking 25 and 80 is semi-common, but 443 tends to be open in my experience.

Redacted... In my experience: currently on CenturyLink Fiber in Portland, OR, and I can't crack the nut.

Archived

This topic is now archived and is closed to further replies.
