Ahoy mateys! I’ve been doing some research into getting a self-hosted streaming setup built, and I’d like to ask the knowledgeable folks here for advice as well.

My goal is to be running a server that can host a jellyfin stack for acquiring and streaming media for myself and my partner. (I’d like to also run a matrix chat server on it for us to have secure chats as well, but I think that’ll be less of a hassle. I hope…)

I found a few guides that don’t seem too out of date. I’m an experienced full stack software dev, so the idea of running some docker containers and doing a little command line server set up doesn’t intimidate me.

These guides though, they just cover the software application set up mainly. I also need to know:

  • Where should I host at? I’m on a shitty 5G internet at home, so VPS seems like the way to go but with who? What are some good secure hosts that aren’t super expensive? Considering Hetzner auctions maybe? Anyone used them?
  • Will I need a VPN on the server too? If I’m torrenting, do I need to be careful which hosts I choose so I don’t get copyright pinged?
  • Is there a good guide for securing and hardening my server? I’d like my partner and I to have easy access from home or on our mobiles, but I also don’t want to find out my box is suddenly mining crypto because I forgot to close one port. I don’t know what gotchas to be looking out for.
  • Any other guides you’d recommend? Any must have software or sites to know about?

Thanks in advance!

  • shaserlark@sh.itjust.works
    24 hours ago

    I’ve read a lot about using a VPS with reverse proxy but I’m kind of a noob in that area. How exactly does that protect my machine? Couldn’t an attacker with access to the VPS still harm my local machine? Currently I’m just using a WireGuard tunnel to log into my server, from what I understand you’d tunnel the service from the VPS to the homeserver and then on the VPS URL you could watch, right?

    And do I understand correctly that since we’re using the reverse proxy the possible attack surface just from finding the domain would be limited to the web interface of e.g. Jellyfin?

    Sorry for the chaotic & potentially stupid questions, I’m just really a confused beginner in this area.

    • Xanza@lemm.ee
      11 hours ago

      > I’ve read a lot about using a VPS with reverse proxy but I’m kind of a noob in that area. How exactly does that protect my machine?

      So you’re not letting people directly connect to your server via ports. Instead, you’re sending the data through your reverse proxy. So let’s say you have a server and you want to serve something off port :9000. Normally you would connect from domain.com:9000. With a reverse proxy you would set it up to use a subdomain, like service.domain.com. If you choose caddy as your reverse proxy (which I highly recommend that you do) everything is served from port :443 on your proxy, which as you might know is the default SSL port.

      > And do I understand correctly that since we’re using the reverse proxy the possible attack surface just from finding the domain would be limited to the web interface of e.g. Jellyfin?

      I wouldn’t say that it decreases your attack surface, but it does put an additional server between end-users and your server, which is nice. It acts like a firewall. If you wanted to take security to the n^th degree, you could run a connection whitelist from your home server to only allow local and connections from your rproxy (assuming it’s a dedicated IP). Doing that significantly increases your security and drastically lowers your attack vector, because even if an attacker is able to determine the port, and even your home IP, they can’t connect because the connection isn’t originating from your rproxy.

      > Sorry for the chaotic & potentially stupid questions, I’m just really a confused beginner in this area.

      You’re good. Most of this shit is honestly hard.
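
The connection whitelist described in the reply above, sketched as an added example that is not part of the thread: a shell function that renders an nftables ruleset for the home server, dropping inbound traffic by default and accepting the service port only from the reverse proxy's dedicated address. It assumes the home server uses nftables; the addresses are constructed placeholders and 8096 is assumed to be the Jellyfin HTTP port.

```shell
#!/bin/sh
# Added example. Addresses are constructed placeholders (RFC 5737 / RFC 1918);
# 8096 is assumed to be the Jellyfin HTTP port on the home server.

# Accept dotted-quad IPv4 with an optional /prefix, octets 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print an nftables ruleset: default-drop inbound, allow loopback, replies,
# ICMP, the LAN range, and the service port from the proxy address only.
render_ruleset() {
    proxy_ip=$1; lan_cidr=$2; port=$3
    # The proxy must be one dedicated address, never a range.
    case $proxy_ip in */*) echo "proxy must be a single address" >&2; return 1 ;; esac
    valid_ipv4 "$proxy_ip" || { echo "bad proxy address" >&2; return 1; }
    valid_ipv4 "$lan_cidr" || { echo "bad LAN range" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null ||
        { echo "bad port" >&2; return 1; }
    cat <<EOF
table inet home_allowlist {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } accept
        ip saddr $lan_cidr accept
        ip saddr $proxy_ip tcp dport $port accept
    }
}
EOF
}

# Usage: render to a file, then syntax-check before loading:
#   render_ruleset 203.0.113.10 192.168.1.0/24 8096 > home-allowlist.nft
#   nft -c -f home-allowlist.nft
```

The LAN rule keeps local administration (SSH included) reachable, so a mistake in the proxy address does not lock you out from inside the house.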