@ohshit604

ohshit604@sh.itjust.works · edit-2 23 hours ago

Depends on how many sites comply, most will likely block Belgian IP’s due to this.

ohshit604@sh.itjust.works · edit-2 2 days ago

Once again, thank you for your insight! It truly does help a lot.

Today I learned the VPN routing is the cause of my issues, I opted to expose my homelab to WAN and tried to connect over LTE/5G and was surprised to see it actually resolve!

I also learned Fail2Ban has failed me in this regard.

Unfortunately this now throws a wrench in my plans In regard to security so now I’m debating on getting another piece of hardware and labelling one as “front end” and the other as “back end” so that the “back end” doesn’t share the same public IP as the “front end”.

This has ignited a spark to rework my homelab!

ohshit604@sh.itjust.works · edit-2 3 days ago

While i appreciate the detailed response here i did make another comment letting OP know i’m in a similiar situation as them, i use Docker Engine & Docker Compose for my self-hosting needs on a 13th Gen Asus Nuc (i7 model) running Proxmox with a Debian 12 VM. My reverse proxy is traefik and i am able to receive SSL certificates on port :80/:443 (also have Fail2Ban setup) however, i can’t for the life of me figure out how to expose my containers to the internet.

On my iPhone over LTE/5G trying my domain leads to an “NSURLErrorDomain” and my research of this error doesn’t give me much clarity. Edit appears to be a 503 error.

This is a snippet of my docker-compose.yml

services:
  homepage:
    image: ghcr.io/gethomepage/homepage
    hostname: homepage
    container_name: homepage
    networks:
      - main
    environment:
      PUID: 0 # optional, your user id
      PGID: 0 # optional, your group id
      HOMEPAGE_ALLOWED_HOSTS: my.domain,*
    ports:
      - '127.0.0.1:3000:3000'
    volumes:
      - ./config/homepage:/app/config # Make sure your local config directory exists
      - /var/run/docker.sock:/var/run/docker.sock #:ro # optional, for docker integrations
      - /home/user/Pictures:/app/public/icons
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.homepage.rule=Host(`my.domain`)"
      - "traefik.http.routers.homepage.entrypoints=https"
      - "traefik.http.routers.homepage.tls=true"
      - "traefik.http.services.homepage.loadbalancer.server.port=3000"
      - "traefik.http.routers.homepage.middlewares=fail2ban@file"
      # - "traefik.http.routers.homepage.tls.certresolver=cloudflare"
      #- "traefik.http.services.homepage.loadbalancer.server.port=3000"
      #- "traefik.http.middlewares.homepage.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 172.18.0.0/16, 208.118.140.130"
      #- "traefik.http.middlewares.homepage.ipwhitelist.ipstrategy.depth=2"
  traefik:
    image: traefik:v3.2
    container_name: traefik
    hostname: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - main
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 55262
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 57442
        mode: host
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    env_file: .env # use .env
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config/traefik/traefik.yml:/traefik.yml:ro
      - ./config/traefik/acme.json:/acme.json
      #- ./config/traefik/config.yml:/config.yml:ro
      - ./config/traefik/custom-yml:/custom
      # - ./config/traefik/homebridge.yml:/homebridge.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.my.domain`)"
      #- "traefik.http.middlewares.traefik-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.0/24, 208.118.140.130, 172.18.0.0/16"
      #- "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`my.domain`)"
      #- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=my.domain"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.my.domain"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=fail2ban@file"

Image of my port-forwarding rules (note; the 3000 internal/external port was me “testing”)

Edit: I should note the Asus Documentation for Port-forwarding mentions this:

Port Forwarding only works within the internal network/intranet(LAN) but cannot be accessed from Internet(WAN).

(1) First, make sure that Port Forwarding function is set up properly. You can try not to fill in the [ Internal Port ] and [ Source IP ], please refer to the Step 3.

(2) Please check that the device you need to port forward on the LAN has opened the port. For example, if you want to set up a HTTP server for a device (PC) on your LAN, make sure you have opened HTTP port 80 on that device.

(3) Please note that if the router is using a private WAN IP address (such as connected behind another router/switch/modem with built-in router/Wi-Fi feature), could potentially place the router under a multi-layer NAT network. Port Forwarding will not function properly under such environment.

Private IPv4 network ranges:

Class A: 10.0.0.0 – 10.255.255.255

Class B: 172.16.0.0 – 172.31.255.255

Class C: 192.168.0.0 – 192.168.255.255

CGNAT IP network ranges:

The allocated address block is 100.64.0.0/10, i.e. IP addresses from 100.64.0.0 to 100.127.255.255.

I want to highlight the fact that i may be under a multi-layered NAT, the folks in my household demand the ISP router given that i have PiHole running DNS blocking and my Asus Router routes all outbound connections through a VPN tunnel, besides DDNS obviously which my router also handles, i have to run these routers in bridged-mode so that they share the same WAN IP but, if I am able to receive SSL/TLS certificates from LetsEncrypt on port :80/:443 that means port-forwarding is working as intended right?

ohshit604@sh.itjust.works · edit-2 4 days ago

I’m in the same boat (sorta)!

Follow up question, did you have trouble exposing port :80 & :443 to the internet? Also are you also using Swarm or Kubernetes?

I have the docker engine setup on a machine along side Traefik (have tried Nginx in the past) primarily using Docker Compose and it works beautifully on LAN however I can’t seem to figure out why I can’t connect over the internet, I’m forced to WireGuard/VPN into my home network to access my site.

No need to provide troubleshooting advice, just curious on your experience.

ohshit604@sh.itjust.works · edit-2 4 days ago

around the 12 week mark.

Not all computers need to tell the date & time, just uninstall clock.exe

ohshit604@sh.itjust.works · 4 days ago

If you don’t mind me asking, how do you host your site?

ohshit604@sh.itjust.works · 4 days ago

deleted by creator

ohshit604@sh.itjust.works · 5 days ago

Waiting on the day Firefox extensions support the iOS app.

ohshit604@sh.itjust.works · 6 days ago

Unpopular opinion, if you’re going to use a Debian based distro you should just use Debian.

Yes, it is command-line/BASH heavy however, once you learn it it’ll make all the other Debian based distro’s even easier to manage. Only real difference is system directories are in different locations distro-to-distro.

ohshit604@sh.itjust.works · 8 days ago

deleted by creator

ohshit604@sh.itjust.works · 9 days ago

So… they’re doing exactly what apple was forced to do.

ohshit604@sh.itjust.works · edit-2 9 days ago

Yewtube Is a third party front end for YouTube using Invidious, more private, no ads and if you pair it with Freetube you can even skip in video advertisements/sponsors.

ohshit604@sh.itjust.works · edit-2 9 days ago

I’ll just leave this video guide here to cure world of this cancer

~~https://youtu.be/xL23Xvv1Pis~~

https://yewtu.be/watch?v=xL23Xvv1Pis

Fixed that for you.

ohshit604@sh.itjust.works · 12 days ago

I prefer acetone and a map-gas torch.

ohshit604@sh.itjust.works · 12 days ago

As another person mentioned Proton is Linux’s compatibility layer for Windows applications, from my understanding it installs necessary .NET frameworks and other dependencies into a fake C:\ drive an then utilizes that fake C:\ to trick the game into thinking it’s running Windows.

Every windows applications I put through Proton has not once failed to open. Now the claims that Anti-Cheat for games isn’t supported is purely false, most popular anti cheat’s do support Linux however, it’s entirely up to the publisher to tick the checkbox to allow Linux users to play.

Battle eye, Punk Buster, Easy Anti-Cheat all support Linux natively.