I’ve been researching different ways to expose Docker containers to the internet. I have three services I want to expose: Jellyfin, Omnivore (Read-it-later app), and Overseerr.

I’ve come across lots of suggestions, like using Nginx with Cloudflared, but some people mention that streaming media goes against Cloudflared tunnel TOS, and instead recommend Tailscale, or Traefik, or setting up a WireGuard VPN, or using Nginx with a WireGuard VPN.

The amount of conflicting advice has left me confused. So, what would be the best approach to securely expose these containers?

  • MoonlitSanguine@lemmy.one (OP)
    2 days ago

    Thanks for the info.

    Do you have a target on your back?

    No.

    Does your container contain sensitive data?

    No.

    If so, does your container have access to external directories?

    I have a hard drive mounted to the media folder that Jellyfin can access, and also a config folder. Omnivore/Overseerr will probably be similar once I add them. Could this be a problem?

      - '/home/${USER}/server/configs/jellyfin:/config'
      - '/home/${USER}/server/media:/data/media'
    

    Does your project have security options like Geo Blocking, rate limiting, etc?

    That is a good idea. Thank you.

    • plm00@lemmy.ml
      2 days ago

      What I was referring to is called a Bind Mount, where host directories are exposed to the docker container. You may be fine if it’s an external hard drive. I use bind mounts because they’re easier to back up, but I acknowledge they are less safe.

      You may be perfectly fine as you are now. My (and others') suggestions are for added security. As it stands, if there’s no target on your bind, the only bad traffic you’ll get is from bots trying to pick away at your domain and subdomains. Generally they’re not a problem. But being extra safe costs nothing but time.
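
To make the bind-mount point above concrete, here is an added example (not code from anyone in the thread) that checks Compose short-syntax volume entries and reports bind mounts the container can write to. The `HARDENED` list is a constructed variant and assumes the service only needs to read the media library.

```python
"""Audit Docker Compose short-syntax volume entries for writable bind mounts."""
from dataclasses import dataclass


@dataclass
class Mount:
    source: str
    target: str
    is_bind: bool    # host path (bind mount) rather than a named volume
    read_only: bool


def parse_volume(spec: str) -> Mount:
    """Parse 'SOURCE:TARGET[:MODE]' (Compose short syntax, Linux paths)."""
    parts = spec.strip().strip("'\"").split(":")
    if len(parts) == 1:
        # Container path only: Docker creates an anonymous volume.
        return Mount("", parts[0], False, False)
    if len(parts) not in (2, 3):
        raise ValueError(f"unsupported volume spec: {spec!r}")
    source, target = parts[0], parts[1]
    options = parts[2].split(",") if len(parts) == 3 else []
    # Compose treats a source starting with '/', '.' or '~' as a host path.
    # Assumption: variables are not expanded here, so a source that begins
    # with ${VAR} is not classified as a bind mount.
    is_bind = source.startswith(("/", ".", "~"))
    return Mount(source, target, is_bind, "ro" in options)


def writable_bind_mounts(specs):
    """Return the bind mounts a compromised container could modify."""
    return [m for m in map(parse_volume, specs) if m.is_bind and not m.read_only]


# The two entries quoted in the thread.
THREAD_VOLUMES = [
    "/home/${USER}/server/configs/jellyfin:/config",
    "/home/${USER}/server/media:/data/media",
]
# Constructed variant: media is mounted read-only, config stays writable.
HARDENED = [
    "/home/${USER}/server/configs/jellyfin:/config",
    "/home/${USER}/server/media:/data/media:ro",
]

if __name__ == "__main__":
    for label, specs in (("thread", THREAD_VOLUMES), ("hardened", HARDENED)):
        for m in writable_bind_mounts(specs):
            print(f"{label}: writable bind mount {m.source} -> {m.target}")
```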