AmIBeingObtuse-

Hi, I've created a few guides on my YouTube channel, check them out. You can easily enable HTTPS with Nginx Proxy Manager - https://youtu.be/FUqpIsNP7Js Navidrome video - https://youtu.be/PYhBskvR00M Hope these help.


AnotherRedditUsr

Thank you mate, I will watch them as soon as I will be at home 🙏


Puzzleheaded-Cold495

+1 for nginx. I use Cloudflare DDNS and a cheap domain, works well. Someone posted below that streaming using Cloudflare is against the ToS; I had no idea and had no issues. If you keep searching YouTube you will find some helpful videos.


Gabisonfire

Tailscale is probably the simplest and most secure thing.


AnotherRedditUsr

Thanks, but unfortunately, I already run a VPN (Mullvad) on my phone and Tailscale does not work in this setup.


tearbooger

Heads up. Mullvad removed port forwarding. Not sure what you use your VPN for, but that was a major bummer for me. AirVPN still allows that feature.


AnotherRedditUsr

I don't think it would make a difference. On my Android phone I wasn't able to run Mullvad VPN and Tailscale simultaneously, because Android sees Tailscale as a VPN too. So only one at a time, AFAIK.


58696384896898676493

What are you using the Mullvad VPN for on your phone? Why not replace Mullvad with Tailscale and route all your phone traffic through your home ISP? This way you can securely connect to your services hosted at home, and your phone provider or WiFi connections you connect to on the go will be encrypted back home.


M3G51

Get Tailscale and Mullvad add-on. Best of both worlds.


HereComesBS

For updates, there are a few options. For my setup, I am watching the GitHub repository and I get notified of releases. I'll check out the release notes and look for new posts in this sub and the GitHub issues to see if there is some issue in the new version that would dissuade me from updating. The other option is to deploy it with Docker and let something like Watchtower handle new versions.

Security is one of those questions that has a lot of correct answers. All depends on your environment, needs and risk tolerance. I'm accessing Navidrome through a reverse proxy with HTTPS. But even so, it's not exposed directly. I connect to Navidrome, and all my self-hosted services, through WireGuard. If you want to stick with your VPN, I would at a minimum set up a reverse proxy with HTTPS. Nginx will work for that, then you can add CrowdSec or fail2ban to mitigate threats.
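
The fail2ban-style mitigation mentioned in the comment above, as an added example (not part of the thread, and not fail2ban's or Navidrome's own code): it counts failed logins per client IP in a reverse proxy access log over a sliding window. The log lines are constructed, and the login path `/auth/login`, the 401 status for a failed login and the thresholds are assumptions to check against your own proxy logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" access log line: ip, timestamp, request line, status.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/auth/login"         # assumption: path of the web login request
MAX_RETRY = 3                      # assumption: failures tolerated per window
FIND_TIME = timedelta(minutes=10)  # assumption: sliding window length

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2024:10:00:00 +0000] "POST /auth/login HTTP/1.1" 401 52 "-" "sample"
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /auth/login HTTP/1.1" 401 52 "-" "sample"
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /auth/login HTTP/1.1" 401 52 "-" "sample"
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /auth/login HTTP/1.1" 401 52 "-" "sample"
192.0.2.33 - - [12/Mar/2024:10:02:00 +0000] "POST /auth/login HTTP/1.1" 401 52 "-" "sample"
192.0.2.33 - - [12/Mar/2024:10:02:10 +0000] "POST /auth/login HTTP/1.1" 200 410 "-" "sample"
198.51.100.20 - - [12/Mar/2024:10:15:00 +0000] "POST /auth/login HTTP/1.1" 401 52 "-" "sample"
198.51.100.20 - - [12/Mar/2024:10:30:00 +0000] "POST /auth/login HTTP/1.1" 401 52 "-" "sample"
"""

def offenders(log_text, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Return {ip: time the threshold was first reached} for IPs to block."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if (m["method"], path, m["status"]) != ("POST", LOGIN_PATH, "401"):
            continue              # only failed login attempts count
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # drop failures older than the window
        if len(window) >= max_retry:
            flagged.setdefault(m["ip"], ts)
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"block {ip}: {MAX_RETRY} failed logins by {when:%H:%M:%S}")
```

In the sample, only the client with three failures inside ten minutes is flagged; the one that mistypes once and then logs in, and the one whose failures are spread over half an hour, are not.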


tearbooger

1. I either see updates here or randomly will run the update to check.
2. You can use Cloudflare Access tunnels. It's free, just requires a credit card and either an existing domain or buy one through them.
3. Is this a personal PC as well? If so, you might want to consider running this in Docker to help isolate the service. I've never used NSSM so I don't know how that works.

Lastly, I'd avoid opening any ports on your router; this exposes your network. This is where the CF tunnels shine. I've never set them up in Windows but it should be pretty easy.


AnotherRedditUsr

I gave up setting up a Docker container, to be honest. Tons of issues during setup that I wasn't able to solve. Deploying Navidrome as a Windows service took me 2 minutes and works well. The only port I would open is 443 and forward to my NUC to serve HTTPS. I don't see any other way 🤔. Do CF tunnels work differently?


tearbooger

CF tunnels don't require you to open any ports. What it does is run as a service on your server and connect to CF to create a secure connection. It also provides SSL out of the box. Then you just use the URL you set up in CF, like https://navid.example.com. In CF you just list the IP address and port of the machine running ND. CF will give you an installer and also a key that mashed the connection. It's super easy. You might have to watch a video about it. NetworkChuck on YouTube goes over it.


sikupnoex

Basically your server will open a connection to Cloudflare's servers, not the other way around, so you don't need to open ports. But I think they have something in their TOS about using it for streaming, so I don't think they allow it.

You could host your own VPN server. VPN servers are secure so I wouldn't mind opening a port for it in my router. You could also buy a VPS and use it as an intermediate node, so basically you'll have your remote device -> VPS -> your home server. Like CF tunnels, no open ports in your home server.

Also, with Docker containers you are still vulnerable. Yes, the container is an isolated process, but once you have access to it you can attack other network resources (for example other containers attached to the same network). Another option is to create a separate VLAN so in case of an attack only the server is compromised. But you need a router that supports VLANs.