selfhosted


lemmyvore, in Reverse proxy

I should also add something that lots of beginners miss.

The reverse proxy does not care what the domains that you define in it actually resolve to. It receives the domain name as a HTTP header which is completely at the whim of the client. As long as that domain name matches one of the domains defined in the proxy, it’s all good.

You can successfully connect to a proxy with a domain name defined in the domain owner’s DNS, or you can make up your own DNS that says whatever you want, or you can define any domain->IP association you want in your hosts file, or you can simply use curl or wget to connect directly to the proxy IP and lie about the domain in the HTTP headers without having it resolve in any DNS.

This means that yes, the proxy will happily serve your “private” *.local.example.com services to someone connecting from outside your LAN. All they have to do is figure out (or guess) your subdomain names. You need to add IP restrictions in the proxy (default deny from all + lan ip mask explicit exception) if you really want those services to be restricted to the LAN.

DNS is not security, it’s a public service that maps domains to IPs.

TLS is only security in the sense it protects the connection en route from eavesdropping, but it doesn’t restrict access.
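
The decision described in the comment above, modelled in Python as an added example (not part of the original post, and not nginx's or Nginx Proxy Manager's own code): the proxy selects a site from the client-supplied Host header and checks the peer address only if an allow-list is configured. The host names, upstream URLs, LAN range and the status codes used for the no-match cases are assumptions made for the illustration.

```python
"""Simplified model of name-based virtual hosting with a source-IP allow-list."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VHost:
    server_name: str   # exact name, or "*.suffix" wildcard
    upstream: str      # where matching requests are forwarded
    allow: list = field(default_factory=list)  # CIDRs; empty = no IP restriction


def normalize_host(host_header):
    """Lower-case the Host header and drop any port and trailing dot."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):              # IPv6 literal such as "[::1]:443"
        host = host[1:].split("]", 1)[0]
    elif ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") or None


def match_vhost(host, vhosts):
    """Exact names win; otherwise the wildcard with the longest suffix."""
    for vh in vhosts:
        if vh.server_name == host:
            return vh
    wild = [vh for vh in vhosts
            if vh.server_name.startswith("*.") and host.endswith(vh.server_name[1:])]
    return max(wild, key=lambda vh: len(vh.server_name), default=None)


def handle(client_ip, host_header, vhosts):
    """Return (status, upstream) for one request.

    DNS is not an input. Only the Host header (chosen by the client) and the
    TCP peer address (seen by the proxy) take part in the decision.
    """
    host = normalize_host(host_header)
    if host is None:
        return 400, None                  # assumed behaviour for a missing Host
    vh = match_vhost(host, vhosts)
    if vh is None:
        return 404, None                  # assumed catch-all for unknown names
    if vh.allow:
        peer = ipaddress.ip_address(client_ip)
        if not any(peer in ipaddress.ip_network(cidr) for cidr in vh.allow):
            return 403, None              # default deny: peer is outside every allowed range
    return 200, vh.upstream


# Constructed sample configuration (all values are made up for the example).
LAN = ["192.168.1.0/24"]
OPEN = [
    VHost("www.example.com", "http://127.0.0.1:8080"),
    VHost("*.local.example.com", "http://127.0.0.1:8096"),             # no allow-list
]
RESTRICTED = [
    OPEN[0],
    VHost("*.local.example.com", "http://127.0.0.1:8096", allow=LAN),  # LAN only
]

if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for an outside client.
    # 127.0.0.1 stands for a request relayed by a tunnel or another proxy on the
    # same host: it is not in the LAN range, so it is denied unless listed.
    for label, cfg in (("open", OPEN), ("restricted", RESTRICTED)):
        for ip in ("203.0.113.7", "192.168.1.50", "127.0.0.1"):
            print(label, ip, handle(ip, "jellyfin.local.example.com", cfg))
```
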

mfat,

Thanks I understand the theory behind this but I can’t get it to work.

I have a jellyfin.mydomain.com subdomain pointing at my VPS ip. On my home server I have Nginx Proxy Manager listening to 192.168.8.1:8998 (http) and 8999 (https). From my home server I forward port 80 from the VPS to local port 8999 like this:


ssh -R 80:127.0.0.1:8998 root@vps-ip

Then on npm I define a proxy to localhost:8096 (jellyfin) for any traffic sent to jellyfinn.mydomain.com.

But I can’t access jellyfin remotely.

lemmyvore,

Check all the steps individually then:

  • check that the ip resolves to the VPS IP at the location you’re testing this
  • set up the tunnel to bypass the proxy (connect it directly to jellyfin)
  • check that jellyfin works directly
  • check the proxy directly, with curl connected to the proxy with the header “Host” set to the domain
  • check that the VPS firewall didn’t block port 80
  • normally you wouldn’t be able to forward port 80 with a normal ssh user but I see you’re logging in as root so it should be working

avidamoeba, in The Immich core team goes full-time | Immich

Will the license change?

No. Immich will continue to be licensed under AGPL without a CLA.

potatopotato,

I hate that it needs to be said but love that they said it so plainly

ScreaminOctopus,

Isn’t a huge part of the point of copy left licences that an author can’t change the license without rewriting the code entirely?

CriticalMiss,

For the license to be changed every team member needs to submit a written agreement that he agrees to the change, otherwise their contributions must be removed as they were written under a different license, the only exception is usually permissive licenses such as MIT/BSD 3 clause.

Usually, to rugpull FOSS contributors, companies who maintain FOSS software ask contributors to sign a CLA which waives their rights and lets them control their contributions. Immich isn’t doing any of that, and it will likely remain AGPL forever because changing the license will be a big hassle for them with the amount of contributors.

ALostInquirer,

What’s a CLA?

avidamoeba,

Contribution/contributor license agreement. It’s a document that transfers the copyright from the original author - developer submitting a patch or PR - to the project owner, e.g. FUTO. If FUTO required CLA for all Immich contributions, then FUTO would own the copyright for all the source code of Immich. This allows FUTO to relicense Immich under a different license, other than GPL, for whatever purpose, without asking anyone. For example they could make modified Immich versions for sale, or sell the Immich source code to third parties under EULA or any other license. Without a CLA, FUTO would have to get written agreement from every Immich source code contributor to change the Immich license, which would happen in 2000 and never, at least not without ponying up cash.

ALostInquirer,

Thanks!

Appoxo,

Even then there would be at least that someone that would refuse it or would only sell out for (example) 1 billion €.

SomeBoyo,

good

antsu, in Post your Servernames!

Mine are all anime characters. Currently I have:

  • Mizuho (Onegai Teacher)
  • Misaki (To Aru Kagaku no Railgun)
  • Washu (Tenchi Muyo)
  • Siesta (Zero no Tsukaima)
  • Derfflinger (Zero no Tsukaima)

rentar42, (edited ) in Should I or should I not use a VLAN? I have trouble understanding the benefits for home use

Like many other security mechanisms VLANs aren't really about enabling anything that can't be done without them.

Instead it's almost exclusively about FORBIDDING some kinds of interactions that are otherwise allowed by default.

So if your question is "do I need VLAN to enable any features", then the answer is no, you don't (almost certainly, I'm sure there are some weird corner cases and exceptions).

What VLANs can help you do is stop your PoE camera from talking to your KNX and your Chromecast from talking to your Switch. But why would you want that? They don't normally talk to each other anyway. Right. That "normally" is exactly the case: one major benefit of having VLANs is not just stopping "normal" phone-homes but to contain any security incidents to as small a scope as possible. Imagine if someone figured out a way to hack your switch (maybe even remotely while you're out!). That would be bad. What would be worse is if that attacker then suddenly has access to your pihole (which is password protected and the password never flies around your home network unencrypted, right?!) or your PC or your phone ...

So having separate VLANs where each one contains only devices that need to talk to each other can severely restrict the actual impact of a security issue with any of your devices.

Sethayy,

Just for an anecdote on functional vlans, I once knew someone that had their WAN sent into a managed switch, set it on a vlan with their router elsewhere in the network

BlueEther,

I had my home setup like that for years. ONT <-> Switch <-> Opnsense <-> Back to Switch

4am,

And, circling back to ports, you can make firewall rules that prevent devices from talking across VLANs on certain ports. Your Nintendo Switch doesn’t need SSH access to your KNX server, to re-use your previous example, so you block your console’s VLAN from being able to talk to your server VLAN at all.

The best way to do it is to block literally everything between VLANs, and then only allow the ports you know you need for the functionality you want.

FalseMyrmidon,

In larger networks VLANs let you do network segmentation across switches, which you can't really do otherwise.

I wouldn't bother at home.

iso, in Why is Matrix mentioned more often than XMPP in self hosted forums?

I don’t think XMPP is simpler than Matrix. With my insufficient knowledge; XMPP servers and clients have different standards. Some support audio/video calls, some require encryption while others maybe not etc.

Matrix has a standard set of features and all software around it is built for those features. TBH I find Matrix pretty instable lately tho.

henrikx,

XMPP servers and clients have different standards. Some support audio/video calls

And the same is true about Matrix lol

iso, (edited )

Yes, you can shoot me from there and you’re right but I don’t see much difference between Matrix clients. The experience is pretty common between them. Synapse is de facto standard.

taladar,

I was under the impression that there is only one Matrix server implementation. Standards are not really required in that situation.

farcaller,

There’s way more and I already tried three implementations while trying to get a set of features I need. It’s a wild west out there and the resource usage is way higher than e.g. hosting Prosody. Seemingly it has to do with chatrooms being a full mesh, but my single user server consumes about 700mb RSS and 2.4 gb VSZ which is kinda high.

cobysev, in For those who selfhost their music services, what are your must have plugins for beets and/or Musicbrainz

I’ve been maintaining a self-hosted music library for so long (30+ years now), there used to not be any tools for editing metadata. I used to have to go into file properties and manually edit the data for each individual MP3 file. Nowadays, I use Mp3tag to manually edit entire albums at a time. I have ADHD though (the hyperfixation kind), so I’ve literally dedicated thousands of hours to manually fixing metadata.

I guess I never bothered to look for more advanced tools to auto-update metadata. I had to go in and manually fix stuff that updated automatically from the Internet in the past, so I guess I stopped trusting online databases. But they’ve really advanced since the last time I went searching for tools, and their databases are a lot more complete in this day and age. I’m gonna play around with some of these programs and see how well they work.

I host my music library through Plex, then use Symfonium on my phone if I want to stream my Plex music remotely, just because I like their interface a little better than Plex’s.

Bookmeat,

OMFG. Never knew there was something so awesome as Symfonium. Thanks! So easy to connect it to my Plex instance. GLEEEEEE.

HeyJoe,

It’s only a little over a year old by now and even the first release was better than most of the stuff out there, but what it is today makes it better than anything I have ever used before on my phone and that includes premium apps like Spotify. At this point, I can’t even think of stuff I would need anymore, but I can’t wait to see what the next year brings.

Another note, the developer also created yatse, which I used over a decade ago as my remote control for kodi. Also equally as awesome as this is. He is very good at what he does, haha.

ElderWendigo,

When you say Plex interface remotely, are you referring to the Plex app or PlexAmp app? I feel like PlexAmp fixed all of my complaints about listening to music through Plex (the same app I use for videos).

cobysev,

I was referring to PlexAmp. It’s decent, works well, but I just liked the interface for Symfonium better. It seemed more functional than PlexAmp when I switched over to it.

I actually haven’t used PlexAmp in a few years, so maybe it’s gotten better lately. I guess I’ll have to compare apps.

Lifebandit666,

Well I’ve just successfully used the new Google screen AI feature on my phone for the first time because of your comment.

Highlighted Symfonium and searched and downloaded in seconds. It’s a cool app, like it

uninvitedguest,

Mp3tag and hours of fixing metadata used to be me, and then I just kind of… Ran out of time for that.

AtariDump,

+1 for MP3Tag; it’s a wonderful tool and I’m overdue to donate to them.

I also use Plex to host the music but use PlexAmp for playback; the additional features (Sonic Adventure / “DJs”/etc.) are great features.

catloaf,

Here’s your reminder to send him a few bucks. www.mp3tag.de/en/donations.html

AtariDump,

Thanks! (Seriously)

N4CHEM,

MP3Tag sounds cool, but there’s no Linux version it seems :(

catloaf,

It’s a pretty simple program so it probably runs fine under Wine.

ElderWendigo,

Easytag works pretty well for me on Linux, when I’m not just using Picard. I use EasyTag mostly for fixing and normalizing the tags on audiobooks these days.

Cyber,

I came from MP3Tag and the closest Linux version I found is puddletag; it’s literally written to be the same.

I use it for some metadata editing that - in my case - I can’t seem to get Picard to do (might just need to RTFM a bit more)

domi,

Check out Picard, I switched to it when I switched to Linux: flathub.org/apps/org.musicbrainz.Picard

solidgrue, in Massive Thank You

The best way to say thank you is to pay it forward. Always be mindful of the time when you were the new kid, and freely share your knowledge & experience with the next new kid behind you in the spirit of community.

Geek on!

MostlyGibberish, in Verifying -arr Downloads?

This doesn’t directly answer your question, but highly recommend checking out trash-guides.info

They have a ton of guides on how to configure and automate really detailed rules for sonarr/radarr. So, while it won’t help you verify the download matches the labels, it’ll make it more likely to get releases from reputable sources that are more likely to use accurate labels.

Flamangoman, in The domain aftermarket has a big problem

Well ya, look at it, it’s a moldy loaf of bread!!!

empireOfLove2, (edited ) in UGREEN enters Network Attached Storage (NAS) market with diverse Linux-based NASync lineup

The preloaded spyware OS is half baked, horribly unfinished, and also locked to the hardware. You can work around it to install your own OS but they provide zero support and explicitly say it is not supposed to be allowed by ToS while intentionally making it as hard as possible by making the BIOS inaccessible and digitally signed to their own OS. Fuck that.

The crowdfunding fundraiser (where there are zero penalties if things are shipped broken, incomplete or not at all) is super fishy and the non-discount price is astronomical. While the hardware looks nice… Hard, hard pass right now, stinks of vendor lockin and illegal data vacuuming. Do not buy.

Source video: youtu.be/Y_MgY7wgII8

MangoPenguin,

Yup it’s absolutely horrible all around.

Showroom7561,

Yeah, I’ve got a bunch of Ugreen hardware (external HDD enclosures, USB hubs, adapters, etc.), but there’s no way I’d get their hardware with an OS on it. I don’t trust the brand that much.

Diplomjodler,

Is my phone charger spying on me?

Appoxo, (edited )

I did order the 4800+. I have no need for the Ugreen OS and will replace it.
Every report I have read says that the hardware looks very good for the (kickstarter) price

Moonrise2473,

But if the EFI is locked and you have to use a workaround to boot?

I’d wait for a real review before purchasing a “e-waste bomb”

The real reason the hardware is locked to their Linux distro is that the moment they discontinue security updates, it immediately becomes e-waste and you have to buy a new one instead of using it until it physically breaks. This approach works great on Apple devices, which have a 5-7 year lifetime from market launch

Appoxo,

If Synology decides to not support your NAS it can’t even load anything else. Synology decided for the DS218j (or DS220j) that it suddenly can’t use BTRFS anymore. If I remember it correctly it was due to not having enough memory.
But that was only after the upgrade to DSM 7.x
Yet I see only confused posts on the web instead of rage and “I won’t buy Synology anymore”.

Molecular0079,

You shouldn’t trust ANY brand’s pre-installed OS when it comes to your personal data to be honest.

9488fcea02a9,

QNAP is taiwanese and still providing software patches for my 8 year old NAS. I think they are reasonably trustworthy

But i agree with you, i’m going to build my own NAS from scratch this year…

Molecular0079,

I have zero trust in QNAP. QNAP knowingly sold several NASes with a known clock-drift defect in their Intel J1900 CPUs and then refused to provide any support. A bunch of community members had to figure out how to solder a resistor to temporarily revive their bricked NASes in order to retrieve their data. forum.qnap.com/viewtopic.php?t=135089

I had a TS-453 Pro and my friend had a TS-451. Both mine and his exhibited this issue and refused to boot. After this debacle and the extreme apathy from their support, I vowed to never buy a pre-built NAS.

nexusband,

Do it anyway and put an x86 OS on one of the “standard UEFI” versions. There’s no other Hardware better on the market for this - even self build isn’t going to come close, there’s simply no case with 8 hotswap slots (for example).

resetbypeer,

Not to mention the sheer amount of security vulnerabilities they constantly have in their products. I never recommend QNAP for that reason. Out of the box solutions I only recommend Synology. Selfbuild route is Unraid and my personal fav. Truenas scale.

nexusband,

Get an x86 Qnap and put Truenas Scale on it - there is no case in that form factor in existence.

phrogpilot73,

nexusband,

Does this have a backplane?

phrogpilot73,

More than likely. Since the description clearly states “8x3.5 HDD Hot-Swap drive bays.” It’s not the only case of similar form factor that you can get 8 hot swap drive bays. There are literally tons of NAS case designs to choose from.

nexusband,

I’ve had a look and sadly, they are not available in Europe (at least for any reasonable price).

phrogpilot73,

I’ve built every NAS/home server I’ve ever had. There’s lots of options out there for the case as well. You could take an SFF Mini ITX case with a single 5 1/4" drive bay and put an icy dock 8 x 2.5" SATA backplane in it. Don’t know if icy dock (brand) is widely available in Europe…

Just pointing out that if you imagine it (form factor with 8 hot swappable drives) there’s probably a solution to build it from scratch.

nexusband,

You could do all that, yes - but that’s not really “replacing” a Synology IMHO. The point is that you don’t really have to think about putting it all together correctly - put the drives in, install your OS of choice and that’s it.

nexusband,

Get an x86 Qnap and put Truenas Scale on it - there is no case in that form factor in existence.

Molecular0079,

Man, I have GOT to try Truenas Scale one of these days. I see it recommended so often, but I was just too used to a standard Linux ecosystem to bother learning something new. I am assuming it gets you closer to the feel of a pre-built NAS during administration tasks compared to Cockpit and a SSH session lmao.

I think I am just always afraid of being locked into a specific way of doing things by a vendor. I feel like I would get annoyed if something that I could do easily on standard Linux was harder to do on Truenas Scale.

resetbypeer,

For sure. It’s basically a NAS software appliance. You just need to bring your own x86 hardware. Truenas core was good, but they will stop actively developing soon in favor for scale.

I have it running both hardware (backup) as well as virtualized (with a special sas/sata card as PCI pass thru). Works like a charm.

9488fcea02a9,

Wow, did not know this…

I think i will accelerate my plans for a new NAS lol

lemmyingly,

What do people think of their hardware in general?

I have some caddies HDD and NVMe. I think their gear is fairly mid. some aspects are quite nice but other aspects is dog water.

Showroom7561,

What do people think of their hardware in general?

I’ve been very happy with their external HDD enclosures, and various USB chargers.

Their USB car charger has been the only one to survive Canadian winters and summers for more than a year (going on 4), which is impressive.

I’d say their quality is as good, or better, than most of the Anker stuff I’ve purchased.

Linkerbaan,

They have some of the best USB cables (strongest, least breakable). Used to be cheap too until they started spending big bucks on marketing.

lemmyingly,

As a comparison against Anker, the cables are thinner - almost as thin as the cheap unbranded cables. Or at least this is what my ugreen cables are like.

Linkerbaan,

lemmyingly,

This is what I was already comparing. Ugreen make thinner cables?

Linkerbaan,

In my experience they’re very solid. They also have thicker PD charging cables.

Molecular0079,

The preloaded spyware OS

Nowhere in that video did it say this. I am all for DIY NAS and I have an Arch-based one at home, but saying this while implying that that’s what the source video you linked said is a bit disingenuous.

To be honest, nothing about this UGREEN is any different from any of the other off-the-shelf NAS solutions out there like QNAP, Synology, etc. If you don’t trust the UGREEN pre-installed OS, you shouldn’t trust any of the other ones either. I am not saying you should, but my point is that this is pretty par for the course as far as pre-built NASes go.

Most companies do not provide support if you install a custom OS. That isn’t a sign of vendor lock-in, just a matter of keeping support feasible in the long-term, especially since they’re relatively new at this. If you want a custom OS, it is far easier and cheaper to just build your own.

warm,

Exactly, there's valid complaints, but they are clutching at straws and just lying in their comment.

brickfrog,

Bummer, the formfactor / specs look okay but it’s kind of a dead end if I can’t just install & use a vanilla Debian OS or similar.

With all the NAS OS options probably Synology has the best one but even there I don’t actually want to get locked into that. I doubt this UGOS software can match Synology’s let alone Debian.

If it’s any consolation it looks like UGREEN is responding to comments about installing other OSes at their kickstarter page www.kickstarter.com/projects/urgreen/…/comments

Appoxo,

You can. But you need to circumvent the default settings and deactivate the watchdog in the UEFI.
There are already guides out there by reviewers. Youtube review about the NAS and how they replace the OS (around 11:00min)

DaseinPickle, in UmbrelOS: A beautiful home server OS for self-hosting with an app store.

There is a warning from a user on Reddit. Might be worth considering before buying. www.reddit.com/r/…/dont_buy_an_umbrel/

helenslunch,

Reddit is blocking my connection, what does it say?

DaseinPickle,

From Reddit:

“I bought an Umbrel.com home server hoping to have a dedicated device to run my favorite software on. I spent $500 and got an Umbrel.

Their “app store” is small, outdated (from an app update perspective), and filled with cryptocurrency junk. I should also mention that it’s difficult to use non-approved software, requiring your own GitHub repo with config files, docker setup, and a few other things. No one-click button to import software.

The hardware is half as good as a used 1L mini-PC that you can get on Amazon for $170, and it’ll give you more control.

The Umbrel has an HDMI port hidden inside, so if you want to use it you must cut a hole in the side for it. The only way to access its interface is with a slow, buggy, and heavy web UI.

Don’t buy an Umbrel, buy a $100 used 1L machine and save yourself a headache and $400.

EDIT: I asked for a refund and was denied since they don’t offer them to anyone. Huge red flag!”

helenslunch, (edited )

Their “app store” is…filled with cryptocurrency junk

I don’t consider that a negative. If you don’t want it, you don’t have to use it. Although being it is a for-profit company there is always the possibility that they start pushing this kind of software.

requiring your own GitHub repo

This isn’t really unusual. Yunohost does the same thing. Presumably to ensure compatibility and ease of use.

The hardware is half as good as a used 1L mini-PC that you can get on Amazon for $170

This really misses the point of the product entirely. It’s intended to be an “out of the box solution” and the hardware purchase funds development. Same goes for something like HomeAssistant yellow. If you have the capacity to build your own from scratch, this product is not for you. I assume the hardware is also intended to be efficient power consumption like a RPi.

Also the OS is FOSS and can be installed on whatever hardware you want.

The Umbrel has an HDMI port hidden inside, so if you want to use it you must cut a hole in the side for it.

Not ideal but I’ve never seen anyone use a server with anything but a web interface. They’re probably just using off the shelf hardware and putting it in a case.

I asked for a refund and was denied since they don’t offer them to anyone. Huge red flag!”

Agreed there.

dan, (edited ) in Benefits of running 2 Wi-Fi networks from the same router? What are the downsides? (I don't know if there is a better community for this question)

Energy consumption is essentially the same, as it’s using the same radios.

For what it’s worth, I have several SSIDs, each on a separate VLAN:

  • my main one
  • Guest. Has internet access but is otherwise isolated - Guest devices can’t communicate with other guest devices or with any other VLANs.
  • IoT Internet: IoT and home automation devices that need internet access. Things like Ecobee thermostat, Google speakers, etc
  • IoT No Internet: Home automation stuff that does not need internet access. Security cameras, Zigbee PoE dongle (SLZB-06), garage door opener, ESPHome devices, etc

(to remotely access home automation stuff, I use Home Assistant via a Tailscale VPN)

Most of these have both 2.4Ghz and 5Ghz enabled, with band steering enabled to (hopefully) convince devices to use 5Ghz when possible.

This is on a TP-Link Omada setup with 2 x EAP670 ceiling-mounted access points. You can create up to 16 SSIDs I think.

unknowing8343,

That was an amazing read. Thank you.

What do you say is the use case for separating guest Wi-Fi with the more “private” stuff on your network?

As far as I understand… Basically all communications, even inside a network, are encrypted… So I guess you do that to avoid someone trying to exploit some vulnerability?

Strit,

I think the main benefit is that Guests devices on your network can’t find and exploit your own devices.

geophysicist,

If you don’t trust the person, why give them access to your WiFi in the first place?

osprior,

You can trust the person, without trusting their technical skills, such that they haven’t inadvertently installed malware on their own devices.

BearOfaTime, (edited )

Basically all communications, even inside a network, are encrypted

LOL, oh no.

Even internet traffic isn’t encrypted by default.

Sadly TCP/IP isn’t encrypted.

AA5B,

Remember that once you give the password out, they likely have the password from now on. They will always have access until you change the password.

No, a lot of local traffic is not encrypted, especially residential. No, residential probably doesn’t use much authentication or separation of privileges.

dan, (edited )

I don’t want my guests to be able to access my home server or Omada controller for example, or spread malware (their phone may have malware without them even knowing). Also, I give the guest wifi to people other than friends, like contractors. Phone reception is horrible at my house so I give them the wifi so they can use wifi calling.

BearOfaTime,

Guest devices can’t communicate with other guest devices

How do you accomplish this isolation since they’re on the same subnet/broadcast domain? Is it a feature of the hardware you’re using?

ByteWizard,

For Unifi devices you setup a Virtual Network then assign the guests to that. help.ui.com/…/115000166827-UniFi-Hotspot-Portal-a…

BearOfaTime,

I’m not seeing anything there that says guests can’t see other guests - quite the opposite.

guests connected to your Hotspot Portal will be isolated from all other networks except the one they are assigned to.

Guests on this network are able to access the internet, and communicate with the UniFi gateway to obtain a DHCP lease and resolve names using DNS

I suppose a switch could be configured to prevent traffic going to other ports, which is how I would assume this would have to be done. This functionality would have to exist in the access point, I guess?

Does UniFi have a feature to isolate devices from each other on the same subnet? Seems like it would require some kind of Layer 2 routing?

excitingburp,

It does. I have it enabled and tested. “Client Device Isolation.” It’s enabled per SSID.

BearOfaTime,

Oh, neat. I’ll have to look into it.

Thanks!

dan,

A lot of access points, even consumer-grade ones, have this option. It’s usually accomplished via predefined firewall rules on the access points themselves.

Consumer-grade access points usually let you have just one isolated guest network, whereas fancier ones (Omada, Unifi, Ruckus, Aruba, etc) usually let you enable isolation for any SSID (ie the “guest network” is no different from any other SSID)

BearOfaTime, (edited )

Isolated guest networks I get, but isolating guests from other guests on the same subnet/isolated net is what I haven’t seen.

jemikwa,

If there’s an option on the AP to not permit link local routing within a vlan/ssid, that will force all traffic up to the firewall. Then you can block intrazone traffic at the firewall level for that vlan.
I’ve seen this in Meraki hardware where it’s referred to as “client isolation”. Ubiquiti might be able to do this too.

dan,

I used to have a Netgear Nighthawk router/AP I bought from Costco, and if I remember correctly, its guest network automatically isolated guests from other guests. This router didn’t support VLANs so I think it was just a bunch of firewall rules.

conorab,

The APs know who the Wi-Fi clients are and just drop traffic between them. This is called client/station isolation. It’s often used in corporate to 1) prevent wireless clients from attacking each other (students, guests) and 2) to prevent broadcast and multicast packets from wasting all your airtime. This has the downside of breaking AirPlay, AirPrint and any other services where devices are expected to talk to each other.

excitingburp,

Ooh I like the idea of “no Internet.” I do trust all of those devices (open source), but they could still be pwned.

Fudoshin, in Recomendation for a note taking app

Obsidian + private GitHub repo hosting

Hule, in Is rpi still the single board go-to?

Many have said this. If you don’t need the GPIO, get a small PC.

ShortN0te,

Or if you do not care about power consumption.

BarbecueCowboy,

A refurbished tiny/mini/micro PC will use more power in terms of sheer numbers, but the cost is still so small on them that it's really not worth considering for most.

mea_rah,

If you search ebay for Intel based thin clients, many are more powerful than RPi while being passively cooled and having very similar power consumption.

ShortN0te,

Never have seen a thin client that goes below 7ish Watt on idle. Basically every RPi does. www.pidramble.com/wiki/…/power-consumption

mea_rah, (edited )

Thin clients based on J5005 or J4105 generally idle under 5W. (Futro S740, Wyse 5070,…) They consume a bit more when 100% loaded (11W vs 8W), but they also provide about 2x performance of Pi4.

(That article you shared is measuring power consumption on the USB port, which does not take into account overhead of USB adapter itself)

ShortN0te,

Pls, provide some proof for those numbers. The ‘under 5W mark’ gets often claimed but i still have not seen a valid proof (a simple measurement with a wattmeter) of it other than some spec sheet.

The overhead does not matter really. USB 5V power supplies are cheap and efficient these days, yes you need to look out for an efficient one but even one with only 50% efficiency (which is really really bad) would only add 1W to the (lower than) 2W power in idle. That would still result in lower power in idle.

DreadPotato, (edited )

https://sopuli.xyz/pictrs/image/eb449006-c265-48b5-b22d-66522b15d4c5.webp

Anecdotally my NUC runs 2 linux VMs and a couple of LXCs, so it’s never truly idling, and pulls an average of 7.5W.

ShortN0te,

Thank you. Would love to see the true idle. The difference between idle and light load is often not that high. I imagine the CPU supports virtualization?

And would also love to know some more specs of the NUC.

DreadPotato,

It has an older i3 quadcore @ 3ghz max with 16gb ram and 1tb nvme, can’t remember the model number.

I think idle without any VMs or containers running is around 6.5W, so no it’s not much lower.

mea_rah,

I have a bunch of these myself and that is my experience, but don’t have any screenshots now.

However there’s great comparison of these thin clients if you don’t mind Polish: www.youtube.com/watch?v=DLRplLPdd3Q

Just the relevant screens to save you some time:

Power usage: https://lemmy.world/pictrs/image/c9586020-9caa-46d5-a219-7a2e29276526.png

Cinebench multi core: https://lemmy.world/pictrs/image/8869de19-80ef-45c2-8905-71413837ba89.png

The power usage in idle is within 2W from Pi 4 and the performance is about double compared to overclocked Pi 4. It’s really quite a viable alternative unless you need really small device. The only alternative size-wise is slightly bigger WYSE 3040, but that one has x5-z8350 CPU, which sits somewhere between Pi3B+ and Pi4 performance-wise. It is also very low power though and if you don’t need that much CPU it is also very viable replacement. (these can be easily bought for about €60 on eBay, or cheaper if you shop around)

Also each W of extra idle power is about 9kWh extra consumed. Even if you paid 50c/kWh (which would be more than I’ve ever seen) that’s €5 per year extra. So I wouldn’t lose my sleep over 2W more or less. Prices here are high, 9kWh/y is rounding error.

BrianTheeBiscuiteer,

The n100 and n200 have quite low TDP values for much better performance than a Pi.

fuckwit_mcbumcrumble,

They still consume way more power than the pi. My pi fully loaded uses less power than my N100 router idle.

AtariDump,

What if I want a computer I can power via PoE?

Hule,

I have never thought about this. Thanks for pointing it out.

AtariDump,

You’re welcome.

And I do. I have a PoE switch so the more things I can make PoE the easier it is.

Toes, in What's Your Preferred Server Monitoring Method?

My clients when they text me the server is down.

fatboy93,

This has the same energy as my spouse yelling at me because jellyfin went down

Passerby6497,

Or my partners greeting me in the morning “Home assistant went down again, so the lights are all manual”

Thankfully that one is mostly solved.

TCB13,

So damn accurate ahhaha
