17 votes

How safe am I? (self hosting)

I have a server running Unraid at home. I have ~20 docker containers running at the moment with almost all of them only available within my local network. I just stood up an instance of Seafile on the server to act as a google drive replacement. Still in the early test phase before I commit to throwing important stuff on there. I have my domain proxied through Cloudflare so none of my local ports are exposed to the internet. Seafile has complicated passwords set for admin and user accounts (generated with Bitwarden, hot damn I love that app). I also enabled 2FA on each account. I know that I can further clamp it down using some of Cloudflare's extra access controls but in my admittedly limited experience, those all cause issues getting an app to authenticate with the service. Web apps don't have this issue of course.

So am I ok with this setup? I can encrypt the data before uploading easily as it's a built-in feature of Seafile. Or would it be better to just run with local only and run a VPN to access when I'm outside?

I figure just about any effort along these lines I trust more than Google with my data. But I may be overconfident in that perhaps. I'm still learning the ropes with Linux and self-hosting in general.

18 comments

  1. [7]
    teaearlgraycold
    I think if you care about security the best option is to use a VPN. HackerNews raves about TailScale. Their free tier might be enough for your needs - https://tailscale.com/pricing/

    10 votes
    1. Reapy
      I just want to add a vote for tailscale for exposing local services to the web to select parties or just yourself. I have a Nas with some services running and I just don't trust my knowledge nowadays to put them past my router like I used to years ago. I found Tailscale from some of the posts here and I had it up and running in minutes on my phone, Nas, and pc. I then had a friend set up in the network as well and it just worked amazingly well.

      I don't have anything else to compare it with but the recommendations for using it to get to your services away from home are not exaggerating about how well it works.

      2 votes
    2. [6]
      Comment deleted by author
      1. smores
        I suspect @teaearlgraycold is talking about only making services like Seafile available on the local network, and then running a VPN server so that you can access those servers while you're out and about. This is much safer than actually exposing your services to the Internet; VPN technology like OpenVPN and Wireguard (Tailscale is built on Wireguard) is much easier to implement safely than a public-facing web service.

        14 votes
      2. [2]
        teaearlgraycold
        (edited)
        I don't think you know what a VPN really is. When you see an ad for a "VPN" what you're actually being sold is an encrypted network tunnel. VPN stands for Virtual Private Network. Where's the network with an encrypted tunnel?

        In OP's case a VPN would put some of their computers on their home network into a virtual network. Then OP could flip on the VPN on their phone/laptop/whatever when elsewhere and get that mobile device entered into the virtual network. The connection would be encrypted and require authentication. That authentication, as long as it's sufficiently secure, is the extra security layer that I am recommending.

        Edit: Scratched out salty behavior

        11 votes
        1. [2]
          Comment deleted by author
          1. teaearlgraycold
            (edited)
            Then I'm sorry for the attitude in my response.

            It's best to click through to a link in a comment before making a contradictory response. Arguments won't make this site any better. Needless ones even less so.

            Edit: To the unnamed commenter above - cleaning up the thread by deleting your comments is alright. But I also don't think there's as much risk here to leaving up a mistaken comment as there would be on most other sites.

            8 votes
      3. [2]
        WarrickSothr
        In this case I think a Virtual Private Network (VPN) is also the correct solution for a sysadmin concerned about opening even proxied traffic to the Internet. Not all VPN technologies are about egress traffic and while Tailscale can be configured with exit nodes, its default configuration is a secure network between your computers running the tailscale client anywhere you have internet access through some fairly ingenious NAT busting tooling.

        To answer your question about what it gives that the other software the OP has mentioned does not: it would allow OP to not proxy traffic or open ports. Using their magic DNS you'd access computers by their name on the tailnet and all the traffic would be routed over the virtual private network encrypted instead of directly over the Wide Area Network (WAN).

        However, as someone who uses tailscale in this fashion I’d like to warn OP that adding a VPN to your setup comes with configuration concerns and some additional management.

        I personally use a bit of a hybrid approach with a small VM in a cloud provider acting as my web proxy for services that are better completely exposed to the internet. Routing traffic back to my computers hosting software at home or in other cloud providers over the tailscale VPN. With this setup my private networking between home and the proxy is self healing with NAT busting and my traffic between the proxy and downstream servers is encrypted. As a benefit I can SSH directly to each machine in the tailnet and use tailscale to authenticate that connection instead of having to keep my selection of private keys on each device or clutter my authorized keys with dozens of rarely used keys (https://tailscale.com/tailscale-ssh/).

        1 vote
        1. underdog
          Link Parent
          adding a VPN to your setup comes with configuration concerns and some additional management.

          Have you had the chance to play around with this, would you know how complicated it is? One thing holding me back on tailscale is because I have a "traditional" VPN service (mullvad) connected 24/7 on my home server. Back then when I researched tailscale there wasn't an easy way to have both services on without some heavy tinkering.

  2. [2]
    arch
    You really can't get more safe than using a WireGuard or OpenVPN connecting and tunneling into your home network from that. You'll only have a single point of exposure to the internet that way, literally only one way for attackers to get in. It really would simplify your security.

    That said, I've been running a private server on a home network connection with a bunch of services exposed to the internet for at least 10 years now with no problem. But even writing this made me think I should probably just shut it all behind my WireGuard VPN connection that I use 90% of the time.

    5 votes
    1. Father_Redbeard
      I guess that is my main thing at least with Seafile. If the data is encrypted and behind a complex password and 2FA authentication, what use would that data be to any snoopers? But maybe I'm not thinking big picture enough. From my understanding the metadata is not encrypted so file size, names, and some other stats could be seen, but not the contents.

      2 votes
  3. [2]
    unkz
    Do you have experience running a Linux server? Are you following any kind of protocol to ensure that your patches are up to date? Something you really shouldn’t do is put a server online with access to the internet and just leave it alone.

    Personally, for something like this, I might not use cloudflare but rather connect directly and use either a port knocking protocol to open the firewall or VPN, but it depends on how much inconvenience you are willing to accept.

    4 votes
    1. Father_Redbeard
      Since you and @Octofox asked a similar question...
      as far as updates and patches are concerned, unraid has notifications built in for both the OS itself, any installed plugins, and any docker containers installed. I am emailed when there are updates to any of those items and generally will immediately fire off the update. With the exception of the OS updates because I need to stop all dockers, spin down the drives, then apply the update. Otherwise it might have an unclean shutdown and trigger a parity check which takes about 15 hrs on the 14TB parity drive I have.

      I am still learning, so ignore any subtext or pretense of the above paragraph that might make you think I'm super confident. It's why I ask. I wanted outside perspective so thank you for the input. All valid concerns.

      Part of the reason for wanting to have it open to a user outside of my network is to let my family use it as part of their 3-2-1 backup strategy to meet the offsite criteria. Unless there's a way to let them VPN to just that container to move data around on their account, I may have to just stand it up long enough for them to authenticate with Seafile, load their data, then shut down outside access. I certainly wouldn't want them using or accessing any of my other containers though.

      2 votes
  4. [2]
    smores
    Just to perhaps put a finer point on this:

    The attack vector that would be most concerning for a system like this (and to be clear, this is coming from someone who hosts several Internet-accessible web services on his homelab) would be that Seafile contains a vulnerability that allows an attacker to gain some amount of access to your home network. An example might be some specific unprotected API endpoint that allows a user to run some arbitrary code, or something similar. This would be quite scary, and is not something to take lightly, and this is why a lot of the responses are about system administration generally, rather than about the risk of someone getting access to your Seafile account, specifically.

    Running services in containers gives you some amount of... containment if such a vulnerability is exploited, but I think (from a brief skim of the repo) that the Seafile container runs as root by default, and Unraid defaults to running containers on the "bridge" network, which makes it challenging to wall off containers from the rest of the devices on your network. This is all to say: what you've got is considerably safer than running Seafile as the root user on your personal desktop, but some combination of unknown vulnerabilities could still conceivably cause considerable damage.

    Especially if this service is meant to only be used by you/members of your household, I agree with other folks suggesting you set up a VPN. Unraid has a nice little UI for Wireguard built in. There's a nice guide on setting it up on the forum: https://forums.unraid.net/topic/84226-wireguard-quickstart/. You can get a Wireguard client on your phone or laptop, and even configure it to automatically connect to your VPN whenever you're off of your home network. There are other advantages to this setup, too: I have Adguard Home (backed by an Unbound server) set as my network's DNS server, so I get DNS-level ad blocking on my phone and laptop even when I'm not home!

    4 votes
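    The two requirements raised in this thread (the owner reaching the whole LAN over WireGuard, and a family member reaching only the Seafile share, as Father_Redbeard asked above) can both be expressed in one wg-quick style setup. The configuration below is an added illustration written for this thread; it is neither Unraid's generated config nor anything from the commenters. Every address, the interface name eth0, the Seafile host 192.168.1.10 and port 8000, the hostname vpn.example.net, and the <...> key placeholders are assumptions; it also assumes Seafile has its own LAN address separate from the WireGuard server and that net.ipv4.ip_forward is enabled.

    ```ini
    # ---- Home server: /etc/wireguard/wg0.conf (all values hypothetical) ----
    # Generate keys with: wg genkey | tee private.key | wg pubkey > public.key
    [Interface]
    Address = 10.13.13.1/24
    ListenPort = 51820
    PrivateKey = <SERVER_PRIVATE_KEY>
    # Forwarding policy for tunnel clients: the owner (10.13.13.2) may reach
    # the whole LAN; the family peer (10.13.13.3) may reach only the Seafile
    # host on TCP 8000; anything else arriving from wg0 is dropped. Replies
    # to already-allowed flows are accepted on the way back in.
    PostUp = iptables -A FORWARD -i wg0 -s 10.13.13.2 -d 192.168.1.0/24 -j ACCEPT
    PostUp = iptables -A FORWARD -i wg0 -s 10.13.13.3 -d 192.168.1.10 -p tcp --dport 8000 -j ACCEPT
    PostUp = iptables -A FORWARD -i wg0 -j DROP
    PostUp = iptables -A FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    PostUp = iptables -t nat -A POSTROUTING -s 10.13.13.0/24 -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -s 10.13.13.2 -d 192.168.1.0/24 -j ACCEPT
    PostDown = iptables -D FORWARD -i wg0 -s 10.13.13.3 -d 192.168.1.10 -p tcp --dport 8000 -j ACCEPT
    PostDown = iptables -D FORWARD -i wg0 -j DROP
    PostDown = iptables -D FORWARD -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    PostDown = iptables -t nat -D POSTROUTING -s 10.13.13.0/24 -o eth0 -j MASQUERADE

    # Owner's phone/laptop: only its tunnel address is accepted from this key
    [Peer]
    PublicKey = <OWNER_PUBLIC_KEY>
    AllowedIPs = 10.13.13.2/32

    # Family member: same cryptokey routing; the FORWARD rules above are what
    # actually confine this peer to the Seafile host and port
    [Peer]
    PublicKey = <FAMILY_PUBLIC_KEY>
    AllowedIPs = 10.13.13.3/32

    # ---- Owner's client config (split tunnel: only home subnets use the VPN) ----
    [Interface]
    Address = 10.13.13.2/32
    PrivateKey = <OWNER_PRIVATE_KEY>
    # Optional: resolve through the home DNS server (e.g. an ad-blocking resolver)
    DNS = 192.168.1.1

    [Peer]
    PublicKey = <SERVER_PUBLIC_KEY>
    Endpoint = vpn.example.net:51820
    AllowedIPs = 192.168.1.0/24, 10.13.13.0/24
    PersistentKeepalive = 25

    # ---- Family member's client config: routes only the Seafile host ----
    [Interface]
    Address = 10.13.13.3/32
    PrivateKey = <FAMILY_PRIVATE_KEY>

    [Peer]
    PublicKey = <SERVER_PUBLIC_KEY>
    Endpoint = vpn.example.net:51820
    AllowedIPs = 192.168.1.10/32
    PersistentKeepalive = 25
    ```

    Two things worth checking before relying on this. First, the client-side AllowedIPs only decides what the client routes into the tunnel; the server-side iptables rules are the enforcement, so verify them with `iptables -S FORWARD` after the interface comes up, keeping in mind that Docker also manages the FORWARD chain on a container host. If Seafile instead runs as a bridge-mode container on the same box, its published port is DNATed before the FORWARD chain sees the packet, so the family rule would need to match on the container address or on `-m conntrack --ctorigdst 192.168.1.10 --ctorigdstport 8000` rather than on the host address. Second, Cloudflare's proxy carries HTTP(S) only, so the DNS record used as the Endpoint must be a plain (unproxied) record pointing at the home IP, with the router forwarding just UDP 51820; that single UDP port then becomes the only inbound exposure, which is the "one way in" the thread recommends.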
    1. Father_Redbeard
      You know I remember reading about it running as root and must've not clicked until you mentioned it here. So thank you for that. I have seen the wireguard integration in unRAID so I'll give it a closer look. Better safe than sorry, for sure.

      1 vote
  5. Octofox
    If a new exploit was found and published for any of the software you use, how long do you think it would take for you to find out and patch your system? To be safe you'd at worst want to have your system patched immediately, at best you'd want to be part of internal communications that tip you off before the issue is published.

    How familiar are you with each part of the system? How well do you understand the details of docker, linux, sea file, etc? What is your monitoring system? How would you be alerted if something abnormal was happening indicating an attack in progress?

    This and a lot more would be the bare minimum to be considered somewhat safe. IMO it's just not worth self hosting if you care about security and the data being stored. Better to just encrypt and dump on a commercial cloud storage.

    3 votes
  6. [2]
    tmax
    I also recommend Wireguard, really easy to set up and it works like a charm.

    1. Father_Redbeard
      Thanks! I set it up last night so I'll give it a shot and see if it does what I want it to.

      1 vote
  7. [2]
    FeminalPanda
    With everything people said, is it really bad to not be behind a VPN? I have 443 open then a reverse proxy.

    1. tmax
      If you are opening ports it does put you more at risk than having none open. You must keep in mind that you are only in danger if an attack can exploit the service that is using that port.
      To conclude, I recommend a VPN such as wireguard. It is not hard to set up and secure.

      1 vote