44
The first publicly open instance
(lemmy.world)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 31 May 2026
44 points (92.3% liked)
Selfhosted
59604 readers
1156 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
What do you want to expose, something static or dynamic?
It would be a service you wrote or some stablish project?
I would recommend running whichever service you want to expose through a reverse proxy, traefik or caddy. That way you have some sort of "chocking point" where you can control what's going and it's already handling some security for you.
The service should be kept updated.
Then you need a ips (intrusion prevention system). Most famous are fail2ban or crowdsec. You feed the ips the service logs and the reverse proxy logs, and ban ips that try to do something strange. I use crowdsec with a bunch of scenarios and their block lists.
At the end you should only have a couple of ports open to the internet. Usually 80 and 443, and whichever port you use for the vpn, i recommend wireguard. So people should only connect to you via 80 or 443 and those ports should be binded to the reverse proxy. Everything else should never be able to enter your network.
If you have all that and keep everything updated the attack surface becomes really small. You'll get spam bots trying to probe for vulnerabilities but if you keep everything updated they won't find anything.
Depending on how many people you want to access your service you could also do some aggressive geoblocking, to reduce the number of bot attacks.
The biggest risk here would be a vulnerability on the reverse proxy or the service you use. Keep an eye out for cve and update things regularly. If a vulnerability allows for remote code execution, then mitigation becomes almost impossible besides a good backup plan. If your vpn fails on you you are also fucked. But wireguard is pretty well secured. Bot scans shouldn't even be able to know you have wg because pings and connections attempts fail silently without proper authentication.
Public server - Pixelfed ;)
I think Pixelfed can sit nicely behind a reverse proxy, to reduce exposure.
I don't know if there are prebuilt scenarios for pixelfed in crowdsec or fail2ban but it shouldn't be so hard to at least write something to prevent bruteforce.