What is the best practice on exposing apps to internet?

Hello

I'm looking for some tips, examples or best practices on how to expose different services to family members/internet…
I plan to provide an alternative where family can backup their files to my NAS somehow, along with a couple of other services.

I have a domain I wish to use for the purpose of easy access.

Services I'm planning on hosting:

  • Immich
  • Plex (up and running)
  • rust-desk (Working locally on LAN, have been unable to get it working over WAN/Internet)
  • NextCloud (having issues installing, will wait for TrueNAS 25.x before retrying)
  • FileBrowser? Might be that NextCloud is enough, will see…

Might be other things as time goes, or if any other better apps are suggested here :slight_smile:

So, how would/should this be exposed most safely and practically?
I have been looking at a couple of videos on Nginx Proxy Manager, is that the “smartest” way to go?
At the moment I'm just using port forwarding on the router.

I'm new to proxy/reverse proxy stuff, so that’s something I would need to learn…

Router: Unifi UDM Pro
DNS: PiHole on a separate host from TrueNAS (planning on trying hosting it on TrueNAS when 25.x is in stable release)
TrueNAS Scale 24.10.2

How many family members? Because if the number isn’t large, the easiest and safest way would be to use Tailscale. In that case, only those individuals you give access would have access; the rest of the Internet would be completely blocked from reaching (and thus potentially exploiting vulnerabilities in) any of those apps. No ports to forward or open to the Internet.

OTOH, if you want or need public access to any or all of these, then yes, you’ll need to set up a reverse proxy. You’ll also need a domain (they start around $10/yr) and either a static IP address or some kind of dynamic DNS service, and you’d need ports 80 and 443 open (ISPs often block them, especially port 80). In general terms, you’d then forward ports 80 and 443 to your reverse proxy, and configure it to handle TLS termination and to forward requests to the various apps based on their hostnames (so nextcloud.yourdomain goes to Nextcloud, immich.yourdomain goes to Immich, etc.).

If you want an app you can point and click to install for the reverse proxy, that would need to be Nginx Proxy Manager. I prefer Traefik, but that’s going to take some CLI setup. Caddy is another good one. Neither of them has a web-based interface to configure it, but both are more flexible, powerful, and reliable in my experience than is NPM.

1 Like
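
The hostname-based routing with TLS termination described in the reply above, sketched as a Caddyfile (an added example, not part of any post in this thread). The domain `example.com`, the LAN address `192.168.1.10`, the backend ports and the snippet name `common_headers` are placeholders; with ports 80 and 443 forwarded to it, Caddy obtains certificates for the listed hostnames and redirects HTTP to HTTPS on its own.

```caddyfile
# Constructed example: domain, LAN address and backend ports are placeholders.
{
	# Contact address for the ACME (certificate) account (placeholder)
	email admin@example.com
}

# Reusable snippet: response headers applied to every site that imports it
(common_headers) {
	header {
		Strict-Transport-Security "max-age=31536000"
		X-Content-Type-Options "nosniff"
		-Server
	}
}

# One site block per hostname; TLS ends at the proxy and the request
# is passed to the app over the LAN.
immich.example.com {
	import common_headers
	reverse_proxy 192.168.1.10:2283
}

nextcloud.example.com {
	import common_headers
	reverse_proxy 192.168.1.10:8080
}
```

Only the apps given a site block are proxied; anything without one (the NAS admin UI, for instance) stays off the public hostnames as long as the router forwards nothing except 80 and 443 to the proxy.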

Would probably only be 2-4 people using it.

It's not that I “need” it to be public, it's just the way I'm used to doing it now with port forwarding.
Will take a look at what Tailscale is, and see if I understand what it is :slight_smile:

A couple of resources:

Thanks :+1:

Hey! This is a family place. No exposing here :clown_face:

1 Like