+- Jellyfin Forum (https://forum.jellyfin.org)
+-- Forum: Support (https://forum.jellyfin.org/f-support)
+--- Forum: General Questions (https://forum.jellyfin.org/f-general-questions)
+--- Thread: Remote access with Caddy, Duckdns vs Tailscale for security? (/t-remote-access-with-caddy-duckdns-vs-tailscale-for-security)
RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Balinus - 2025-04-08
(2025-04-08, 09:57 AM)InTrusta Wrote: Don't have a solution, just wanted to give an fyi for tailscale. You can only add 3 users to tailscale, but you can add a lot more users through direct access to your NAS/Server. I think its around 100 or so. And it's even better, because normally i don't want my friends to see all my machienes in my taislcale network. I only want to give them access to my NAS.
I had the same problem as you and was about to set up the whole duckydns/reverse proxy setup, but then i read i can just add way more friends directly to the machiene. And i prefer tailscale because it's just super secure.
I initially tried with sharing my jellyfin node but, somehow, my brother wasn't able to connect. It worked as soon as he joined my Tailnet though. Perhaps it was only a mistake on our part. I might retry this approach one day though!
(2025-04-08, 01:20 PM)Duvel Wrote: If you want to use a DNS module you should build your own caddy image that includes the stuff for your specific DNS provider.
All custom images for all supported DNS providers are there : https://github.com/orgs/caddy-dns/repositories?type=all
You can add any other module you'd like to build the image you need
For instance my DNS provider is Infomaniak, and I also use the Crowdsec bouncer module on my Caddy to detect and block known attacks scenarios and offenders IPs, and so I build my caddy image with this docker command :
Code:FROM caddy:builder AS builder
RUN xcaddy build \
--with github.com/caddy-dns/infomaniak \
--with github.com/hslatman/caddy-crowdsec-bouncer/http
FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
But all this will be tedious if you hardly master docker. And you will have to learn the fundamentals.
Once your image done, you should also configure properly the DNS parameters using a tls{} in your Caddyfile, for instance this is mine for infomaniak
Code:*.domain.tld, domain.tld {
crowdsec # this executes the CrowdSec module; if an IP is denied, it won't get access to the reverse proxy
tls {
dns infomaniak my_very_long_api_key_provided_by_infomaniak
propagation_delay 60s
propagation_timeout -1
}
The parameters for your DNS might be different than mine, and you should find how to configure yours by yourself. There's generally some explanations on the readme of each caddy-dns sub-github
Thanks!
Do you "automate" your Caddy build somehow? Or you execute your Docket command once there is a new version? Any benefit to using Docker here? Right now, I mostly run "directly" on the system. It is only hosting Jellyfin and Caddy in the end.
I will add "crowdsec", seems like a nice addition to the Caddy software.
RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Duvel - 2025-04-08
Sorry I assumed you were in docker. If you use a normal apt install I dont really know how modules works.
I rebuild my image manually every month or so
Crowdsec require another component. In caddy there's only the bouncer running, you also need the LAPI component (local API) that has to be run aside it.
https://github.com/crowdsecurity/crowdsec
That's the official image: crowdsecurity/crowdsec:latest
SO basically the bouncers communicate with the LAPI, which communicates with Crowdsec servers, and handle the local database of scenarios, alerts, decisions etc...
That's some config to make all this running... Have fun :-)
RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Balinus - 2025-04-08
Thanks!
No worry, I'll be able to adapt for my case. As far as I understand, this is mostly manual install for updating Caddy with add-on, either in Docker or through xcaddy approach. Thanks for the additional information about crowdsec, I'll take a look!
RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Duvel - 2025-04-08
Crowdesc on the reverse proxy is the ideal last line of strong defense.
I have the first lines on my pfSense router (geoip firewall rules, IP blacklists, Snort) that stops 95% of all bad traffic, but cant stop everything https related. This should be done on the reverse proxy handling the certs.
Results guaranteed if you get it running, especially against malicious bots :-)
RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Balinus - 2025-04-08
Seems like a nice add-on to have indeed. I think I might have succeed in installing everything, but I'll have to read more to be able to run it correctly. I am not sure where I should get the "api_key" or how to let crowdsec to connect to the LAPI server (I get a failed to connect "{"level":"error","ts":1744143712.4026,"logger":"crowdsec","msg":"failed to connect to LAPI, retrying in 10s:"). Probably due to the fact that I haven't entered the api_key in the "crowdsec" section of the Caddyfile.
No worries if you don't have the answers to that, I'll take a deeper look at the end of the week.
RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Balinus - 2025-04-10
So, I have read a little bit on Crowdsec. Very nice indeed, not super user friendly for someone that has limited knowledge about cybersecurity and networking like me. From what I understand:
- Install Crowdsec engine (done)
- Build Caddy with duckdns and crowdsec plug-in (done)
- Install Remediation Components (aka bouncers, blocklist, etc...)
This last point is a little bit obscure for me, there is so much blocklists, etc. The items I think I should install through Crowdsec engine are:
- Caddy collection: https://app.crowdsec.net/hub/author/crowdsecurity/collections/caddy
- Jellyfin collection: https://app.crowdsec.net/hub/author/LePresidente/collections/jellyfin
Once installed, I need to get an api somehow, this part is not very well documented. I tried using the "Service API key" in the settings of Crowdsec, but I'm not sure is this is the good one. Anyhow, I then configured the Caddyfile with:
Code:
# CROWDSEC
{
debug # this is optional; makes Caddy log more details
order crowdsec first # this ensures that the CrowdSec module is executed before any other HTTP handlers
crowdsec {
api_url http://localhost:8080 # the URL where your CrowdSec LAPI can be reached, somewhere on your network/system
api_key SERVICE-KEY-API-FROM-CROWDSEC-CONSOLE-SETTINGS # the secret API key for the bouncer to authenticate against LAPI
}
}
jellyfin-philipperoy.duckdns.org:9000 {
reverse_proxy 127.0.0.1:8096
crowdsec
tls {
dns duckdns DUCKDNS-API
}
}I still do get the error when looking at "systemctl status caddy"
Code:
{"level":"error","ts":1744243579.8556097,"logger":"crowdsec","msg":"failed to connect to LAPI, retrying in 10s:so, that's where I'm at!
So, I have read a little bit on Crowdsec. Very nice indeed, not super user friendly for someone that has limited knowledge about cybersecurity and networking like me. From what I understand:
- Install Crowdsec engine (done)
- Build Caddy with duckdns and crowdsec plug-in (done)
- Install Remediation Components (aka bouncers, blocklist, etc...)
This last point is a little bit obscure for me, there is so much blocklists, etc. The items I think I should install through Crowdsec engine are:
- Caddy collection: https://app.crowdsec.net/hub/author/crowdsecurity/collections/caddy
- Jellyfin collection: https://app.crowdsec.net/hub/author/LePresidente/collections/jellyfin
Once installed, I need to get an api somehow, this part is not very well documented. I tried using the "Service API key" in the settings of Crowdsec, but I'm not sure is this is the good one. Anyhow, I then configured the Caddyfile with:
Code:
# CROWDSEC
{
debug # this is optional; makes Caddy log more details
order crowdsec first # this ensures that the CrowdSec module is executed before any other HTTP handlers
crowdsec {
api_url http://localhost:8080 # the URL where your CrowdSec LAPI can be reached, somewhere on your network/system
api_key SERVICE-KEY-API-FROM-CROWDSEC-CONSOLE-SETTINGS # the secret API key for the bouncer to authenticate against LAPI
}
}
jellyfin-philipperoy.duckdns.org:9000 {
reverse_proxy 127.0.0.1:8096
crowdsec
tls {
dns duckdns DUCKDNS-API
}
}I still do get the error when looking at "systemctl status caddy"
Code:
{"level":"error","ts":1744243579.8556097,"logger":"crowdsec","msg":"failed to connect to LAPI, retrying in 10s:so, that's where I'm at!
RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Duvel - 2025-04-10
This thread is turning into a "how to protect Jellyfin with Crowdsec" :-)
First of all in your config, you need 2 different API keys, because you have 2 components locally:
The LAPI server
The Caddy Bouncer
1. Your LAPI server should be registered with Crowdesc central servers, and you use the API key provided on your crowdsec.org CP
2. Your Caddy Bouncer should be registered with your LAPI server. It looks like you are stuck on that one.
In order to register your bouncer to your LAPI, you need to use the crowdsec CLI using cscli commands ( https://docs.crowdsec.net/docs/cscli/ )
If you have a normal install, you just do:
Code:
sudo cscli <commands>If you have a docker container, then you should do :
Code:
sudo docker exec crowdsec-container cscli <command>Example : list the machines
Code:
tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli machines list
[sudo] password for tom:
-------------------------------------------------------------------------------------------------------------------------------
Name IP Address Last Update Status Version OS Auth Type Last Heartbeat
-------------------------------------------------------------------------------------------------------------------------------
localhost 127.0.0.1 2025-04-10T06:38:05Z ✔️ v1.6.8-f209766e Alpine Linux (docker)/3.21.3 password 39s
-------------------------------------------------------------------------------------------------------------------------------Code:
tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli bouncers list
---------------------------------------------------------------------------------------------------------
Name IP Address Valid Last API pull Type Version Auth Type
---------------------------------------------------------------------------------------------------------
caddy-bouncer@172.21.0.1 172.21.0.1 ✔️ 2025-04-10T06:49:58Z caddy-cs-bouncer v0.8.1 api-key
---------------------------------------------------------------------------------------------------------I believe you are stuck there, and your list is probably empty. You have not added your caddy bouncer, which should have generated an API key for your bouncer to connect to the LAPI.
To register your caddy bouncer, use the <cscli bouncers add caddy-bouncer> command:
Code:
$ sudo docker exec crowdsec cscli bouncers add caddy-bouncer
API key for 'caddy-bouncer':
Q8iKI+FuQc7SGG2vXQWx7WMpxKeGj2UA0Baw5lUf5Zc
Please keep this key since you will not be able to retrieve it!This is the API key that you should specify in your CaddyFile, there:
SERVICE-KEY-API-FROM-CROWDSEC-CONSOLE-SETTINGS
Once Caddyfile is adapted, restart caddy.
And then recheck your bouncers list and status with cscli bouncers list
--> You should now see your caddy-bouncer connected
RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Balinus - 2025-04-10
Wow, THANKS! It worked! I'm very happy with it.
We should sticky your post really, it's mostly "Guide" ready imho.
On my bouncers list, there is another one listed, can't remember if I installed that or not. Is there a way to "test" this bouncer?
Code:
sudo cscli bouncers list
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Name IP Address Valid Last API pull Type Version Auth Type
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
cs-firewall-bouncer-1744226856 127.0.0.1 ✔️ 2025-04-10T12:29:06Z crowdsec-firewall-bouncer v0.0.31-debian-pragmatic-amd64-4b99c161b2c1837d76c5fa89e1df83803dfbcc87 api-key
caddy-bouncer 127.0.0.1 ✔️ 2025-04-10T12:28:32Z caddy-cs-bouncer v0.8.1 api-key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────RE: Remote access with Caddy, Duckdns vs Tailscale for security? - TheDreadPirate - 2025-04-10
If you're a bit of a Crowdsec Guru, feel free to write a guide in the Walkthrough subforum. Does Crowdsec have modules for Nginx and Apache? I currently use fail2ban, but I'm always open to try other apps.
(2025-04-10, 07:14 AM)Duvel Wrote: This thread is turning into a "how to protect Jellyfin with Crowdsec" :-)
First of all in your config, you need 2 different API keys, because you have 2 components locally:
The LAPI server
The Caddy Bouncer
1. Your LAPI server should be registered with Crowdesc central servers, and you use the API key provided on your crowdsec.org CP
2. Your Caddy Bouncer should be registered with your LAPI server. It looks like you are stuck on that one.
In order to register your bouncer to your LAPI, you need to use the crowdsec cscli ( https://docs.crowdsec.net/docs/cscli/ )
If you have a normal install, you just do:
Code:sudo clsci <commands>
If you have a docker container, then you should do :
Code:sudo docker exec crowdsec cscli <command>
Example : list the machines
Next, list the bouncers:Code:tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli machines list
[sudo] password for tom:
-------------------------------------------------------------------------------------------------------------------------------
Name IP Address Last Update Status Version OS Auth Type Last Heartbeat
-------------------------------------------------------------------------------------------------------------------------------
localhost 127.0.0.1 2025-04-10T06:38:05Z ✔️ v1.6.8-f209766e Alpine Linux (docker)/3.21.3 password 39s
-------------------------------------------------------------------------------------------------------------------------------
Code:tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli bouncers list
---------------------------------------------------------------------------------------------------------
Name IP Address Valid Last API pull Type Version Auth Type
---------------------------------------------------------------------------------------------------------
caddy-bouncer@172.21.0.1 172.21.0.1 ✔️ 2025-04-10T06:49:58Z caddy-cs-bouncer v0.8.1 api-key
---------------------------------------------------------------------------------------------------------
I believe you are stuck there, and your list is probably empty. You have not added your caddy bouncer, which should have generated an API key for your bouncer to connect to the LAPI.
To register your caddy bouncer, use the <cscli bouncers add caddy-bouncer> command:
Code:$ sudo docker exec crowdsec cscli bouncers add caddy-bouncer
API key for 'caddy-bouncer':
Q8iKI+FuQc7SGG2vXQWx7WMpxKeGj2UA0Baw5lUf5Zc
Please keep this key since you will not be able to retrieve it!
This is the API key that you should specify in your CaddyFile, there:
SERVICE-KEY-API-FROM-CROWDSEC-CONSOLE-SETTINGS
Once Caddyfile is adapted, restart caddy.
And then recheck your bouncers list and status with cscli bouncers list
--> You should now see your caddy-bouncer connected
RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Duvel - 2025-04-10
(2025-04-10, 12:34 PM)Balinus Wrote: Wow, THANKS! It worked! I'm very happy with it.Looks like the default firewall bouncer of crowdsec : https://github.com/crowdsecurity/cs-firewall-bouncer
We should sticky your post really, it's mostly "Guide" ready imho.
On my bouncers list, there is another one listed, can't remember if I installed that or not. Is there a way to "test" this bouncer?
Code:sudo cscli bouncers list
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Name IP Address Valid Last API pull Type Version Auth Type
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
cs-firewall-bouncer-1744226856 127.0.0.1 ✔️ 2025-04-10T12:29:06Z crowdsec-firewall-bouncer v0.0.31-debian-pragmatic-amd64-4b99c161b2c1837d76c5fa89e1df83803dfbcc87 api-key
caddy-bouncer 127.0.0.1 ✔️ 2025-04-10T12:28:32Z caddy-cs-bouncer v0.8.1 api-key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Unsure if you got it installed by default or if you installed it manually...
So basically that one acts like fail2ban and modifies the iptables of your Linux to block the alerted IPs. That's a nice addition that would prevent an IP blocked to reach the whole Linux server.
This is only a little plus depending on your architecture.
If the only way to reach your webfacing server is through Caddy, then it's mostly useless because the caddy bouncer will block all those IPs.
Now if you have other ports opened, not using http(s), it might become usefull.
For my architecture it is useless, because I have a crowdsec bouncer on my main gate, with is the pfsense router, and both the router bouncer and caddy bouncer are connected to my Crowdsec Lapi. So whenever something is detected on any of my machines running Crowdsec, the LAPI will propagate it to the pfsense bouncer, which will block the IP on its firewall, and will thus prevent access from that IP to my whole network.
On top of this, your LAPI also propagate your detected IPs to the central servers and everyone can benefit it.
That's the beauty of Crowdsec approach: CROWD security.
@TheDreadPirate not considering myself as a guru but I am using Crowdsec for like 2 years on several different machines so I understand how it works.
Yes there's a nginx bouncer. Unsure for Apache
I might do a guide if it becomes necessary
