I’ve been researching different ways to expose Docker containers to the internet. I have three services I want to expose: Jellyfin, Omnivore (Read-it-later app), and Overseerr.
I’ve come across lots of suggestions, like using Nginx with Cloudflared, but some people mention that streaming media goes against Cloudflared tunnel TOS, and instead recommend Tailscale, or Traefik, or setting up a WireGuard VPN, or using Nginx with a WireGuard VPN.
The amount of conflicting advice has left me confused. So, what would be the best approach to securely expose these containers?
Yeah it’s wireguard under the hood iirc, so you probably could put in effort in order to achieve roughly what tailscale does, if you have the knowledge and time involved in doing that. I don’t think there’s any secret sauce that would be impossible to someone to DIY.
I don’t blame people for being skeptical, especially those of us in the Linux, FOSS, and self-hosted world. I was skeptical too, because part of the reason I wanted to self-host was to move away from a dependency on companies, and I’m weary of the mere possibility of tailscale’s eventual capitalist enshittification. But after trying it, I have to admit that it’s been a game changer for me.
For me personally, tailscale is just an easy out-of-the-box solution that works well for what I want it to do (give me encrypted access to my server from anywhere in the world). I’m not so good at networking that I could get anywhere near the level of convenience that tailscale affords me, and I have too many other projects that I want to do before reinventing tailscale for myself. So instead I have a small free tailnet with all of my devices (and a couple other users’ devices), and it has totally changed my relationship with self-hosting and my server.
In my view, It’s a pretty good deal, for now at least.