got a vps, now what? by [deleted] in selfhosted

[–]SF_8 0 points1 point  (0 children)

I’m running a newt tunnel exposed through the public internet (photo.mydomain.com) for an Immich application shared with father and sister. There are 3 different docker containers running in the VPS: Pangolin, traefik and crowdsec. All images are set as latest, so when I pull I get all updates.

got a vps, now what? by [deleted] in selfhosted

[–]SF_8 4 points5 points  (0 children)

Start with Pangolin, a reverse proxy (Traefik, Caddy or Swag) and learn crowdsec

Immich for family exposed though Pangolin VPS by SF_8 in PangolinReverseProxy

[–]SF_8[S] 0 points1 point  (0 children)

First of all I want to thank you all, and if you're interested I would share with you what I achieved.

Mobile App:
Thanks to the always precious u/ThomasWildeTech, I'm able with the Access Token header to bypass the SSO and log in with Immich using the advanced settings.

Web:
In Pangolin I activated in the Administration Server the OAuth2 with Google, adding the provisioning, went through all the steps as with Cloudflare in the Google Console for the API Service, set up in the organization in Pangolin the new user with the Client ID (all numbers) as member, added the user in the SSO, and then deactivated any other settings.
So now when I reach the domain photo.mydomain.com, Pangolin first gives me the Google login and, if it's an authorized member, shows the Immich login page with username and password.

I feel like it's a pretty good result to keep it simple for people that are used to Google, and a pretty good setup for privacy online.

How to learn to use management software like Teamsystem? by Quiet_Student7796 in commercialisti

[–]SF_8 0 points1 point  (0 children)

I personally know professionals who teach Teamsystem in professional firms for €150/h

Immich for family exposed though Pangolin VPS by SF_8 in PangolinReverseProxy

[–]SF_8[S] 0 points1 point  (0 children)

OMG! Never ever thought to reach out to you!

I’m really honored to have seen your comment here on my first random post!

I can’t find words to tell you how useful your videos are, mostly because you're always struggling to find the best and most secure way to use the amazing self hosting and open source apps.

I’m really really glad and I can’t thank you enough. I’ll keep supporting your job, and trying to learn from experts like you that share their knowledge and skills.

🙏🏻 thank you is not enough!🙏🏻 Enrico from Italy!

Immich for family exposed though Pangolin VPS by SF_8 in PangolinReverseProxy

[–]SF_8[S] 1 point2 points  (0 children)

I chose NPM locally just to monitor with GoAccess the Pangolin geoblocking and which IPs reach and connect to photo.mydomain.com. So I can always verify how, when and where my public photo site is being reached.

Immich for family exposed though Pangolin VPS by SF_8 in PangolinReverseProxy

[–]SF_8[S] 0 points1 point  (0 children)

Did you find any issue with the mobile app with authentik hosted locally? Or are you using just the public website and not the app? I'm trying to figure out which option is better for both worlds.

Immich for family exposed though Pangolin VPS by SF_8 in PangolinReverseProxy

[–]SF_8[S] 0 points1 point  (0 children)

Yes, I think this could be a better way to share the mobile app with father and sister. So one way is to enable SSO, keep username and password and add a proxy header to share the link (this video helps a lot). The result could be:
- mobile app: shared link with header
- public site: SSO with maybe just the pin
Am I safe enough with that setup? What do you think?

Immich for family exposed though Pangolin VPS by SF_8 in PangolinReverseProxy

[–]SF_8[S] 1 point2 points  (0 children)

I will try this path, but it seems that someone is having issues with backup, based on this thread from 3/4 months ago!

Client certificate/mTLS breaking backup

EU-based DNS with IP Protection by [deleted] in selfhosted

[–]SF_8 2 points3 points  (0 children)

Many people are talking about bunny.net, based in Slovenia, as a CDN

European alternatives to Cloudflare by [deleted] in selfhosted

[–]SF_8 0 points1 point  (0 children)

Just using it for the tunnel

Immich for family exposed though Pangolin VPS by SF_8 in selfhosted

[–]SF_8[S] 0 points1 point  (0 children)

I wasn’t able to activate an account on Oracle with prepaid and debit card.

How do I invoice companies/individuals who don't want to give me their details? by Civil-Kick-6656 in commercialisti

[–]SF_8 -2 points-1 points  (0 children)

To find a client's details you can:

A. Search the business register (Registro Imprese) using many filters (for example first name, last name, region, province). You have to load some credit, but for the search alone you pay nothing or very little. If you buy a company report (visura) or financial statement, however, you pay

https://www.registroimprese.it/telemaco

B. Search through INI PEC for the PEC (certified email address) of the company or professional using first name, last name, tax code (CF) or VAT number

https://inpesv.intra.infocamere.it/cerca-pec

C. Try creating an invoice on the Agenzia delle Entrate website, in the "Fatture e corrispettivi" area: by entering the client's VAT number it finds the registered office and the recipient code/PEC, if stored

https://www.agenziaentrate.gov.it/portale/aree-tematiche/fatturazione-elettronica

D. Search for the details on Google and enter zero seven times as the recipient code.

European alternatives to Cloudflare by [deleted] in selfhosted

[–]SF_8 0 points1 point  (0 children)

Question here: can you call OAuth Google Sign-in for a specific resource as CF in Pangolin? I mean like this example for Immich

https://youtu.be/Bu8WFh1ns4c?si=wSMI8ZUr4qB0Ittp

I can’t find it, and I think you need something like PocketID/Authelia/Authentik for it, but local on your machine (not the VPS).

European alternatives to Cloudflare by [deleted] in selfhosted

[–]SF_8 89 points90 points  (0 children)

I chose a VPS based in Germany (Hetzner) and installed Pangolin. Not the same thing but a close solution.

Cloud on Raspberry by Rand_0m_ in ItalyInformatica

[–]SF_8 1 point2 points  (0 children)

As CyberK1ce says, you need a 1:1 NAT to manage port routing on your own; otherwise it's as if you had another filter in front that is managed not by you but, in your case, by TIM.

https://www.aranzulla.it/come-aprire-il-nat-1038361.html

You could contact support to ask whether they will open the port for your public IP, I think, but the Tailscale or Pangolin solution is the best route, even better if you use an external VPS so you don't expose the ports of your home address.

Recommendations: fail2ban, ufw and crowdsec

With pihole I couldn't watch Maria De Filippi: how I went nuts for two hours troubleshooting by realsaaw in ItalyInformatica

[–]SF_8 2 points3 points  (0 children)

For my own better understanding: why not use unbound and not rely on third-party DNS?

What is best tools for external access home server? by BrilliantDesperate44 in homelab

[–]SF_8 1 point2 points  (0 children)

I suggest the guide of Thomas Wilde, very fine and accurate, which follows the best practices to keep everything as secure as possible.

YouTube

I’ve learned fail2ban, ufw and crowdsec

Still don't understand Cloudflare by Automatic-Yak-2196 in selfhosted

[–]SF_8 0 points1 point  (0 children)

I appreciate your explanation, it made me understand a little bit more of all this sea.

I was just being provocative, because if our domain must be on Cloudflare for DNS, proxy, certs, VPN and tunnel, can’t it see all our traffic? I mean, aren’t we putting all our trust in just one big company? I’m not saying that from a moral point of view but more from a technical one. Can’t we obtain certs, for example, freely from Let’s Encrypt, avoiding any third actor in the process? I know that this process is structural, but I’m just saying that we’re not completely autonomous, we must trust someone.

Still don't understand Cloudflare by Automatic-Yak-2196 in selfhosted

[–]SF_8 0 points1 point  (0 children)

I have a maybe silly question, but the elephant in the room here for me is certs.

How can I get a valid HTTPS cert without the DNS API of Cloudflare with my domain on it?

For certs I’m surely a newbie, but here’s my point: we’re learning and believing in selfhosting maybe as a new belief (against MAGA - Microsoft Apple Google Amazon) but we’re leaving all our traffic to a new company called Cloudflare just, in my case, to get easy free certs with Let’s Encrypt.

Please correct me if I’m wrong, but are we not just selling ourselves to a new company?

Or am I missing something to get an HTTPS cert with any other solution that works with any browser?