Hey all, I’m relatively new to the selfhosting game the most I’ve done to date is own and maintain a plex server for the last few years, but that mainly handles all of the networking for me so I’d say it doesn’t really count.

Recently, due in part to the ongoing controversy with audibles royalty and streaming model I’ve decided to try my hand at setting up an Audiobookshelf server of my own. For reference I’m running on a machine with Ubuntu 20.04. Ive managed to get Audiobookshelf and nginx running through docker and accessible via the localhost:port, but now I feel like I’m missing some key understandings.

I assume I need to have a domain name through a DNS service like cloudflare in order to make use of it, but I’m not sure what to do after that and the documentation that I have read doesn’t outright answer my questions.

Once I have my DNS setup, how do I associate it with my server or point it through the nginx reverse proxy?

I know I’ll have to setup a .conf file for nginx at some point and I found the example .conf in the audiobookshelf documentation, but I just feel like I’m missing the step between getting a domain name and establishing the reverse proxy.

Any help would be greatly appreciated, thanks!

  • mic_check_one_two@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    1 month ago

    I assume I need to have a domain name through a DNS service like cloudflare in order to make use of it

    Yes, you’re correct here.

    Once I have my DNS setup, how do I associate it with my server or point it through the nginx reverse proxy?

    You begin by forwarding ports 80 and 443 to your Nginx proxy server’s external ports. These are the standard ports for http and https requests, respectively. So your Nginx will immediately be able to tell if a request is http or https based on which port it is coming in on.

    Next, you would set an A name record on your domain manager. This A name record will point a subdomain to a specific IPv4 address. So for instance, maybe the name is “abs” and the IP is your home WAN IP. So whenever an http or https request comes in on “abs.{your domain}” it will get redirected to your WAN IP. If you wanted to use IPv6, that would be an AAAA name record instead… But if this is your first foray into self-hosting, you probably don’t want to use IPv6.

    On Nginx’s side, it receives all of those incoming http and https requests because the ports are forwarded to it. You configure it to take requests for those subdomains, and route them to your various devices accordingly. You’ll also need to do some config for SSL certificates, which will allow https requests to resolve successfully. You can either use a single certificate for the entire site, or an individual certificate for each subdomain. Neither is “more” correct for your needs, (though I’m sure people will argue about that in responses to this).

    So for instance, you send a request to https://abs/%7Byour domain}. The domain manager forwards this to your WAN IP on port 443. Nginx receives this request, resolves the SSL certificate, and forwards the request to the device running abs. So your ABS instance isn’t directly accessible from the net, and needs to bounce off of Nginx with a valid https request in order to be accessible.

    You’ll want to run something like Fail2Ban or Crowdsec to try and prevent intrusion. Fail2Ban listens to your various services’ log files, and IP-bans repeated login failures. This is to help avoid bots that find common services (like ABS) and try to brute-force them by spamming common passwords. You can configure it to do timeouts with increasing periods. So maybe the first ban is only 5 minutes, then 10, then 20, etc…

    Lastly, you would probably want to run something like Cloudflare-DDNS to keep that WAN IP updated. I’m assuming you don’t have a static IP, and you don’t want your connections to break every time your IP address changes. DDNS is a system that routinely checks your WAN IP every few minutes, and pushes an update to your provider if it has changed. So if your IP address changes, you’ll only be down for (at most) 5 minutes. This will require some extra config on your provider’s part, to get an API key and to configure the DDNS service to point at your various A name records.

    If you need any help setting the individual services up, let me know. I personally suggest docker-compose for setting up the entire thing (Nginx, DDNS, and Fail2Ban) as a single stack, but that’s purely because it’s what I know and it makes updates easy. But this comment is already long enough, and each individual module could be just as long.

    • TheBlindPew@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 month ago

      Thank you so much this is very helpful, I’ll definitely be taking a run at it with all of this advice in mind this week. When you mention running the whole thing as a single stack does that mean getting all of it running inside a single docker container such that it only takes the 1 docker run command? Is it a requirement to get them able to talk or just a more elegant way to have the entirety of the server running in a singular container instead of spread across several?

      • mic_check_one_two@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 month ago

        A stack is a group of containers that were all started together via a docker-compose.yml file. You can name the stack and have all of the containers dropped down below it. Compose is simply a straightforward way to ensure your containers all boot with the same parameters each time.

        Instead of needing to remember all of the various arguments for each container, you simply note them in the compose file and run that. Docker Compose reads the file and runs the containers with the various arguments.

        Moving from docker to docker-compose is the single largest ease-of-use change I made in my setup. If you want some help in how to use it, I can post a quick example and some instructions on setting it up. You would use cd [directory with your docker-compose.yml] to select the proper directory, then docker-compose up -d to run the compose file.

        Updating would be docker-compose down to stop the stack, docker-compose pull to pull updated images, docker-compose up -d to start your stack again, then docker image prune -f to delete the old (now outdated and unused) images.

    • Lyra_Lycan@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 month ago

      I have a router given to me by my ISP, which incidentally has less features than their older model, so I was wondering, if you know: Would some ‘aftermarket’ gateways also be a DNS server? Sometimes it’d be great to have the resolution handled completely by the gateway instead of a separate machine - especially as some of my services just don’t seem to declare their names. And my stock router has a terrible downside - no NAT loopback. And - the reason I’m in this pickle - they’ve removed custom DNS settings.

      • mic_check_one_two@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 month ago

        That’s called split DNS. You can probably use that term to figure out if a particular router supports it. Basically, you would tell the router “if a DNS request for a specific URL is coming from a local IP, use a different (usually local) DNS table”. So like you can tell it “if a device asks for this URL, route it to this local IP instead.” So the DNS request never actually leaves your network.

        It can be handy for cases where you don’t always want to be reliant on an external DNS server. For instance, if your internet is spotty. You don’t want your Jellyfin to stop working just because your internet went out; Everything is local, so it should be able to connect. But if you’re only using an external DNS provider, it won’t be able to connect without internet. So split DNS will allow you to connect to local services even when your internet is out.

        The big downside to split DNS is that you often run into DNSSEC (DNS over https) warnings. Since the URL was intercepted before it actually reached an external DNS server, the traffic isn’t taking the path that the service “expected” it to take. So it may throw some warnings, or refuse to connect because it thinks your traffic is being intercepted, (because… Well… It is being intercepted… By you.)

        • Lyra_Lycan@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 month ago

          Thank you! Definitely looking into that. That’s another thing I’ve never understood, why I lose connection to a local service when the broadband cuts out.

          If I get a router with split DNS, and not need an Internet connection… That would be huge.

          So that’s DNSSEC… I do have to occasionally let my browser know it’s okay aha, but that’s how Google (I used to use Chrome) added my old admin password to a list of breached passwords…

  • Lyra_Lycan@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    1 month ago

    On your DNS provider, the domain name must point to the public IP of your router. All devices connected to your network use the same public IP.

    On the router, ports 80 and 443 must be forwarded to the (local IP of) the machine running Nginx.

    Nginx must have the domain name point to the local IP of the machine running ABS.

    Are you using Nginx or Nginx Proxy Manager?

    Edit: If Nginx, as they’re on the same docker setup, instead of the Nginx config pointing to ABS’ local IP you can use 172.17.0.1 (iirc) and the port you used, or the container_name from compose.yaml, e.g. audiobookshelf:3748

    I use NginX Proxy Manager so my methods may differ slightly.

    Note about domains: It’s always good to buy one.

    RIP DuckDNS… it used to be a fairly reliable Dynamic DNS (DDNS) and it cost nothing to make an account and five domains… However, apparently, it was shut down without notice under a month ago.

  • mountaincalledmonkey@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 month ago

    Not familiar with cloudflare. But generally speaking, purchase and register a domain and point the DNS to cloudflare. Configure the A record of your domain to your home’s public IP address. In your firewall you want to set up a translation rule to send any traffic on a port you assign externally to whatever IP and port your nginx server is internally.

    You can also consider not exposing any of your services publicly - keeping your home server more secure. Instead set up a wireguard (or other) VPN, expose just that and point your domain or subdomain to it. Then, while you’re away, connect to your VPN and have your audiobookshelf client on your phone connect to you lan IP address /port.

    • TheBlindPew@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      I had considered the VPN route, but i think its enough of a technical hurdle for other people that it would stop my parents and friends from being able/willing to get onto the audiobookshelf server

  • pfr@piefed.social
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 month ago

    I’ll suggest you look into tailscale. It makes the process a whole lot easier

  • thenose@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 month ago

    I think you only nginx and dns sorted if you want to go public and or super secure. I acces my servers via their tailscale host name. That includes ios linux android clients. If you don’t know what tailscale is in a few words the easiest way to access your services/servers.

    • TheBlindPew@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      I had considered not using nginx for precisely those reasons, but like the plex server i want to make it available to my family and friends and so the nginx reverse proxy build seemed to be the most widely applicable and still secure option so I only need to tell them to download audiobookshelf and point it at the correct domain name.

      • thenose@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 month ago

        I seee. That’s a 100% valid reason. Im nerd(or naive) enough to grab their phones tabs etc and just add them to my tailnet and it works pretty well however I’m not sure if I cloud explain some non tech the not so technical tailscale setup either. So yeah I hear you but too noob to help lmfao

        • Lyra_Lycan@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          1 month ago

          Currently I only have my fiancée on board, but the moment something requires more than setting a custom login domain and user+pass, her patience dwindles. She’s a good baseline for me to know that most people won’t be happy with a manual cryptographic handshake between contacts (Matrix/XMPP) or fucking with IP:port settings. I dont like to damage someone’s feeling of independence but sometimes these things need someone who can blitz through the settings themselves, especially if you have to troubleshoot why it didn’t just work.

  • communism@lemmy.ml
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    1 month ago

    You get a domain name, and use an A record to point it towards your server’s public IP address.

    You tell nginx to forward requests to a given domain. For instance, you could tell nginx to forward requests to foo.bar.com to 127.0.0.1:1337. To do this:

    http {
        server {
            server_name foo.bar.com;
            listen 80;
            
            location / {
                proxy_pass http://127.0.0.1:1337$request_uri;
            }
        }
    }
    

    Note that this is a very basic setup that doesn’t have HTTPS or anything. If you want an SSL certificate, look into Let’s Encrypt and Certbot.

    Also, the service you’re hosting (which I’m not familiar with) may have an example reverse proxy config you should use as a starting point if it exists.

    • TheBlindPew@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      Ive got a reverse proxy config that was available in the Audiobookshelf github documentation, I was mainly struggling to understand how to get all of the parts working together. Thanks for the help