I’m planning on porting my Wordpress site to this. I haven’t used it yet but based on what I’ve read it will be easier than Hugo.

Typically the ones advertised as “tested” or “working” have only had the player tested. Not the record functionality.

My MD players still play but no longer record. I can’t find anyone in my country to repair / replace the record head.

Thank you again for the response. The summary is very helpful too.

It looks like I don’t need the reverse proxy, since the sensitive services* support authentication and HTTPS.

I would need the lighttpd service to be available over unsecured HTTP too, but if that’s not possible I could always use a different subdomain.

• A small music and film library

That is such a clear explanation and makes a lot of sense, thank you again.

Since the services I’m interested in serving are authenticated then it sounds like HTTPS is what I need (which is what originally made the most sense to me). That’s a relief. I just need to figure out how to have separate HTTP and HTTPS services hosted from the one ARM service.

Thanks! Is the point of reverse-proxying your public-facing services to make them private?

I have a general idea. I appreciate the info :). I’ve made a point of having nothing sensitive in the contents or the requests (I don’t have any forms, for example. It’s all static pages).

Thank you for the very informative reply.

The HTTP and Gemini services are for vintage clients, but I would like the reverse proxy to keep my media collection private (and maybe SSH and SMB too). So I’m serving to modern clients in the case of reverse proxy. I was told that port forwarding is no longer considered secure enough and that if my media gets publicly exposed I could be liable for damages to license holders.

Linux running HTTP and Gemini servers. This is fine from home using port forwarding and afraid.org’s dynamic DNS.

They’re lightweight sites that exist to be accessed by vintage computers which aren’t powerful enough to run SSL.

That’s reassuring. Thanks, I was struggling with the concept and where to start but I should be fine now since I’m handy enough with a terminal.

Wonderful. Thank you!

Thanks, that’s a great explanation. I’m looking forward to being able to SSH in without port forwarding.

So those ports that I don’t put in the config remain publicly accessible? That would be perfect.

Thanks. You’re right about Navidrome supporting authentication. I’m using HTTP instead of HTTPS, though. I was advised to use a reverse proxy to avoid potential legal issues.

The standard is that everything gets captured by the proxy? I want to leave the HTTP and Gemini servers public. I also want those and SMB to remain accessible on the LAN.

Thank you so much. That clears up all my doubts. I’m running an ARM server ok the lan with port forwarding for HTTP (80) Gemini (1965) and SMB (not forwarded).

I made a typo in my original question: I was afraid of taking the services offline, not online.

That sounds promising, thanks! You say LAN, but I can share this with people over the internet too, right?

I don’t know what kind of authentication it uses, but it dots appear to be susceptible to brute force https://github.com/navidrome/navidrome/issues/242

But if I add a reverse proxy I would need it to just affect that one service/port. I’m running a publicly facing static (amateur/hobby) website - and other services - from there too and I’d prefer it to remain public.

Thanks again! Do I understand right that once I:

1. Run tail scale on each machine
2. Register those with my account

The machines will be able to see each other, but the machines can not be seen outside of the network of those machines?

Also, my Raspberry Pi is hosting some other publicly exposed services that need to remain that way. Will tail scale take over those too?

I found a nice overview video here for anyone who might want it: https://invidious.nerdvpn.de/watch?v=Kzyolu9yn0E