s8n/ARRFLIX
s8n/ARRFLIX
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ARRFLIX/docs/09-wan-exposure.md

257 lines
8.9 KiB
Markdown
Raw Normal View History

Restrict non-admin users + 3 imports landed - EnableUserPreferenceAccess=false on guest + 5 (hides Display, Home, Playback, Subtitles pref pages — owner controls UX centrally). - Wrapper bin/add-jellyfin-user.sh updated to bake this into all future non-admin user creations. - ROADMAP entries (added by sibling import agents): - Imported: The Incredible Hulk (2008), TMDB 1724, 4 images - Imported: Idiocracy (2006), TMDB 7512 (NOT 1542 = Office Space) - Imported: American Dad! (2005) S01-S04, 58 eps, TMDB 1433 - WAN exposure docs added (doc 09, 256 lines): Gandi A record live, no-guest middleware dropped, lockout=5 baked in. Owner still must port-forward 80/443 on home router for actual public access.
2026-05-08 03:18:58 +01:00
# 09 — WAN Exposure (Public Internet)
> **Status:** server-side changes applied 2026-05-08. Owner router-side
> port-forward still **TODO** — until the router rules are added, the
> WAN A record points to a closed port and arrflix.s8n.ru remains LAN-only
> in practice.
This document covers the move from **LAN-only** to **public-internet**
access for `arrflix.s8n.ru`. It records what was changed, what the owner
must still do on their home router, the risks they accept by opening the
service, and the rollback procedure.
---
## 1. What changed server-side (already applied)
### 1.1 Public DNS A record (Gandi LiveDNS)
A record added under `s8n.ru`:
| Field | Value |
|-------|-------|
| Name | `arrflix` |
| Type | `A` |
| Value | `82.31.156.86` (current home WAN IP) |
| TTL | `300` |
Applied via Gandi LiveDNS API:
```bash
curl -X PUT "https://api.gandi.net/v5/livedns/domains/s8n.ru/records/arrflix/A" \
-H "Authorization: Bearer $GANDIV5_PERSONAL_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"rrset_values":["<wan-ip>"],"rrset_ttl":300}'
```
Verified with `dig @1.1.1.1 arrflix.s8n.ru +short``82.31.156.86`.
The Pi-hole local override (`192.168.0.100 arrflix.s8n.ru`) is **kept
in place** so LAN clients bypass NAT hairpin and hit the LAN IP
directly — see `feedback_s8n_hosts_override.md` for why hairpin is
problematic. Public users get the WAN IP via 1.1.1.1 / Gandi.
### 1.2 Traefik middleware change
`/opt/docker/jellyfin/docker-compose.yml`:
```diff
- "traefik.http.routers.jellyfin.middlewares=security-headers@file,no-guest@file"
+ "traefik.http.routers.jellyfin.middlewares=security-headers@file"
```
The `no-guest@file` middleware (which restricted source IPs to
`127.0.0.0/8 + 192.168.0.0/24 + tailnet + 82.22.5.233`) is dropped from
the Jellyfin router. `security-headers@file` is kept.
Container recreated:
```bash
ssh user@192.168.0.100 'cd /opt/docker/jellyfin && docker compose up -d'
```
### 1.3 Brute-force lockout policy
`POST /Users/{id}/Policy` applied with `LoginAttemptsBeforeLockout=5`
on every existing user (`s8n` admin, `guest`, `5`). After 5 failed
login attempts the user is locked out and only an admin can unlock.
The wrapper `bin/add-jellyfin-user.sh` is updated to apply this
automatically to every future user so we never forget it.
---
## 2. What the OWNER must still do (router-side)
The home router controls whether traffic from the public internet
reaches nullstone. Until the owner adds the rules below, the public
DNS record points at a closed port.
### 2.1 Port-forward rules
Two rules needed on the home router admin UI (typically reachable at
`http://192.168.0.1` or similar — varies by ISP-supplied router):
| External port | Protocol | Internal IP | Internal port | Purpose |
|---------------|----------|------------------|---------------|---------|
| 443 | TCP | `192.168.0.100` | 443 | Traefik HTTPS (main entrypoint) |
| 80 | TCP | `192.168.0.100` | 80 | Traefik HTTP (LE redirect to HTTPS) |
Generic steps (the labels vary by router brand):
1. Log into the home router admin UI.
2. Find the section called **Port Forwarding**, **Virtual Servers**,
**NAT**, or **Applications & Gaming**.
3. Add a new rule: external port `443` TCP → internal host
`192.168.0.100` port `443`.
4. Add a second rule: external port `80` TCP → internal host
`192.168.0.100` port `80`.
5. Save / apply.
6. Reboot the router only if the UI doesn't apply rules live.
### 2.2 Do **NOT** forward
- Port `22` (SSH) — never expose. Tailscale or LAN only.
- Any port to anything other than `192.168.0.100`.
### 2.3 Verify from outside the LAN
From a phone on mobile data (or any non-home network):
```bash
curl -I https://arrflix.s8n.ru/health
# expect: HTTP/2 200
```
If you get a connection timeout or refused, the port-forward isn't live.
---
## 3. Risks the owner must accept
By moving from LAN-only to public-internet:
### 3.1 Login page is on the open internet
Anyone on the internet can hit the login form. Mitigation:
`LoginAttemptsBeforeLockout=5` plus strong passwords. **There is no
fail2ban or rate-limiting at the Traefik layer** — the lockout is
purely application-level (Jellyfin's own counter). Consider adding a
Traefik rate-limit middleware later if abuse shows up in logs.
### 3.2 Copyrighted media exposure
The library contains commercial movies and TV. Hosting it on a
public-resolvable domain raises legal heat (rights-holder C&D,
ISP terms-of-service action). This is an information note, not
legal advice — only the owner can decide whether to accept it.
### 3.3 Dynamic WAN IP (Virgin Media)
Home WAN IPs on consumer ISPs change without notice. When the WAN IP
changes, the Gandi A record must be refreshed or arrflix.s8n.ru will
point at someone else's IP.
A simple cron-driven updater (run every 15 min on nullstone):
```bash
#!/usr/bin/env bash
# /opt/scripts/gandi-arrflix-updater.sh
# Refreshes arrflix.s8n.ru A record if WAN IP changed.
set -euo pipefail
TOKEN="$(grep ^GANDIV5_PERSONAL_ACCESS_TOKEN /opt/docker/traefik/.env | cut -d= -f2)"
WAN=$(curl -s --max-time 10 https://ifconfig.me)
[[ "$WAN" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1
CUR=$(dig @1.1.1.1 +short arrflix.s8n.ru | head -1)
[[ "$WAN" == "$CUR" ]] && exit 0
curl -s -X PUT "https://api.gandi.net/v5/livedns/domains/s8n.ru/records/arrflix/A" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"rrset_values\":[\"$WAN\"],\"rrset_ttl\":300}" \
> /var/log/gandi-arrflix.log 2>&1
logger "gandi-arrflix-updater: changed $CUR -> $WAN"
```
Cron:
```
*/15 * * * * /opt/scripts/gandi-arrflix-updater.sh
```
The Gandi token in `/opt/docker/traefik/.env` is already scoped to
LiveDNS-only on `s8n.ru`, so even if the script leaks it can't change
nameservers or add other domains (per `reference_gandi_api.md`).
### 3.4 **Weak password warning — read this**
The new user `5` has password `1234`. This is **fine for a private
LAN-only service shared with one friend**. It is **dangerous on the
public internet**:
- A botnet hits common username/password combos within hours of the
domain becoming reachable. `5/1234` is in every basic password list.
- The lockout fires after 5 attempts but a distributed attacker
rotates source IPs faster than that.
- Even if Jellyfin login holds, weak creds normalise weak creds —
the next person added gets `6/1234` and the bar drops further.
**Recommendation** before the owner opens the router:
- Reset user `5`'s password to something strong (12+ random chars).
- Reset the `guest` user's password as well (or disable it).
- Consider whether the `s8n` admin account password is strong.
- Owner decides whether to keep the `5/1234` username/pw memorable
for the friend at the cost of being an obvious target.
The owner accepted `5/1234` for the Forgejo friend account, but
Forgejo on git.s8n.ru holds no copyrighted media. Jellyfin does.
Different threat profile, same friend, different decision.
---
## 4. Rollback (revert to LAN-only)
If the public exposure goes wrong (abuse, legal pressure, anything):
1. **Close the router ports.** Remove the port-forward rules for
`443/tcp` and `80/tcp` on the home router admin UI. This is the
fastest single-action shutoff — no internet traffic reaches Traefik.
2. **Re-add the no-guest middleware.** Edit
`/opt/docker/jellyfin/docker-compose.yml`, change
```yaml
- "traefik.http.routers.jellyfin.middlewares=security-headers@file"
```
back to
```yaml
- "traefik.http.routers.jellyfin.middlewares=security-headers@file,no-guest@file"
```
then `cd /opt/docker/jellyfin && docker compose up -d`. Even if a
port stays open by mistake, only LAN/tailnet/owner-IP hits succeed.
3. **Remove the Gandi A record.**
```bash
curl -X DELETE "https://api.gandi.net/v5/livedns/domains/s8n.ru/records/arrflix/A" \
-H "Authorization: Bearer $GANDIV5_PERSONAL_ACCESS_TOKEN"
```
Pi-hole's LAN override remains, so LAN clients keep working.
4. **Disable or delete the cron updater** if installed.
5. **Optional:** set `LoginAttemptsBeforeLockout` back to `-1` if
the lockout is causing friction and there's no public exposure
to defend against. (Not required — keeping `5` is harmless.)
After steps 13 the service is back to its pre-exposure posture
(LAN + tailnet + owner home IP only).
---
## 5. Change log
| Date | Change | By |
|------------|--------|----|
| 2026-05-08 | Gandi A record `arrflix.s8n.ru → 82.31.156.86` (TTL 300) | server-side |
| 2026-05-08 | Drop `no-guest@file` middleware on Jellyfin router | server-side |
| 2026-05-08 | `LoginAttemptsBeforeLockout=5` on s8n / guest / 5 | server-side |
| 2026-05-08 | Wrapper `bin/add-jellyfin-user.sh` bakes in lockout=5 | server-side |
| TODO | Home router port-forward 443+80 → 192.168.0.100 | owner |
| TODO | Strong passwords on user `5` and `guest` | owner |
| TODO | (Optional) Gandi WAN-IP cron updater on nullstone | owner |
Reference in a new issue Copy permalink