Looking for best practice for a Public-Facing Jail or VM

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
I have my iXsystems TrueNAS online, and am working on setting up local shares, etc. I am coming off an old ReadyNAS that is long in the tooth and no longer really supported, so I will be copying my data over, and want to mimic some of the functionality of the old NAS on the new one.

At the moment, my old NAS is in the DMZ on my home network, and can be accessed from outside. I have a DynamicDNS domain pointing to it (via the Router), and this lets me share some basic functionality - mostly NextCloud and Piwigo (wedding photos, etc.) on the Internet - so I can share photos with my family and also access my NextCloud from outside my home.

I'd like to replicate this setup on my TrueNAS - basically, create either a Jail or a VM with a local IP on my internal network, then put that IP in the DMZ. From there, I can point to my domain on the Internet, and connect back to https://(domain)/piwigo and https://(domain)/nextcloud. The separation of these applications in a Jail or VM would mean my other data (in local Shares) would be isolated from the Internet in a separate IP / instance.

What's the best way to accomplish this? Is a Jail with multiple plugins possible, or should I roll my own VM? I'd prefer to keep things as simple as possible with the URLs (no port numbers), to keep it easy for family members and the like, and consistency of bookmarks that are already established.

Thank you for any input and advice!
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'd think the way to go would be to set up each of those applications in its own jail, and a third jail for a reverse proxy. For the latter, you have a few options:
  • You could use my resource for Caddy:
  • You could manually set up a jail and manually install your dedicated reverse proxy of choice (Traefik, HAProxy, etc.) or Nginx Proxy Manager
  • You could manually set up a jail and install Apache, Nginx, or whatever other general-purpose web server you like that also acts as a reverse proxy
  • Set up a virtual machine (under TrueNAS or otherwise) to handle the reverse proxy
  • Or if your router supports it (like pfSense and OPNsense do), dispense with the third jail/VM and use your router as the reverse proxy.
In any of the first four options, you'd forward ports 80/443 to the reverse proxy jail/VM, rather than to Nextcloud or Piwigo.
 

GJSchaller

> I'd think the way to go would be to set up each of those applications in its own jail, and a third jail for a reverse proxy. For the latter, you have a few options:

Oh, thank you! I wasn't aware of Reverse Proxies before now... I am running a FreshTomato Router at home, which will let me do this (looked it up, it'll take some work, but seems well documented).

Thank you, Mr. Encounter Suited Fortune Cookie! :smile:
 

danb35

I have always been here.

But something I really like about Caddy is how easy it is to configure, and also that it handles SSL/TLS automatically.
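
Added example, not part of the original thread and not taken from danb35's Caddy resource: a Caddyfile for the reverse-proxy jail that serves both apps on one hostname with no port numbers, so only that jail receives the forwarded ports 80/443. The hostname, the jail IP addresses, and the assumption that each app is already configured to serve under its sub-path are placeholders for illustration.

```caddyfile
# Constructed example: nas.example.com and the 192.168.1.x addresses are placeholders.
nas.example.com {
	# Caddy requests and renews the TLS certificate for this hostname on its own,
	# provided the router forwards ports 80 and 443 to this jail only.

	# Piwigo jail (assumed to serve the gallery under /piwigo)
	redir /piwigo /piwigo/
	handle /piwigo/* {
		reverse_proxy 192.168.1.21:80
	}

	# Nextcloud jail (assumed to be configured to serve under /nextcloud)
	redir /nextcloud /nextcloud/
	handle /nextcloud/* {
		reverse_proxy 192.168.1.22:80
	}

	# Default deny: any other path gets a 404 instead of reaching a backend.
	handle {
		respond 404
	}
}
```

With this layout the application jails need no port forwards of their own, and the local shares on the TrueNAS host are never a proxy target.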
 

GJSchaller

I'm reading up on that now... it's nice to have options as needed. Thank you again!
 