How I Self Host My Own Sites and Applications With Unraid, Docker, Authelia, and Cloudflare.
EDIT 6/6/2021 — You can now avoid portforwarding by following this IBRACORP Cloudflare tutorial on AgroTunnel — https://www.youtube.com/watch?v=RQ-6dActAr8
These days, everything requires a paid cloud subscription to do just about anything. If you want to access anything remotely, you have to pay a monthly subscription. These services hook you in with a free tier and then hit you with the charge when you want to do anything useful. Don’t get me wrong I happily pay for some services like Google Photos as it provides me with a lot of useful features for a reasonable cost. However, the final line has been crossed when home security cameras require a monthly subscription to record data on servers, likely hosted somewhere overseas where the nature of privacy laws is questionable. Sure, you can often use an SD card, but you are still accessing your cameras remotely from some server you can't necessarily trust. This is where my journey down the self-hosting route began.
Most good IP cameras you can buy offer a protocol called RTSP ( real time streaming protocol ), which lets you directly access the video with an IP and a port. Using any browser or a media player like VLC will let you view the stream. But what if you want to record? What if you want to access remotely? What if you want to use Object Detection to record when motion and objects are in the scene? Some IP cameras offer this, others require you to purchase a cloud subscription to use these features. That’s lame and no fun, especially if you are a developer like myself and you enjoy tinkering in the space of AI.
Before we get into the details of the software I use to solve my IP camera issue, let's talk about some of the core fundamentals that let me self-host. At a bare minimum, we need a computer and an internet connection. I've seen people use Raspberry Pi’s to self-host and I've seen full-on server racks full of thousands of dollars worth of equipment. The choice is yours, I personally am using an old PC Gaming Rig with an AMD Ryzen 1600 CPU, 32 GB Ram, and a hand full of hard drives and solid-state drives. It suits my needs.
Next, we need to choose an OS. You could choose Ubuntu Server, FreeNas, Windows, ESXi, but I chose Unraid.
Unraid is one of those rare pieces of software that only require a one-time license purchase to use their software, which I happily paid for and would pay for over again.
So what exactly is Unraid? Well, its official summary states…
Unraid OS allows sophisticated media aficionados, gamers, and other intensive data-users to have ultimate control over their data, media, applications, and desktops, using just about any combination of hardware.
But what does it really do? It lets you add any number of hard drives, solid-state drives of any particular size and Unraid automatically creates single continuity of space so you don't need to worry about where each file lives on each drive. It’s like a RAID array, except there is no requirement that all drives need to be the same exact size. I also threw in SSD’s for Cache storage for fast data access for applications like Docker. The best part of Unraid is the parity drive. As long as the parity drive size is equal to or larger than the largest drive in the array, you can have full data backups in case of drive failure. So let's say you have 4 TB of total space of combined hard drives, where two drives are 1TB and 4 drives are 500GB. If your parity drive ( backup drive) is equal to 1TB or larger, you can fully restore your entire 4TB array if any disk fails. I do highly recommend adding 2 parity drives or more for the ultimate data protection.
Once you have Unraid up and running you can run VM’s, Docker container, SMB shares, FTP shares, set up user access control, run Plex, store backups, you name it!
There are plenty of guides out there on how to use and set up Unraid. I highly recommend Space Invader One’s YouTube channel as he provides very easy to follow in depth-guides for almost every use case. https://www.youtube.com/channel/UCZDfnUn74N0WeAPvMqTOrtA
Once you have Unraid setup, there is an entire community of user-created applications you can install that run in Docker containers on your server. These applications come with a small configuration page where you can set up your initial parameters for application-specific configuration. Below you can see a basic outline for Plex Media Server.
If you made it this far, you probably are starting to notice the power of Unraid. Simple drive setup, file shares, and now Apps powered by Docker. You also can set up VM’s too if you want, I do.
Going back to my original problem. I have a bunch of IP home security cameras, all of which have RTSP video streaming available. There are a few really great open-source Network Video Recorders (or NVR for short ) out there. My favorite is Shinobi CCTV which offers very robust and customizable NVR open-source software solution. There is also a new up-and-coming NVR for use in Home Assistant called Frigate which currently offers a basic web interface for viewing IP cameras with object detection powered by a Google Coral Accelerator. The motivation for this article was finding a way to securely self-host Frigate and also provide a login interface since Frigate does not natively have authentication.
Simply going to the App section on Unraid and installing Frigate is all you need to get running on Unraid locally.
Now I can run Frigate locally!
So now begs the question, how do I host this off my home network and access it off my network? Sure I could set up a VPN and call it a day, but why go through the hassle of setting up a VPN on every device I own. What if I'm on a friend's computer? Borrowing someone else’s phone to check in on home if my Phone dies? That's where we can solve this problem with a Reverse Proxy. Also, we can secure Frigate with SSO to prevent unauthorized users from accessing my hosted site. Frigate does not provide any form of authentication today, maybe in the future it will, but currently, its exposed. Luckily there's a solution.
Let's start off with a diagram to help explain the concepts here.
We are going to use a few tools here.
- Unraid ( obviously )
- Nginx Proxy Manager ( our reverse proxy )
- Authelia ( our SSO )
- Duck DNS ( our dynamic DNS to pin domain name to dynamic ISP )
- MySQL ( to support Authelia )
- Frigate ( our NVR solution )
- Cloudflare ( DDOS protection and Region Blocking )
A reverse proxy like Ngnix is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. Instead of port forwarding, where you directly expose your hosting server to the internet, a reverse proxy sits in front of your application servers and directs traffic. It plays traffic cop and can provide security benefits like blocking requests, redirecting invalid requests, and proper redirect routing.
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion of reverse proxies like nginx, Traefik or HAProxy to let them know whether queries should pass through. Unauthenticated users are redirected to Authelia Sign-in portal instead. -citation via https://github.com/authelia/authelia
Since we have an insecure app like Frigate, we can front it with Authelia to provide authentication. You might ask, how does Authelia know about Frigate? How Does Frigate know about Authelia without any development integration?
Simple! Ngnix is our reverse proxy, it's the one playing traffic cop. Authelia is the first in line for Nginx before re-routing you to your app, in this case, Frigate. Authelia can use many forms of authentication like two-factor, but in my use case, I'm dealing with simple email/pass with JWT tokens. If Authelia does not see this JWT token, it “informs” Nginx and causes a redirect back to the auth page for sign-in. If it determines you are signed in, it then “informs” Ngnix that you are authorized and can be redirected to your application.
There is a really good tutorial on how to set this up by IBRACORP on YouTube. It's a must-watch. https://youtu.be/kw_pohbKE3Y
Now we can further protect ourselves using HTTPS and Cloudflare. Both Cloudflare and Ngnix Proxy manager offer HTTPS certs.
Cloudflare offers a free tier service that lets us protect our hosted site by sitting in front of your domain name service. I am using a purchased domain name via Go Daddy and pointing my name servers at Cloudflare. That way when traffic comes to mysubdomain.mysite.com, Cloudflare is the first layer to be hit. In Cloudflare, I can set up GeoBlocking rules to prevent specific countries from even accessing my application. Pretty cool for a free service!
Yet again IBRACORP has a great video on how to set up Cloudflare with Ngnix and Unraid. https://youtu.be/c6Y6M8CdcQ0
I hope you readers enjoyed this article and learned something new. Drop a comment if you feel there are improvements to this setup! I'm always eager to learn more.