• 0 Posts
  • 10 Comments
Joined 1 year ago
cake
Cake day: October 8th, 2023

help-circle
  • My primary ‘backup’, or easy recovery method is that I use ZFS, and take snapshots via sanoid frequently. I have a mydumper jump making backups of my mariadb server. I use syncoid to doing sends to external storage. So most things can just be fixed by copying the files from an older snapshot.

    I also have a completely separate backups of my system made using borg to storage I have at borgbase.com, but this only happens a couple times a week, and is only my ‘important’ data and not large things like downloaded video/music/etc. I am thinking about switching borg out for restic though, since restic is also compatible with borgbase.


  • There are risk, that a newer version of an image will accidentally, break things, apply breaking changes and so on.

    Good, frequent, tested backups, could be a mitigation to this. If an image breaks, you just restore your data from the backup, and pull the older image.

    I use the klausmeyer/docker-registry-browser, and that recently broke, but it just needed me to provide an additional configuration variable.

    I use advplyr/audiobookshelf, which upgraded to a different database engine and schema a couple months ago. For some small subset of people (including me) the migration to the new database didn’t go well. But I had a backup from 6 hours before the update, so restoring and then using the older image until the fixes were released was easy.

    Even with the occasional issues I prefer letting watchtower automatically update most of my images for my home. I don’t really want to spend my time manually applying updates when 98% of the time it will be fine. But again, having a reliable and tested backup system is an essential part of why I am comfortable doing this.



  • From the perspective of the stuff you are transporting over the VPN tunnel or ssh proxy. There is not much difference. The payload is encrypted and can’t be seen in transit assuming the underlying VPN, or SSH tunnel is secure.

    There are functionality difference. For an SSH proxy, you have to be able to use a different IP port, or you have to use a browser and configure a SOCKS proxy.

    There are potential performance differences. Last time I tried using them for large transfers, I found the performance over a SOCKS via ssh tended to kinda suck. At least compare with a transfer over a VPN. It is possible this had nothing to do with SSH, and was problems with the browser I was using at the time. But this might not matter much for your usage.

    How things could potentially leak might be different with a proxy. Depending on how you configure SSH and the implementation, your DNS might be resolved on your original DNS servers, or via the tunnel.



  • Why don’t people use client certificates

    The difference is that the client certificates are usually implemented as part of the web server. If there is a issue with either configuration, or bug in the web server, you potentially immediately can bypass the certificate requirement. On the other hand a VPN is often a completely separate piece of software, that is operating at the network layer.

    Another thing. If you run a simple port scan against the Internet it is easy to find http/https servers. Some VPN protocols that have been strongly configured will be more or less invisible to any kind of port scans. This eliminates a lot of the scanning and probing get for basically thing that is visible on the Internet.

    Not saying client certs don’t have their place. Just not sure I would choose them, when I think a VPN provides stronger protection, and is potentially pretty easy to implement for a selfhosted environment.