Yeah, it’s definitely faster, but I’m not sure it’s going to make too much of a difference for a Minecraft server.

With setting it up being a bit annoying by hand, I’d still rank the router option higher even if it’s a worse VPN. Otherwise you risk ending up in that yak shaving situation where you’re fighting with routing tables and DNS when you wanted a Minecraft server.

Oh for sure. What I meant was “check router for a built in VPN and use it if it has one, otherwise use wireguard because it’s the easiest”.

The specific VPN doesn’t really matter so much. The built-in one would be the easiest, so checking for a solution that took a few clicks is worth it. :)

I would use something like wireguard, or another VPN service you can host yourself if your router supports it natively.

From the looks of it Minecraft servers seem to have dogshit authentication, so using some form of private network setup is going to be your best move.

Yup, that’s a really good pattern to follow. Not only does it minimize your exposure behind a secured entry, it also makes sure that all of your access is uniformly authenticated.

You have to do some shenanigans to do something similar with other, non-http based services, but it’s possible with most of them.

It’s not a simple task, so I won’t list many specifics, but more general principles.

First, some specifics:

• disable remote root login via ssh.
• disable password login, and only permit ssh keys.
• run fail2ban to lock people out automatically.

Generally:

• only expose things you must expose. It’s better to do things right and secure than easy. Exposing a webservice requires you to expose port 443 (https). Basically everything else is optional.
• enable every security system that you don’t have reason to disable. Selinux giving you problems? Don’t turn it off, learn how to write rules to let your application do the specific things it needs. Only make firewall exceptions where needed, rather than disabling the firewall.
• give system users the minimum access they require to function.
• set folder permissions as restrictively as possible. FACLs will help, because it lets you be much more nuanced.
• automatic updates. If you have to remember to do it, it won’t happen. Failure to automate updates means your software is out of date.
• consider setting up a dedicated authentication setup like authellia or keycloak. Applications tend to, frankly, suck at security. It’s not what they’re making so it’s not as good as a dedicated security service. There are other follow on benefits.
• if it supports two factor, enable it.

You mentioned using cloud flare, which is good. You might also consider configuring your firewall to disallow outbound connections to your local network. That way if your server gets owned, they can’t poke other things on your network.

So, you’re going to run into some difficulties because a lot of what you’re dealing with is, I think, specific to casaOS, which makes it harder to know what’s actually happening.

The way you’ve phrased the question makes it seem like you’re following a more conventional path.

It sounds like maybe you’ve configured your public traffic to route to the nginx proxy manager interface instead of to nginx itself.
Instead of having your router send traffic on 80/443 to 81, try having it send the traffic to 80/443, which should be being listened to by nginx.

Systems that promise to manage everything for you are great for getting started fast, but they have the unfortunate side effect of making it so you don’t actually know what it’s doing, or what you have running to manage everything. It can make asking for help a lot harder.

You’ll be fine enough as long as you enable MFA on your Nas, and ideally configure it so that anything “fun”, like administrative controls or remote access, are only available on the local network.

Synology has sensible defaults for security, for the most part. Make sure you have automated updates enabled, even for minor updates, and ensure it’s configured to block multiple failed login attempts.

You’re probably not going to get hackerman poking at your stuff, but you’ll get bots trying to ssh in, and login to the WordPress admin console, even if you’re not using WordPress.

A good rule of thumb for securing computers is to minimize access/privilege/connectivity.
Lock everything down as far as you can, turn off everything that makes it possible to access it, and enable every tool for keeping people out or dissuading attackers.
Now you can enable port 443 on your Nas to be publicly available, and only that port because you don’t need anything else.
You can enable your router to forward only port 443 to your Nas.

It feels silly to say, but sometimes people think “my firewall is getting in the way, I’ll turn it off”, or “this one user needs read access to one file, so I’ll give read/write/execute privileges to every user in the system to this folder and every subfolder”.

So as long as you’re basically sensible and use the tools available, you should be fine.
You’ll still poop a little the first time you see that 800 bots tried to break in. Just remember that they’re doing that now, there’s just nothing listening to write down that they tried.

However, the person who suggested putting cloudflare in front of GitHub pages and using something like Hugo is a great example of “opening as few holes as possible”, and “using the tools available”.
It’s what I do for my static sites, like my recipes and stuff.
You can get a GitHub action configured that’ll compile the site and deploy it whenever a commit happens, which is nice.

I’m pretty sure half the people in these comments are trolling, because no one is seriously that shit at security. Or at least that’s what I tell myself…

Why wouldn’t you just use the ruby functions for adding a month to a date?

https://ruby-doc.org/stdlib-2.5.1/libdoc/date/rdoc/Date.html#method-i-3C-3C

It seems really weird that there’s so much pushback against “date time math is tricky, read the manual to find out exactly which compromise your library chose”.

So, you’re talking about throwing exceptions if adding a month yields an invalid date if done without nuance, but then you’re showing an example of just trying to instantiate an invalid date in java.

I believe java has an addMonths method, that in the situation we’re talking about doesn’t throw an exception, but rather limits the output to the 28th/ 29th/30th.

Which illustrates my point: intuitive Datetime math involves choosing how you handle edge cases that are routine and not exceptional, like “a month from January 31st”.

The rest of your comment arguing about how people expect months to work just makes me feel like you’ve never actually talked to a business stakeholder about requirements.

If I say to add four days, will it throw an exception if it’s the 31st? No month has 35 days, so I should get an exception, right?

Yeah, it’s how months work.

That’s just insane. An API that doesn’t increment the month when you pass the end while adding days is just broken.

Have you never done Datetime math before?

You didn’t run new Date(2019, 02, 31), you asked it for one month from January 31st.
One month after any given day of the month is, by most people’s intuition, a valid thing to ask for.

Your solution of making the API throw an exception for every 31st of the year is vastly less intuitive to me than “a month is 31 days in January, and 28 or 29 in February, so adding a month does different things in different months”, because at least for those is can also query how many days are in the month.

If I say to add four days, will it throw an exception if it’s the 31st? No month has 35 days, so I should get an exception, right?
Or is it just this weird caveat around months? Does it apply to time?

So, the flip side to that is that sometimes you need to add one month to a date, because that sometimes how human systems are written.
By not providing a function that does that, you’re just pushing the confusion down to the developer, who is more likely to make terrible errors in the process, get frustrated, or use one of N different competing libraries, each of which chose a different answer.

Omitting functionality that can behave unintuitively in certain circumstances means leaving out a lot of functionality that people need.

Like, “decimal numbers” go pathological in certain cases. So do Unicode characters. Don’t even bother thinking about connecting to the network.

What behavior do you expect? Specifically.

I’m arguing that every answer is wrong, and will return bizarre results, be aggravating, useless or some combination therein for some conditions.
Therefore you have to know the API, because every language will fuck you, and JavaScript isn’t special in this specific case.

Adding the number of days in the month to the date as “add one month” is just as rational as any other choice.

Except it’s not nonsense. If you ask for 31 days after January 31st, you don’t get February 28th.

A month is a malformed concept to use in conjunction with arithmetic, except for the part where people do it all the time and just ignore the fact that it often gets weird.

Do you really think you’d be happier if the answer for "what’s a month from 01/31?” was “InvalidDateException”? That every other month the concept of “a month from today” is just undefined?

Saying “adding a month means adding the number of days in the starting month” is one choice of many, all of which have terrible downsides.

In this case though, it’s consistent, and is just one of the annoying ways the problem could be solved. Datetime math is just fucked up.

You can just not support that functionality, which gives you people making their own mistakes and forgetting leap years or hard coding all sorts of insanity.

You can clamp the value to the end of the month, but that gives you the odd case where date + month - month != date in some days, which is also a weird pitfall.

If I see any code dealing with adding and subtracting months, I’m either checking the manual or I already know it’s behavior from doing so before.
I’m all about not liking how JS does stuff, but Datetime math is the one area where in willing to forgive most insanity of outcomes.

It’s because there’s no right answer, and this way gets you the intuitive answer most often.

A month isn’t a proper unit of time. Adding a month to a date can’t be done without specifying which month you’re adding.

You could argue that one month from January 31 is February 28, 29 (depending on the year), March 2, or 3.

Should one month from the last day be the last day of the next month? That would mean that the 30th and the 31st of march are both the same duration from April 30th, and a month before April 30th could logically map to either one.

So they chose the path that, for anything other than the 31st, and the 29th and 30th if it comes near February, works as you expect. "A month after 17 days from the first of January is 17 days after the first of february.”

The other alternatives involve not allowing the addition and subtraction of irregular time intervals, but then you get frustrated that you can only deal with seconds, since those don’t change in length.

Unix based systems tend to be able to be hardened to a higher level than windows devices. Apple provides a lot of apis for preventing unsigned code from running, which can go a long way beyond a locked down bootloader.

It’s less that they’re intrinsically more secure, it’s just that it’s a bit easier for a determined admin to lock it way further down while also not irritating the user.

I seem to recall Chromebooks are even better, but you sacrifice a lot more.