this post was submitted on 28 Mar 2026
31 points (100.0% liked)

Selfhosted

60543 readers
385 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the link in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post. )

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

I am experimenting with using forgejo instead of GitHub for my personal projects. So far I like it, however I would like to make it available to the outside world at some point.

I was wondering what kind of traps I should avoid. The following things come to mind so far:

  • Forgejo Actions seem like a massive potential security risk, however I do not intend to enable sign up for other
  • OpenID appears to be a thing for forgejo, I do not know how it works and it seems like it would allow access to my instance even with registering disabled
  • I would put the instance behind a nginx as reverse proxy, but how do you keep bot traffic to a minimum? Anubis?

I feel like there are a ton of things I have not thought of, which is why I am holding off on making anything available without a VPN so far.

you are viewing a single comment's thread
view the rest of the comments
[–] hendrik@palaver.p3x.de 8 points 3 months ago* (last edited 3 months ago)

If it's just you, and you're fine with the regular login... Just disable signup and don't add more authentication mechanisms like oauth/openID.

I'm using nginx as a reverse proxy as well. For now, I added a lot of "deny" directives to ban all the address ranges from Tencent, Alibaba, OpenAI. It's not a 100% solution, but works well enough for me. I'm mostly worried about AI crawlers causing too much load on my server. And it stopped since, so I don't think I'm gonna need Anubis and all these extra things in front if my applications. If you like you can look into solutions like a web application firewall like Crowdsec.