Just because the destination IP address is not a LAN address? That’s not misconfiguration, that’s a legitimate use of NAT reflection/loopback. If that’s how it determines who is streaming remotely then just run it behind nginx that forgets to set the correct headers.

Edit: Apparently Plex centrally relays all the traffic? Self-hosted my 🍑, it’s not self-hosted if you need to rely on their server.

Needs more vibe.

I explained why. Misconfiguration and caching.

Not two A records. From what I understand, OP has an A record pointing to their public IP address (which Nginx is listening on behind a NAT). Then, on the local network, OP uses their own DNS server to ignore that entry and instead always serve the local IP when a host on the LAN queries it.

Aside from OP’s devices potentially using a different DNS server (I was only able to solve it for my stock Android by dropping outgoing DNS in my firewall), this solution is a nightmare for roaming devices like mobile phones. Such a device might cache the DNS answer while on LAN or WAN respectively and then try to continue using that address when the device moves to the other network segment.

These are the most likely scenarios in my opinion - OP’s devices are ignoring the hacky DNS rewrite (either due to using a different DNS server or due to caching) and try to access the server via the public IP. This is supported by the connection timeout, which is exactly what you would see when your gateway doesn’t do loopback.

Never point your DNS at two different IP addresses like this. It will only cause you pain and unexpected behaviour.

What you are experiencing is solved by so-called “NAT reflection” or “NAT loopback”. It’s a setting that - in the optimal case - you should just be able to activate on the appropriate interface on your gateway.

If you do not have that setting or do not have access to the edge router, but only some intermediate router, you can do a nasty hack. You can point static routes to your public IP address to point at your local IP address instead. In that case, you also need to tell your server to accept packets with your public IP address as the destination.

Is the Euro bad because it’s only accepted within the Eurozone?

I pay for the whole VPS, I use the whole VPS.

Aqara H1 switches have a version with and without neutral wire.

Look into the Aqara H1 suite of wall switches. They’re fantastic!

Other comment have gone way more in-depth, but there’s also a difference between using commercial VPNs and ones you set up yourself. I have a few private VPNs set up on servers I physically own in different countries and that offers different protections than just using NordVPN.

That’s the problem. You paid only once. The companies want you to pay indefinitely. And if they control your OS, well, they can shove ads or broatware into your face all they wish gaining more revenue.

Bold of you to assume they read the book.

deleted by creator

You’re right, my bad.

OP’s security concern is valid. Different CAs may differ in the challenges used to verify you to be the domain owner. Using something that you could crack may lead to an attacker’s public key being certified instead.

This could for example be the case with HTTPS verification (place a file with a specific content accessible through your URL) if the website has lacking input sanitization and/or creates files with the user’s input at an unfortunate location that collides with the challenge.

This attack vector might be far-fetched, but there can certainly be differences between different signing authorities.

Do you still need help with docker?

How close to vim’s functionality is evil mode? I’ve been toying with the idea of learning Emacs but I rely on Vim’s langmap and that is rarely implemented in Vim emulations / bindings.

You can learn Emacs in one day. Every day.

Even if you use arrows, you still have to reposition your hand.

Which of us didn’t crack the school firewall multiple times as they made it more and more annoying each time!