this post was submitted on 29 Nov 2023
11 points (86.7% liked)

Selfhosted

40152 readers
435 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I currently host several services on my docker swarm, all of which are exposed to the internet but protected by Authelia and routed through Traefik.

I'd like to improve security and split my network into several vlans, one of which would be a DMZ for services exposed to the internet (Foundry VTT, Matrix, Searx, maybe some others), and another vlan for services that are only accessible while on a vpn (*arrs, Jellyfin, Nextcloud, etc.).

I'm not sure what is the safest and easiest way to do this. Some ideas I have:

  1. Setup a specfic server for my external services and connect it to a DMZ tagged vlan port.
  2. Run all of my services in the same docker swarm on the internal VLAN, and only have my Traefik service running in the DMZ (I don't know if this is possible with physical vlan ports)
  3. Run all of my services in the DMZ, but with an IP whitelist to control access for services I only want accesible from the VPN
  4. Something else I haven't thought of?

Thanks, and I appreciate the help.

top 3 comments
sorted by: hot top controversial new old
[–] TheButtonJustSpins@infosec.pub 4 points 11 months ago (1 children)

I'd have all your services internal and have an additional reverse proxy in the DMZ that connects back to the internal services for anything that you expose.

[–] mhzawadi@lemmy.horwood.cloud 2 points 11 months ago (1 children)

This is kind of how my setup looks, only without the DMZ. PFSense NAT to nginx lxc, terminates the SSL/TLS and then uses both my swam nodes as upstream for docker services. Docker services are behind traefik, each service is its own network in docker. If its a webby service you hit treafik not a port.

[–] TheButtonJustSpins@infosec.pub 1 points 11 months ago

I have exposed endpoints hitting HAProxy in pfSense, which then reverse proxies as needed. Same thing, basically.