this post was submitted on 29 Nov 2023
5 points (72.7% liked)

Selfhosted

39947 readers
463 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I currently host several services on my docker swarm, all of which are exposed to the internet but protected by Authelia and routed through Traefik.

I'd like to improve security and split my network into several vlans, one of which would be a DMZ for services exposed to the internet (Foundry VTT, Matrix, Searx, maybe some others), and another vlan for services that are only accessible while on a vpn (*arrs, Jellyfin, Nextcloud, etc.).

I'm not sure what is the safest and easiest way to do this. Some ideas I have:

  1. Setup a specfic server for my external services and connect it to a DMZ tagged vlan port.
  2. Run all of my services in the same docker swarm on the internal VLAN, and only have my Traefik service running in the DMZ (I don't know if this is possible with physical vlan ports)
  3. Run all of my services in the DMZ, but with an IP whitelist to control access for services I only want accesible from the VPN
  4. Something else I haven't thought of?

Thanks, and I appreciate the help.

you are viewing a single comment's thread
view the rest of the comments
[–] TheButtonJustSpins@infosec.pub 1 points 11 months ago

I have exposed endpoints hitting HAProxy in pfSense, which then reverse proxies as needed. Same thing, basically.