DON'T Expose Internal Applications To The Internet! Restrict Access NOW!

The majority of Traefik tutorials all have the same problem: they expose every service routed through Traefik to the Internet. This is bad from a security perspective and increases the attack surface of your homelab. It's not a good idea to externalise Portainer, PiHole, Vaultwarden, etc.

In this video I provide 3 options to restrict access to applications so you can specify exactly which services you want to expose and to which clients. Let's secure Traefik now!

Traefik Docker Files:

00:00 - Introduction to the Traefik 'Security Problem'
01:29 - Demonstrating the 'Problem'
03:23 - Option 1: Cloudflare Proxy
05:00 - Option 2: Multiple Traefik Entrypoints
14:44 - Option 3: Traefik WhiteList
19:20 - Bonus Option: Deploy Two Traefik Instances
20:30 - Outro
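The options from the chapter list above, combined in one compose file as an added example that is not part of the video's own Traefik Docker files: Option 2 (a second entrypoint bound only to the LAN address) and Option 3 (an IP allow-list middleware), with `exposedByDefault=false` so a service is only routed when it is explicitly labelled. The hostnames, the LAN range 192.168.10.0/24, the VPN range 10.8.0.0/24 and the host address 192.168.10.5 are assumed values.

```yaml
# Added example, not the video's files. Assumed: LAN 192.168.10.0/24,
# Docker host LAN IP 192.168.10.5, router forwards only WAN:443 -> host:443.
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"   # no container is routed unless labelled
      - "--entrypoints.web-external.address=:443"     # the only entrypoint the router forwards to
      - "--entrypoints.web-internal.address=:8443"    # LAN-only entrypoint (see ports below)
    ports:
      - "443:443"
      - "192.168.10.5:8443:8443"   # bind the internal entrypoint to the LAN address only
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  portainer:   # internal-only service: never attached to web-external
    image: portainer/portainer-ce
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.home.example`)"
      - "traefik.http.routers.portainer.entrypoints=web-internal"
      - "traefik.http.routers.portainer.middlewares=lan-only"
      # Option 3: allow-list of client source ranges (LAN plus a VPN subnet).
      # In Traefik v3 the middleware is named ipallowlist instead of ipwhitelist.
      - "traefik.http.middlewares.lan-only.ipwhitelist.sourcerange=192.168.10.0/24,10.8.0.0/24"

  blog:        # the one service deliberately published to the Internet
    image: nginx:alpine
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.blog.rule=Host(`blog.example.com`)"
      - "traefik.http.routers.blog.entrypoints=web-external"
```

A quick check that the split works: from outside, `https://portainer.home.example` must get a 404 from Traefik (no router on web-external matches), while from the LAN the same name resolves to 192.168.10.5:8443 and is served. TLS certificate configuration is left out so the entrypoint split stays readable.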
Comments

Excellent information! One additional thing I have done is restrict the entry of my NAT rules for ports 80 and 443 to the Cloudflare ASN in Opnsense. It doesn't even appear to be an open port any longer.

danielcronk

Thanks for the video. I went with the dual traefik instances approach. Separation of concerns and less chance of adding mistakes to config.

nemac

I'd recommend everyone use logically separated Traefik instances for internal and external. Yes, it does require a bit more configuration, but it's going to be the most secure.

fronix

I think the biggest flaw is in the volume mountpoint: mounting the Docker socket directly is not recommended; even the Traefik documentation states you should not do that in prod. If somehow an external user gets access to your Traefik instance, even through Cloudflare, they will have root access to your Docker, unless you are running Traefik as non-root.

haidars

I run the two instance setup. I have my docker compose set up so I use environment variables for configuration, then there is a merge feature where I have most of the config in a section that is then referenced and the internal/external portions only specify their unique elements (such as the IP whitelist).

Additionally, on the external point, I have an additional Docker constraint tag, so by default enabling items only registers them on the internal instance, but I can add an additional label to list them on the external provider as well.

My setup is all about doing as much of the work in the Traefik configuration itself as possible, then the services themselves only have to specify a bare minimum, typically only a hostname and to enable (I have exposedByDefault set to false). I even have them sharing a cert store by mounting the same file, but only giving the external instance read-only access to it. Now THAT is something I wish I had a better way of managing, especially as most ACME providers can run into conflict if you request multiple certs at the same time, and I don't want any internal subdomains explicitly listed on my publicly served cert.

MegaJugganot

Once again, another amazing video. Already waiting for the next one.

joelfrojmowicz

Jim is always there when I'm lost, thanks man for ideas!

qhzzdyh

Godsend! Could not have come at a better moment in time for me. I just hope I can manage the complexity. I love the idea of docker-compose, but I've already let blood for a decent amount of time with the Docker + Docker Compose documentation. And man, if you already only half know what you're doing, docker / compose / volumes / networking sure ain't gonna help that. The worst part is: it's difficult to diagnose. Is it fw rules? Is it VLAN? Is it DNS? (it's always DNS) etc. I love the tinkering, but it can be a harsh mistress .. and hard on free time and money on top.

koloblicin

Chapter title “demonstrating the problem”,

Opens a VM on screen share and talks 😄

Joking aside, great stuff on your channel! Thanks for sharing good info

AlyYouTubePresence

Thanks for highlighting this point. It should be the most overlooked security flaw for most homelabbers. Updating my traefik config tonight!

overman

Thank you very much for this video! Hardest part was to do the port forwarding/translation and not mess with Docker iptables.

ethernaelis

Amazing video, your explanations are so clear and your talking flow is just perfect. I choose solution 2 for now. Thanks a lot for all your work.

jinseventwonine

You're missing what I think is the best option. Just run 2 Traefiks. One on an internal-only IP, and one that's exposed to the outside world running your public projects. You can (and should) even put them on their own vlans.

corbosman

The most secure option for home networks is to only use remote access VPN solutions such as WireGuard to connect to your home resources. And with the WireGuard connect-on-demand feature you don't have to manually enable your WireGuard when away from home WiFi networks.

sitostickdeluxe

Great video, though I would use different ports for the external, something like 8080 and 8443

VanillaPachi

A nice idea. Another idea is to run two instances of reverse proxies (either Traefik or NPM): external services are hosted on traefik-external, internal services are hosted on traefik-internal, and you just configure the firewall (pfSense etc.) to forward ports 80 and 443 to the traefik-external reverse proxy only.

apainter

Still learning along the way, mostly because of your videos! So, if you would like to expose only certain apps to certain users/IP addresses, would it not be safer to just use something like Twingate or OpenZiti? So you would not have to open any port whatsoever? Or would that be too strict and hamper usability?

robertfichtinger

Hey, great video!
Question, out of curiosity: if you are not exposing your password manager (Vaultwarden - I use it as well), how do you use it on your phone or when you are not connected to your local network?

yairabc

4:55 Yes there is!
I know of a source where I get a list of all current DNS records. It's updated every 24 hours. And so it only takes a simple grep to get a list of your sub-domains - all of them.

Shocker

Great videos 👍 I just have a question about Jellyfin. Will Cloudflare not shut it down after time? Would love to stream my music through my Jellyfin app on my mobile remotely. Is there so many MB you have?
