This is an automated archive made by the Lemmit Bot.
The original was posted on /r/homelab by /u/Fallyfall on 2025-01-11 15:40:39+00:00.
Hey r/homelab,
I have recently decided to enter the world of homelabbing, more specifically to self-host some services that I want to use. Since I'm waiting for some hardware to arrive, I started thinking a bit more about security. While I found this video by RaidOwl easy to follow and understand, I'm none the wiser when it comes to actually securing the services exposed to the web.
Then I found this video by Techno Tim talking about security, with some mentions of an internal proxy. I don't completely understand the concept of that. However, one of the comments wrote this:
The only minor disagreement I have is with setting up the proxy authentication after everything else is working. Set it up from the start and apply it to all services behind the proxy. You're in a much better spot if everything on your home-lab requires authentication on the proxy. Even if it means logging-in twice (to the proxy and the back-end service). This drastically lowers the attack surface. You can later exclude any services you'd like to remain public.
Also, use some type of split DNS; where you serve the internal IP of the proxy to all internal clients. That way you can skip the hop to Cloudflare internally. And you can still access all your home-lab services if your internet connection goes out.
So, that got me curious about what steps I'd need to do in order to secure the services that I eventually will expose to the web. Given that I know exposing services to the web can be "dangerous" I want to read up on the topic while I'm waiting for the hardware to arrive.
TL;DR (I guess):
- How do I go about setting up an internal proxy for the sake of securing publicly exposed services?
- Would that mean using, for instance, some kind of dashboard service with hardened log-on options, and then redirecting from there? Or am I thinking about this the wrong way?
- Any good resources on split DNS? I'm using pfSense as my router.
- How do I validate and verify that security is actually set up and working as intended?
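As an added example (not from the post or its commenters), the two points the quoted comment makes can be turned into a small audit script: every service name should resolve, from a LAN client, to the proxy's private address (split DNS), and an unauthenticated request to every service should be refused or redirected to the proxy's login page unless the service is on an explicit public allowlist. The hostnames, addresses, the login URL and the HTTP results below are all constructed sample data; `probe()` is a hypothetical live helper you would point at your own names, while `audit()` is the pure evaluation logic run over the sample observations.

```python
"""Audit helper for a proxy-fronted homelab (added example, not from the post).

Check 1 (split DNS): a LAN client must resolve each service name to the
proxy's private (RFC 1918) address, not to a public/CDN address and not
straight to the backend host (which would bypass the proxy).
Check 2 (proxy auth): an unauthenticated GET must get 401/403 or a redirect
to the login URL, unless the host is explicitly allowlisted as public.
"""
import ipaddress
import socket
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Set

AUTH_GATE_STATUSES = {401, 403}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def check_dns(host: str, resolved_ip: str, proxy_ip: str) -> List[str]:
    """Split-DNS check: the name must resolve to the proxy's private address."""
    findings = []
    if not ipaddress.ip_address(resolved_ip).is_private:
        findings.append(f"{host}: LAN resolver returned public address {resolved_ip} (split DNS not applied)")
    elif resolved_ip != proxy_ip:
        findings.append(f"{host}: resolves to {resolved_ip} instead of proxy {proxy_ip} (proxy bypass)")
    return findings


def check_auth(host: str, status: int, location: Optional[str],
               login_url: str, public_allowlist: Set[str]) -> List[str]:
    """Auth check: unauthenticated access must be gated unless allowlisted."""
    if host in public_allowlist or status in AUTH_GATE_STATUSES:
        return []
    if status in REDIRECT_STATUSES and location and location.startswith(login_url):
        return []
    return [f"{host}: unauthenticated request got {status} (no proxy auth gate)"]


def audit(observations: List[Dict], proxy_ip: str, login_url: str,
          public_allowlist: Set[str]) -> List[str]:
    """Run both checks over a list of {host, resolved_ip, status, location} dicts."""
    findings: List[str] = []
    for obs in observations:
        findings += check_dns(obs["host"], obs["resolved_ip"], proxy_ip)
        findings += check_auth(obs["host"], obs["status"], obs.get("location"),
                               login_url, public_allowlist)
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect the Location header."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host: str, timeout: float = 5.0) -> Dict:
    """Hypothetical live helper: resolve a name and do one unauthenticated GET.
    Run this from a LAN client against your own service names (network access required)."""
    resolved_ip = socket.gethostbyname(host)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"https://{host}/", timeout=timeout) as resp:
            return {"host": host, "resolved_ip": resolved_ip, "status": resp.status, "location": None}
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here with redirects disabled
        return {"host": host, "resolved_ip": resolved_ip, "status": err.code,
                "location": err.headers.get("Location")}


# Constructed sample data standing in for what probe() would return on a LAN client.
PROXY_IP = "192.168.10.5"
LOGIN_URL = "https://auth.lab.example/"
PUBLIC_ALLOWLIST = {"blog.lab.example"}
SAMPLE_OBSERVATIONS = [
    {"host": "grafana.lab.example", "resolved_ip": "192.168.10.5", "status": 302,
     "location": "https://auth.lab.example/?rd=https://grafana.lab.example/"},  # gated: OK
    {"host": "files.lab.example", "resolved_ip": "104.16.1.1", "status": 200, "location": None},  # two findings
    {"host": "blog.lab.example", "resolved_ip": "192.168.10.5", "status": 200, "location": None},  # allowlisted: OK
    {"host": "nas.lab.example", "resolved_ip": "192.168.10.20", "status": 401, "location": None},  # bypasses proxy
]


def sample_findings() -> List[str]:
    return audit(SAMPLE_OBSERVATIONS, PROXY_IP, LOGIN_URL, PUBLIC_ALLOWLIST)


if __name__ == "__main__":
    for line in sample_findings():
        print("FINDING:", line)
```

Run it from a client on the LAN, replacing the sample observations with `[probe(h) for h in your_hosts]`; then run it again from outside (a phone on mobile data) where the DNS check should instead show the public address and the auth check should still pass for every non-allowlisted name.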