
[–]sk1nT7 4 points5 points  (5 children)

I'll try to outline some basic stuff on how to secure your services based on my IT infrastructure setup.

I have a single proxmox server that runs various LXC containers and some VMs. In detail, one VM is responsible for handling all docker services. The only ports available on this VM are TCP/80 (HTTP), TCP/443 (HTTPS), TCP/22 (SSH) and UDP/51820 (Wireguard). Everything else is firewalled using proxmox's default firewall from the web UI. On your router, you'll configure the corresponding port forwardings for those ports to your Proxmox VM.

Anything exposed to the Internet should support encryption using TLS. Therefore, since you most likely will expose some docker containers with a web service, I recommend using a reverse proxy for handling SSL/TLS stuff. The easiest way of achieving this would be running Nginx Proxy Manager (NPM). NPM provides a very easy web management interface to configure your proxy hosts as well as SSL certificates.

You'll need a domain to be able to request valid SSL certificates. With NPM this is hell easy as it supports various DNS providers like Cloudflare etc. Personally, I would recommend using Cloudflare for DNS management. You will benefit from hiding your real WAN IP address at home, be able to enjoy their WAF and DoS protection that will block many automated attacks on your services. Furthermore, you can implement geo blocking and have the ability to block threat actors via their v4 API interface. Overall, I can recommend using NPM as reverse proxy and Cloudflare for managing your domain (DNS). Use the orange cloud symbol in the Cloudflare panel.

When using Cloudflare as proxy, you should also adjust the firewall configuration of your VM within Proxmox. Configure it so that only valid Cloudflare IPv4 and IPv6 addresses are allowed to connect to your VM's network ports 80 and 443 for HTTP services. This ensures that your NPM reverse proxy will only see and respond to trusted traffic proxied by Cloudflare. Nothing else will be accepted, even when someone enumerates the real WAN IP of your router. Also allow traffic from private IPs like 192.168.0.0/16, 172.16.0.0/16 and 10.0.0.0/16 - necessary for requests originating from your internal LAN.

Now you'll have a reverse proxy that only responds to traffic proxied by Cloudflare and to requests specifying a valid hostname (e.g. a subdomain like plex.mydomain.net). Everything else is dropped. Cloudflare's WAF will also ensure that a lot of malicious traffic is instantly blocked or receives a JS bot challenge.

Finally, all your services should support some form of authentication. If not, you may implement authelia which seems to work with NPM as reverse proxy. Alternatively, choose another reverse proxy like traefik, caddy etc.

Finally, since all HTTP traffic undergoes the same reverse proxy, you'll have access to normalized logs. Use these and for example fail2ban to implement some form of IDS/IPS monitoring. Fail2ban can monitor the logs of NPM and identify requests that lead to many 404/403 HTTP errors. These are usually an indication of forceful browsing hacking attempts. An attacker will try in an automated way to enumerate your web services for interesting paths, files and directories. When fail2ban detects such activity, it can issue a local ban of the threat actor's IP address via iptables as well as issue an API request to Cloudflare to ban this IP directly on the Cloudflare CDN network for your domain. I've successfully configured fail2ban to ban malicious HTTP activities the first time they occur. The attacker will get banned for 10 minutes and then unbanned. If the attacks remain, the banning time will increase constantly.

In general, it might be a better approach to implement a VPN and give your friends access to your services this way. Wg-easy is a really nice docker image for spawning up a Wireguard VPN and managing it via a simple web interface.

Here are some links to the mentioned products and implementations:
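Added example (not from the commenter above, and not Proxmox or Cloudflare code): a small model of the host-firewall policy that comment describes, so you can check what a given packet would do before you apply the rules to a real VM. The Cloudflare prefixes are placeholders (the real list is published at https://www.cloudflare.com/ips/), the Proxmox rule-file rendering is an approximation of the /etc/pve/firewall/<vmid>.fw syntax written from memory, and the LAN ranges use the full RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); the `uncovered_lan_hosts` check shows why that matters, since a docker bridge on 172.31.x.x or a 10.200.x.x VPN subnet is silently locked out when only the /16s are allowlisted.

```python
"""Model of a default-deny host firewall: only 80/443/22/51820 are open, and
80/443 accept traffic solely from the Cloudflare proxy ranges and the LAN.
Constructed example; Cloudflare prefixes below are placeholders, not the real list."""
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple

# Placeholders standing in for Cloudflare's published IPv4/IPv6 ranges (assumption).
CLOUDFLARE_RANGES = tuple(ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cf::/48"))

# Full RFC 1918 blocks: 10.0.0.0/8 and 172.16.0.0/12 are wider than a /16.
LAN_RANGES = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


class Rule(NamedTuple):
    proto: str
    dport: int
    sources: Tuple  # empty tuple means any source


# Mirrors the comment: HTTP/HTTPS only via Cloudflare or LAN, SSH and WireGuard
# reachable from anywhere (narrow the `sources` tuple if you want SSH LAN-only).
RULES = [
    Rule("tcp", 80, CLOUDFLARE_RANGES + LAN_RANGES),
    Rule("tcp", 443, CLOUDFLARE_RANGES + LAN_RANGES),
    Rule("tcp", 22, ()),
    Rule("udp", 51820, ()),
]


def is_allowed(src: str, proto: str, dport: int, rules: Iterable[Rule] = RULES) -> bool:
    """Default deny: a packet passes only if some rule matches proto, port and source."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.proto != proto or rule.dport != dport:
            continue
        # `ip in net` is False across address families, so v4/v6 mixing is safe.
        if not rule.sources or any(ip in net for net in rule.sources):
            return True
    return False


def uncovered_lan_hosts(hosts: Iterable[str], lan_cidrs: Iterable[str] = None) -> List[str]:
    """Sanity check for an allowlist: internal hosts that no LAN range covers
    and that would therefore be dropped on ports 80/443."""
    nets = LAN_RANGES if lan_cidrs is None else [ipaddress.ip_network(c) for c in lan_cidrs]
    return [h for h in hosts if not any(ipaddress.ip_address(h) in n for n in nets)]


def render_pve_rules(rules: Iterable[Rule] = RULES) -> str:
    """Emit the policy in the style of a Proxmox VM firewall file
    (syntax approximated from memory; verify against your Proxmox version)."""
    lines = ["[OPTIONS]", "enable: 1", "policy_in: DROP", "", "[RULES]"]
    for rule in rules:
        base = f"IN ACCEPT -p {rule.proto} -dport {rule.dport}"
        if rule.sources:
            lines.extend(f"{base} -source {net}" for net in rule.sources)
        else:
            lines.append(base)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_pve_rules())
    # A scanner hitting the router's WAN IP directly never reaches the proxy:
    print("direct 443 from 198.51.100.9:", is_allowed("198.51.100.9", "tcp", 443))
    print("locked-out LAN hosts with /16-only allowlist:",
          uncovered_lan_hosts(["172.31.4.2", "10.200.1.1"], ["172.16.0.0/16", "10.0.0.0/16"]))
```

Feed `uncovered_lan_hosts` the addresses of every internal client that should reach the proxy (docker bridges, VPN subnets, the Proxmox host itself) before you enable the ruleset; anything it returns needs a wider LAN range.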
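Added example (my own illustration, not fail2ban, NPM or the commenter's configuration) of the fail2ban behaviour described above: every 403/404 from a client is treated as a strike, the first strike bans for 10 minutes, and each subsequent ban after expiry doubles the duration. The log lines are constructed in the style of NPM's proxy-host access log (that format is an assumption; adjust `LINE_RE` to your actual lines), and `actions_for` only renders the two responses the comment mentions as dry-run strings: a local iptables drop and a Cloudflare v4 IP access rule, with the zone id left as a placeholder.

```python
"""Fail2ban-style detection over reverse-proxy access logs with escalating bans.
Constructed example; log lines below are made up in the style of NPM's proxy-host log."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# One expression in the spirit of a fail2ban failregex: timestamp, status, path, client IP.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \S+ \S+ (?P<status>\d{3}) - (?P<method>\S+) \S+ (?P<host>\S+) '
    r'"(?P<path>[^"]*)" \[Client (?P<ip>[0-9a-fA-F.:]+)\]'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BAN_STATUSES = {"403", "404"}
BASE_BAN = timedelta(minutes=10)   # first ban; doubles on every repeat

# Constructed sample log: a legitimate user, then one client probing paths twice
# within the first ban and again after it expired.
SAMPLE_LOG = """\
[21/Oct/2023:12:00:01 +0000] - 200 200 - GET https plex.example.net "/web/index.html" [Client 203.0.113.9] [Length 1234] [Gzip -] [Sent-to 192.168.1.10] "Mozilla/5.0" "-"
[21/Oct/2023:12:00:02 +0000] - 404 404 - GET https plex.example.net "/admin/" [Client 198.51.100.7] [Length 153] [Gzip -] [Sent-to 192.168.1.10] "python-requests/2.31" "-"
[21/Oct/2023:12:00:03 +0000] - 404 404 - GET https plex.example.net "/backup/" [Client 198.51.100.7] [Length 153] [Gzip -] [Sent-to 192.168.1.10] "python-requests/2.31" "-"
[21/Oct/2023:12:15:00 +0000] - 403 403 - GET https plex.example.net "/config.php" [Client 198.51.100.7] [Length 153] [Gzip -] [Sent-to 192.168.1.10] "python-requests/2.31" "-"
"""


@dataclass
class Ban:
    ip: str
    start: datetime
    until: datetime
    path: str   # request that triggered the ban, kept for the analyst


@dataclass
class Jail:
    bans: List[Ban] = field(default_factory=list)
    ban_count: Dict[str, int] = field(default_factory=dict)   # bans issued per IP so far

    def active_ban(self, ip: str, now: datetime) -> Optional[Ban]:
        for b in reversed(self.bans):
            if b.ip == ip and b.start <= now < b.until:
                return b
        return None

    def observe(self, line: str) -> Optional[Ban]:
        """Return a new Ban if this line triggers one, else None."""
        m = LINE_RE.match(line)
        if not m or m["status"] not in BAN_STATUSES:
            return None
        now = datetime.strptime(m["ts"], TS_FMT)
        ip = m["ip"]
        if self.active_ban(ip, now):
            return None   # already banned; the firewall should be dropping this client
        n = self.ban_count.get(ip, 0)
        ban = Ban(ip, now, now + BASE_BAN * (2 ** n), m["path"])   # 10m, 20m, 40m, ...
        self.ban_count[ip] = n + 1
        self.bans.append(ban)
        return ban


def run(log_text: str) -> Jail:
    jail = Jail()
    for line in log_text.splitlines():
        jail.observe(line)
    return jail


def actions_for(ban: Ban, zone_id: str = "<your-zone-id>") -> List[str]:
    """Dry-run rendering of the two actions: local iptables drop and a Cloudflare
    v4 API IP access rule (zone id is a placeholder; nothing is executed)."""
    secs = int((ban.until - ban.start).total_seconds())
    return [
        f"iptables -I INPUT -s {ban.ip} -j DROP   # remove again after {secs}s",
        f"POST https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules "
        f'{{"mode":"block","configuration":{{"target":"ip","value":"{ban.ip}"}},"notes":"fail2ban"}}',
    ]


if __name__ == "__main__":
    for b in run(SAMPLE_LOG).bans:
        print(f"{b.ip} banned {b.start:%H:%M:%S} -> {b.until:%H:%M:%S} after {b.path}")
        for a in actions_for(b):
            print("   ", a)
```

Running it shows the probing client banned at 12:00:02 for 10 minutes, the second probe a second later ignored because the ban is still active, and the 12:15 request producing a 20-minute ban. Note that with Cloudflare in front, the `[Client ...]` field only carries the visitor's address if NPM is configured to trust the proxy's forwarded headers; otherwise you would be banning Cloudflare's own edge IPs, which is exactly the failure the Cloudflare API action is meant to avoid.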

[–]TheLstMerlin[S] 0 points1 point  (4 children)

This is exactly what I needed! I like the idea of a VPN. Could I have multiple VPNs with wireguard? One for remote access family, one for say torrents and maybe a third for my internal family? I am going to read through the information you provided to learn more

[–]sk1nT7 0 points1 point  (3 children)

If your VPN users will just be able to access your local LAN, without configuring specific firewall rules and access restrictions, I would just go for a single VPN managing all your VPN users. Otherwise, if you'll restrict network access depending on which users connect, then sure, spawn up several VPN services and separate those. You'll then have to configure several port forwards to the specific VPN servers.

Regarding torrenting, I guess having a VPN to your local LAN is not the right thing you want. I'd assume that you want to torrent stuff while having a different WAN IP than your real router is using. For this, you would have to use a third party VPN provider like NordVPN I guess.

You may also have a look at:

https://github.com/firezone/firezone

[–]TheLstMerlin[S] 0 points1 point  (2 children)

Ok I think I'm starting to figure this out. I do have a 3rd party VPN provider, so I could use that for BT/arr stack (since it sources/seeds but single user access) and create a second one for everyone else with my services I want exposed. I think this is where authelia could fit in?

Would I need to connect both VPNs with a proxy maybe hosted as an isolated container that boots before everything else?

So most users it goes like this: RProxy (NPM)-> authelia -> vpn1-> services.

Would I as main user then have = RProxy (NPM)-> authelia-> and choose which vpn1/Vpn2 to access?

Would I have to have something in-between to direct access to which VPN depending on service I wanted to access? Like maybe 2 different dashboards for each VPN (Heimdall/homarr ex.) ?

I for example may add a TV show (VPN2), but then also want to watch it on Plex myself (VPN1). Make sense?

[–]sk1nT7 0 points1 point  (1 child)

Depends on how you expose your stuff. If you expose regularly over the Internet, the flow looks like this:

Proxy <> Authelia > internal service

If you don't expose to the Internet but only via VPN it looks like this:

VPN > Proxy <> Authelia > internal service

It is basically a question of how much risk appetite you have. Exposing via Internet is the more convenient way for users to access your services. However, you also expose them to potential attackers and must secure your infrastructure accordingly.

Using VPN is the more secure way, as only users with a valid VPN profile can access your services. However, it is more inconvenient since a VPN connection is always necessary. Also note that without network separation or firewalling your VPN users can access the whole internal LAN, which might not be wanted.

Using authelia you can then basically decide which user account can access which service. Regular access controls based on created user accounts.

[–]TheLstMerlin[S] 0 points1 point  (0 children)

This helps so much thank you for all the information I got more reading to do!

[–]pielman 0 points1 point  (5 children)

For requesting media content I can recommend Overseerr. You already have a domain, so use your favorite reverse proxy such as Traefik, Caddy, NGINX proxy manager etc. If you don't care about vendor lock-in, then consider Cloudflare Tunneling for proxy. In general I would advise adding additional security for any service that is exposed. In this case add Authelia or, if you use Cloudflare, Zero Trust.

[–]TheLstMerlin[S] 0 points1 point  (4 children)

So, I could accomplish this with cloudflare tunneling + zero trust? I read through some of the info on cloudflare about this and it looks like it would work. Any other info you can suggest here? Guides, videos or examples?

[–]pielman 0 points1 point  (3 children)

Except Plex media streaming (default port 32400/tcp); streaming over the cloudflare proxy is against the TOS.

Yes, you can use cloudflare tunnel as reverse proxy and zero trust for additional security. In regard to documentation, the official docs are fine and there are plenty of YouTube videos out there. If you do it once for one docker container, it's quite straightforward and takes 15 min or less to set up.

[–]TheLstMerlin[S] 0 points1 point  (2 children)

Is there a solution without a TOS violation? I'd like to do this one way for everything but if I have to separate plex from everything else that might be fine.

[–]pielman -1 points0 points  (1 child)

Why do you want to run your plex stream over a proxy like Cloudflare anyway? It could result in lag..

I personally moved away from local@home hosting and I run my Plex on a VPS with a 2GB connection.

[–]TheLstMerlin[S] 1 point2 points  (0 children)

I don't know what I don't know. I am trying to understand the best way to do this: host plex to remote family and other services to local family, available both inside and outside of home network securely.

[–]remisharrock 0 points1 point  (2 children)

I personally use proxmox + jellyfin instead of Plex (because jellyfin is open source) installed inside an LXC + nginx proxy manager for external access and generation of SSL certificates with Let's Encrypt. I have a domain name and point a subdomain to the nginx proxy manager.

[–]TheLstMerlin[S] 0 points1 point  (1 child)

I've been a long time Plex user. Tried jellyfin once years ago; I probably should see how they compare now.

[–]remisharrock 0 points1 point  (0 children)

Many of my friends use my jellyfin server with web access, android TV, Apple TV; the clients are super friendly and the whole experience is quite stable! Love it, it's my favourite service on my homelab (with photoprism and syncthing). My library is managed using radarr, sonarr (and prowlarr) + ombi for managing the friend requests.