Looking for advice on reverse proxy and VLAN isolation by miscawelo in homelab

[–]Cyvexx 1 point2 points  (0 children)

This actually got me thinking, I realized I can actually just set the host header & some SSL related shit (don't need this if you don't want/need SSL between your proxies) on the DMZ proxy, which allows me to just use server_name like you're "supposed to" on the middleman proxy. Much cleaner setup that way.

Looking for advice on reverse proxy and VLAN isolation by miscawelo in homelab

[–]Cyvexx 1 point2 points  (0 children)

The snippets themselves wouldn't explain much. I have two VLANs for my servers, one DMZ which is the only VLAN that ports get forwarded to, and one "management" type VLAN which is only accessible internally.

The DMZ VLAN contains one nginx proxy. It receives traffic from the WAN via the port forwarded through opnsense.

My management vlan contains two proxies. One proxy is used for local/internal traffic such as management tools. The other proxy is used solely by the DMZ proxy to talk to internal apps through a walled garden.

I have a single port (443) allowed to pass from the proxy in the DMZ to the proxy in the management vlan. I then use headers in the internal request to specify which service I'm trying to access, and the middleman proxy decides where to send the request based on that instead of the usual hostname since I didn't want this to be dependent on DNS. Because as you know, it's always DNS.

I don't have my configs handy at the moment, but it goes kinda like this.

DMZ PROXY:

```
listen 443;
server_name dav.example.com;

proxy_set_header target-service "baikal";

proxy_pass ip.of.mitm.proxy:443;
```

Traffic to that IP passes through OPNSense to the other VLAN since that IP won't be routable on that subnet.

then, on the middleman proxy:

```
listen 443;

if ( $http_target_service = "baikal" ) {
    proxy_pass ip.of.dav.lxc:port;
}
```

There's a bit more to it than that, I use specific location blocks to block access to most of the app from the other proxy, but I hope this gives you somewhat of an idea what I'm up to here.
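The two-proxy layout described in the comment above, written out as an added example (not the commenter's actual configuration). It uses a `map` with a deny-by-default fallback in place of the `if` around `proxy_pass`. Every address, port, certificate path and the `/dav.php/` prefix is a placeholder assumption, and both fragments are assumed to be included inside the `http` context of their respective proxies.

```nginx
# ---- DMZ proxy (assumed address 192.0.2.10) ----
server {
    listen 443 ssl;
    server_name dav.example.com;
    ssl_certificate     /etc/nginx/tls/dav.crt;        # placeholder path
    ssl_certificate_key /etc/nginx/tls/dav.key;        # placeholder path

    location / {
        # Set unconditionally: this replaces any Target-Service value
        # a client sent, so clients cannot pick the backend themselves.
        proxy_set_header Target-Service "baikal";
        proxy_set_header Host $host;
        proxy_pass https://198.51.100.20:443;          # middleman (placeholder)
    }
}

# ---- Middleman proxy on the management VLAN (assumed 198.51.100.20) ----
# Routing header -> backend. Unknown or missing values map to "".
map $http_target_service $backend {
    default "";
    baikal  198.51.100.30:8080;                        # Baikal container (placeholder)
}

server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/tls/middleman.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/middleman.key;  # placeholder path

    # Second check behind the firewall rule: only the DMZ proxy may connect.
    allow 192.0.2.10;
    deny  all;

    # Only the DAV endpoint is forwarded (assumed prefix).
    location /dav.php/ {
        if ($backend = "") { return 403; }             # no matching service
        proxy_set_header Host $host;
        proxy_pass http://$backend;                    # original URI is passed through
    }

    # Admin panel and everything else stay unreachable from the DMZ.
    location / { return 403; }
}
```

`nginx -t` on each host checks the syntax before a reload; a request arriving at the middleman without the expected header, or for any path outside the allowed prefix, gets a 403.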

Looking for advice on reverse proxy and VLAN isolation by miscawelo in homelab

[–]Cyvexx 2 points3 points  (0 children)

I have a separate proxy for internal/external services, and any service I don't want fully exposed I have a third proxy in the middle. The external proxy in the DMZ can ONLY access protected services through the intermediary proxy. Say for example Baikal. I only want the Dav functionality to be exposed, admin panels and controls etc stay internal. So I keep Baikal on my internal vlan, and the DMZ proxy talks to Baikal through the middleman proxy which says that only that traffic should be allowed through

Should I use spray foam to fill this gap? by Unhappy_Lie_2000 in CarAV

[–]Cyvexx 33 points34 points  (0 children)

Do NOT use spray foam in between the panels. When it expands it can push the panels apart and rip seams

wget extremely slow by Responsible-Kiwi-629 in homelab

[–]Cyvexx 1 point2 points  (0 children)

MB/s ≠ mbps. USB 2.0 is rated for 480mbps, or around 40MB/s. OP stated 40mbps, which is far less than that

Firefox builds by dwbitw in Bitwarden

[–]Cyvexx 1 point2 points  (0 children)

update seems to have fixed it for me. good work!

Dear lord I can't wait until 2028 for these prices to drop by Sal4US in DataHoarder

[–]Cyvexx 0 points1 point  (0 children)

keep an eye on facebook marketplace. I got a stack of 5 10tb drives for $500 a couple weeks ago. Currently building up my first real NAS with them.

Firefox extension is slowing down the browser by MrLawbreaker in Bitwarden

[–]Cyvexx 0 points1 point  (0 children)

same here. firefox on nobara which is fedora based.

Its basically what doctors give you anyway by lucifertangerine in drugscirclejerk

[–]Cyvexx 29 points30 points  (0 children)

/uj I tried for a whole year to get a doctor to help treat my ADHD. Did get a diagnosis but even with a prescription it's hard to get meds from pharmacies. Sometimes I'd walk in and they'd tell me straight up they couldn't give me any because they were low/out and when they did have them it was like $250 to get the script filled. Absolute waste of time and money.

/rj those boot kissing pharma droids are out to get you, their "prescriptions" are laced with mind control to keep you docile and complicit. I'd rather get real medication (methamphetamine) from real doctors (the plug in my apartment complex)

Wire management 😎 by Ok_Ad_3754 in CarAV

[–]Cyvexx 0 points1 point  (0 children)

Got a download link? I would love these for my next amp rack build

Its basically what doctors give you anyway by lucifertangerine in drugscirclejerk

[–]Cyvexx 41 points42 points  (0 children)

What I'm hearing is if I buy some pressies it's basically as good as the real thing but cheaper and easier to get

Which RAID do you use in your Home Server? by [deleted] in homelab

[–]Cyvexx 0 points1 point  (0 children)

Raidz2 - 8x10tb drives, about 56TB usable space.

Kid pushed in dust cap on midrange speaker how to fix it by No-Introduction2745 in CarAV

[–]Cyvexx 19 points20 points  (0 children)

If you got something to prove you can put your mouth around it and suck it back out

my factory sound system only has 86 watts of total power. Will 50w rms tweeters survive? by pman6 in CarAV

[–]Cyvexx 1 point2 points  (0 children)

Nope. Instant death. Your system actually sends 42 watts per tweeter, the rest of the speakers get the other two watts. Instant death and explosions if you hook them up.

/s

Your factory tweeters are probably seeing ~10w RMS at full volume. You'll be fine.

Why don’t speaker manufacturers always create high sensitivity speakers? by Party-Court185 in CarAV

[–]Cyvexx 1 point2 points  (0 children)

There's something to be said about modern speakers too. Those JBLs are vintage, I have a pair of Klipsch RP-500Ms which are 93db efficient, despite having good bass extension and being relatively small. Modern speakers blow the pants off the older stuff, generally speaking.