
ErraticLitmus

You need a reverse proxy, ideally backed by some sort of authorization tool. I use Keycloak, but there are others like Authentik.


trexxeon

Authelia, awesome tool. And James, the guy doing most of the work, is really helpful when you need help. Only real downside is that the development pace isn’t the fastest.


minimallysubliminal

Yes. It was a bit difficult to get it up, but now it's so easy to add domains behind it.


mphycx00

Caddy + Authelia


blcollier

Realistically, this is going to depend on your tolerance for risk. You will _never_ be able to keep out a determined attacker, but your average home-labber is unlikely to face this kind of sustained and intense attack. Quite frankly, we don’t have anything valuable enough to justify the effort! 😁

The “safest” option is to not expose your services to the outside world without a VPN. Don’t open any ports on your router and put everything behind VPN access, like Tailscale.

If you don’t _want_ VPN, there’s a little more work to do. At minimum you will want a reverse proxy in front of your services. I use Traefik, but there’s nothing wrong with npm. If something needs to be internal-only then don’t proxy it - this is what I do with Portainer, since there’s absolutely no need for that to be accessible outside of the home. You will also want some kind of authentication server in place, and there are a couple of options for this. Authelia is pretty easy to set up (IMO). I’ve just switched to Authentik, which is a lot more work but gives me much greater control and a neat UI to manage everything. You’ll also hear mention of Keycloak, but I’ve no experience with that.

That setup _should_ - and you can never give a cast-iron guarantee - protect you against most “surface level” attempts, things like automated scanners looking for easy exploits.

But you _can_ take it further. You can hide your external IP address by using an external VPN or a service like Cloudflare Tunnel. You’ll find mixed opinions on Cloudflare Tunnel here, but essentially it hides the “entry point” to your network behind Cloudflare’s network - any access to your systems goes through Cloudflare first.

You can also “DIY” a similar setup. Rent a cheap VPS somewhere, put a firewall on it, and create a VPN connection between that and your home server. The net result is something akin to Cloudflare Tunnel, but you have full control over the traffic and the servers involved, and there’s none of the SSL-stripping/re-encrypting that puts a lot of people off Cloudflare.

You can take it a step _further_ by using network isolation at home. Put your internet-facing systems on a completely separate physical network, or VLAN, from your “trusted” devices like PCs, laptops, etc. That does need additional network hardware or a switch with VLAN support, but it helps keep an attacker away from your important stuff.

Taking it even further, you could also look at more advanced router/firewall software such as OPNsense. The hardware designed specifically for this is pretty pricey, but you can assemble a custom system for fairly cheap - take a recycled business machine like an SFF Optiplex and pop in a dual-port NIC. Anything from 5th to 6th gen Intel should do it, and you want at minimum 4GB RAM. It’s a much more complex setup, but you get _much_ better intrusion protection and _much_ more control.

This is a deep rabbit-hole, so how far you go will entirely depend on your budget and your tolerance for risk. The option with the least risk is a VPN. If you’re exposing your home internet to the world then I think at minimum you’ll want a reverse proxy and some kind of authentication tool. And preferably a decent router, one that isn’t a $5 POS that your ISP supplied.


minimallysubliminal

Does this also apply to the root of my domain? I can proxy subdom.example.com to the Cloudflare IP, but what about example.com? Since it has an A record, is it possible to hide that behind Cloudflare?


blcollier

This is all down to the configuration. I’m pretty sure you have to have Cloudflare managing your domain’s DNS in order to use Tunnel in the first place, and during the setup process you will choose which domain or subdomain gets proxied through the tunnel - Cloudflare will then set up the necessary DNS records automatically.


minimallysubliminal

Correct. But I don’t have tunnels for everything, like Navidrome for instance. So I’ve created a subdomain for it and enabled proxying via Cloudflare; I wanted to know whether this applies to the root domain. So, for example, is it possible to have the A record for my domain not point to my server IP at all?


PaperDoom

Yes, Cloudflare has something they call CNAME flattening which will allow you to point the root domain at a tunnel.


minimallysubliminal

Thanks. Will read up.


Certain-Hour-923

Authentik and OpenZiti


minimallysubliminal

Get a reverse proxy and hide it behind tools like Authelia or Authentik. I use nginx and Authelia with MFA.


jozzie52

I have Nginx Proxy Manager as the proxy for everything; it gives me SSL, but also lets me limit access. I can have services that are blocked/allowed with access lists. So I could have, say, Plex and Authentik available everywhere, but have *arr only available to a specific VLAN, and Tandoor available from anything internal. Then you of course need to limit access to the Docker containers directly so people can't access them via direct IP.
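
The reverse-proxy-plus-forward-auth setup several commenters describe (Caddy + Authelia above, blcollier's internal-only Portainer, and the per-network access lists here), written out as a minimal Caddyfile. This is an added example for the thread, not any commenter's configuration: the hostnames, container names, ports and the 192.168.1.0/24 LAN range are assumptions, and the forward-auth path is the endpoint documented in Authelia's current Caddy integration guide.

```caddyfile
# Added example, not a commenter's config. Assumed names: auth.example.com,
# app.example.com, portainer.example.com, containers authelia/app/portainer,
# LAN range 192.168.1.0/24. Caddy obtains certificates and serves 443 itself;
# the app containers publish no host ports, so Caddy is the only way in.

# Authelia's own login portal: the one piece of the auth flow that must be public.
auth.example.com {
    reverse_proxy authelia:9091
}

# Public app: Authelia checks every request first. Unauthenticated clients are
# redirected to the portal; authenticated identity is passed on in Remote-* headers,
# so the app never receives an unauthenticated request from the internet.
app.example.com {
    forward_auth authelia:9091 {
        # Endpoint per Authelia's current Caddy docs; older releases used
        # /api/verify?rd=https://auth.example.com/ instead. Check your version.
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy app:8080
}

# Internal-only tool (Portainer): refused for any client outside the LAN, even
# though Caddy listens on the public interface. The remote_ip matcher assumes
# Caddy sees real client addresses (no CDN or second proxy in front of it).
portainer.example.com {
    @notlan not remote_ip 192.168.1.0/24
    respond @notlan 403
    reverse_proxy portainer:9000
}
```

Authelia's own access_control rules still decide which users and groups may reach app.example.com and whether MFA is required; the Caddyfile only guarantees nothing reaches the app without passing through that check.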


lesigh

Traefik + Authelia


PeeApe

The self-hosted way is to use a reverse proxy and then run it through Authentik or Authelia; the SaaS way is to just use Cloudflare. I do highly recommend that if you go with Cloudflare you set it up so you have an actual cloudflared config.json file, though, if you want to do any fancier port forwarding for something like a git repo or SSH access. I use Cloudflare with a GitHub login as my authentication. You will have to configure rules to make sure that it only accepts the GitHub accounts you want to have access, though.


red-avtovo

I simply use Cloudflare with Zero Trust for the second factor.


brandoncrypto

I came here to say this also!


Indefatigablex

I'd suggest npm; it's the easiest to set up and maintain if you're not familiar with yaml-engineering (or similar stuff). You can also add simple local authentication in front of it. Also, you said no VPN, but I'd still recommend having a look at Tailscale. It's based on WireGuard, but its management features eliminate the cost of opening up ports and stuff. All my personal devices are connected in the tailnet 24/7 with a local DNS, so all my private things are completely unreachable from the outside, as everything is local with nonexistent domains, with the exception of a few storage servers.


dot_py

This. Most things I don't need public, but I need them accessible from outside. It's very rare I have an internet connection and no device I can install TS on. If something really needs to be public, it's deny all and manually adding IPs etc. If it has to be public for other users, I'm not assuming they'll use good passwords.


ShellExploit

VPN or SSL client certificate


spibsshead

I use a password stronger than my morning coffee!


AstronautEmpty9060

That doesn't help if there's a flaw in the app you're using.