I'd recommend everyone use logically seperated traefik instances for internal and external. Yes it does require a bit more configuration but it's going to be the most secure.

Excellent information! One addition thing I have done is restrict the entry of my NAT rules for ports 80 and 443 to the Cloudflare ASN in Opnsense. It doesn't even appear to be an open port any longer.

Once again, another amazing video. Already waiting for the next one.

I think the biggest flaws is in the volume mountpoint, mounting the Docker socket directly is not recommended, even the traefik documentation state you should not do that in prod. If somehow an external user get access to your traefik instance even through CloudFlare, they will have root access to your Docker, unless you are running traefik as nonroot

Thanks for the video. I went with the dual traefik instances approach. Separation of concerns and less chance of adding mistakes to config.

I run the two instance setup. I have my docker compose set up so I use environment variables for configuration, then there is a merge feature where I have most of the config in a section that is then referenced and the internal/external portions only specify their unique elements (such as the IP whitelist). Additionally, on the external point, I have an additional docker constraint tag, so by default enabling items only registers them on the internal instance, but i can add an additional label to list them on the external provider as well. My setup is is all about doing as much of the work in the traefik configuration itself as possible, then the services themselves only have to specify a bare minimum, typically only a hostname and to enable (i have exposedByDefault set to false). I even have them sharing a cert store by mounting the same file, but only giving the external instance read-only access to it. Now THAT is something I wish I had a better way of managing, especially as most acme providers can run into conflict if you request multiple certs at the same time, and I don't want any internal subdomains explicitly listed on my publicly served cert.

Jim is always there when I'm lost, thanks man for ideas!

Just don't do it. If you want to access internal apps externally, come into your home network with your own VPN. It's the only safe way.

Chapter title “demonstrating the problem”, … Opens a VM on screen share and talks 😄 Joking aside, great stuff on your channel! Thanks for sharing good info

You're missing what I think is the best option. Just run 2 Traefiks. One on an internal-only IP, and one that's exposed to the outside world running your public projects. You can (and should) even put them on their own vlans.

Thank you very much for this video ! Hardest part was to do the port forwarding/translation and not mess with docker iptables.

Amazing video, your explanations are so clear and your talking flow is just perfect. I choose solution 2 for now. Thanks a lot for all your work.

Godsent! Could not have come at a better moment in time for me. I just hope I can manage the complexity. I love the idea of docker-compose, but I've already let blood for a decent amount of time with the docker + docker compose documentation. And man if you already only half know what you're doing docker / compose / volumes /networking sure ain't gonna help that. The worst part is: it's difficult to diagnose. Is it fw rules? Is it vlan? Is it DNS? (it's always DNS) etc. I love the tinkering, but it to be a harsh mistress .. and hard on free time and money on top.

Nice video! What should I do if my router doesn’t support port translation? Thank you for your hard work!

Great video, though I would use different ports for the external, something like 8080 and 8443

The most secure option for home networks is to only use remote access vpn solutions such as wireguard to connect to your home resources. And with the wireguard connect on demand feature you don't have to manually enable your wireguard when away from home WiFi networks.

4:55 Yes there is! I know of a source where i get a list of all current DNS records. It's updated every 24 hours. And so it only takes a simple grep to get a list of your sub-domains - all of them.

Please keep in mind, that only applications which have 'Routers' in traefik are exposed... Like your SQL, Redis, Elastic, etc containers is probably not exposed to the public... I have two middlewares that I reference in my labels, public@file and private@file depending on if I want it exposed to the public or not, then in that middleware is the crowdsec bouncer and whitelist depending on which middleware

Thanks for the demo and info, have a great day

Thanks for highlighting this point. It should be the most overlooked security flaw for most homelabbers. Updating my traefik config tonight!

Why not Authelia/Authentik to add 2FA to your endpoints and use it as the middleware and make them have to go through multifactor authentication in order to get to the service?

the problem here is that you need a local DNS or modify the hosts file, both the external client and the internal client. Is not there a way so that the proxy redirect it?

Could you please explain a bit more under what circumstances this security issue exists? And which local services are accessible? Do you mean services that are considered only for local usage and still have a config within traefik or how how does the infrastructure look when vulnerable?

Would there be a point to doing a setup like this if you keep everything internal and access it externally only via Tailscale?

What about using Keycloak or something similar and having all applications OAuth2/OIDC enabled? All apps without a valid login session will redirect to the Keycloak login page...

What I done, open remote port for once, get certbot do its things (filling my acme.Json) after that close the port, is I am doing wrong?

hey great video! Qustion, out of curiosity, if you are not exposing your password manager (vaultwarden - I use it as well), how do you you it on your phone or when your are not connected to your local network?

Very nice hints in this video. I'm improving a lot of my homelab based on your videos. It would be nice if you could do a video explaining with more detail how to create firewall rules in Sophos-XG and how to apply IPS and any other improved security mechanisms.

I love the ideas, and I'm trying to implement them all! I can't seem to get the cloudflare proxy service to play right with my hairpin NAT. It works great if my service is not behind cloudflare proxy, but if I put my service behind cloudflare proxy my NAT rules don't seem to catch it. Any tips?

Its so great! Thinking about switching from nginx proxy to full on traefik like you.. One thing is holding me back is the thought of having managment interfaces/services accessable on the untrusted vlan. My internal services are on the same docker host as the traefik instance so puting those service on untrusted is a bit of a no go. for traefik to be able to access the gui's from different ip's would need to use a lot more "complicated" firewall rules. How did you do it or still doing it?

A nice idea, another idea is to run two instances of reverse proxies (either Traffik or NPM) external services are hosted on the traffik-external, and internal services are hosted on the traffik-internal and just configure the firewall (pfSense etc) to forward ports 80,443 to just the traffik-external reverse proxy.

Thank for the tutorial though I don't know if I am missing something. I appreciate you hairpin NAT explanation but I'm unable to access my (https-external) service on my LAN. I have NAT reflection enabled on my OPNSense router but get a 404. My DNS overrides still list the internal IP's of all services. Is this correct?

Another thing you can do is find out your cellular provider's IP address ranges (e.g. find one public IP address used by your phone and then use Hurricane Electric BGP Tools to find ASN and ranges), and apply these as Allow rules on your firewall. Then, when you are away from your house, only access your home network from your laptop when it is tethered to your phone's Internet connection. You will have limited your attack surface a lot with just that step. I also use a VPN with this so my firewall will only accept the VPN connection when it is coming from an IP address used by my cellular provider.

great video! So informative. Is there anything wrong with have all traffic (both internal and external) routed through the external entrypoint?

Does this problem exist when running traefic on K3S?

I did two seperate traefik installs, but with the cloudflare proxy (Make sure to translate to the actual IP) and then I put up security software to monitor the traefik install behind it as well both internal and external. IE things like crowdstrike. i do have authelia but I'm lookint at oauth2 I'm not terrbily set on it though.

Thank you, great video, Jim! There is one thing, I realized. When setting the sourcerange of ipwhitelist to my local network (eg. 192.168.0.0/24), it is for some reason not considered. Going on the Service in the Browser I get an "Forbidden". In trafik-log I saw that traefik "only sees" my WAN-IP, which is dynamic. Is there a workaround to constantly check the WAN-IP and alter the rule on the fly? Or is there another hint to make that work?

Hello Jim, any recommendations on improving the security of the Traefik docker container? Like it’s exposing the docker socket and no internal user this could lead to some security concerns, please share you’re thoughts, thanks

Love your videos. instead of opening up ports can you set up a cloudflare tunnel directly to traefik and let traefik manage which subdomain should go to which ip and port ? Something like NginxProxyManager behind a cloudflare tunnel but cooler

I'm still trying to understand why using Traefik is superior to just setting port forwards with port translation and IP whitelists in the firewall (in my case pfSense) itself?

My thought is, can I ipwhitelist services to private addresses for my internal services as a middleware on traefik, and for my external services allow any ip? and throw in Authlia in front of all my services anyway so it is blocked with auth to begin with for an additional layer. Would something like this work?

Still learning along the way, mostly because of your videos! So, if you would like to expose only certain apps to certain users/ip-adresses, would it not be safer to just use something like Twiingate or OpenZiti? So you would not have to open any port whatsoever? Or would that be too strict and hamper usability?

Tha ks very muchbfor the video, like someone commented have been trying to read ducumentation to understa d but is a task. Have two questions , so is tgos the way to protect the traefik dashboard? Also how can point traefik to another docker host for other applications? What i would like to do is have one docker with just traefik and crowdsec for enamplle and host the other apps on another docker host. What are youbthoughts on this eg which security apps beed to be on the same host as traefik and which ones dont. Thanks for any feedback

super tutorial. thanks Jim. i try to do. but it isn't work. have i do crowdsec (your tutorial video) first? than after traefik-secure tutorial video? thanks

What about using cloudflare tunnel? Do i have the same issues when only defining some public hostnames? Is it also possible to access to internal apps, which have in my case slso another subdomain as my external apps?

Great videos 👍 i just have a question about jellyfin. Will cloudflare not shut it down after time. Would love to stream my music through my jellyfin app on my mobile remotely. Is there so many mb you have?

Don’t you want your vaultwarden accessible to outside? What happens when you’re out and need to update a password? My partner won’t deal with VPNs

How about assigning an extra network interface to the docker vm, plug in an extra network cable (the port on the Switch of course assigned to a different vlan) and just let all the internal traffic go through that cable?

Would really love a video about caddy.

I'm having an issue where using the http-external tag works fine (sending traffic through port 81). As soon as I add the https-external label, the site is no longer reachable. Port 81 and 444 are routed correctly. Has anyone else run into this or have any advise?

ive foolllowed your steps but after adding the ports ans the external parts i cant long in to the traefik dashboard i get 404 page not found error

Does this vulnerability also apply to NGINX proxy manager? Eg port 443 coming from WAN routed to port 443 on nginx proxy manager which then redirects it to jellyfin for example?

I like to keep my admin interfaces on my admin VLAN/subnet. It's surprising how few tutorials cover this, and how buried in documentation it is. Even Debian is doing its best to make sure the ListenAddress option of sshd does not work:( Anyway, I wonder if i can use some similar approach to limit Docker stuff to particular subnets internally.

I solve this issue with Authelia, only specified services are allowed either by bypass, one_factor or two_factor.

i have trouble getting my dashboard to show up. i got a error message of 404 not found

Excellent video! I feel really dumb right now because I'm re-watching the video to find out why I couldn't get this setup to work on my end then I tried it a couple of days ago, and at the 5-minute mark I see why... I forgot to route ports 81 and 444 to Traefik in the docker-compose file. >_

If I may: Does JC21 Reverse Proxy have the same issue?

While whitelisting seems to be the right thing, it doesn't seem to work. If I whitelist my LAN addresses and try to open the site, it says forbidden, and the log says that is not allowed to access. If I try to use the depth of ipstrategy, the log says that the IP is empty. Does anyone know a solution?

If I proxy through Cloudflare, or use their Tunnels service, can they see the data that's being transmitted in plain text? Can the decrypt the data on their side?

Great video. I use option 3 with the whitelists and restrict access for my internal apps to my local subnet and my vpn subnet ranges. Im currently trying to work out how i can have it give a 404 rather than a 403. I also want to create a custom error page. Would be great if you could explain and show something with ref to this

Can't you make IP rules lists within Cloudflare (free)? Am I missing something?

Sure but why proxy your internal apps at all? Most guys suggest running a proxy docker network for traefik. Ideally you have separate networks for your dbs internal apps and one for the socket proxy. Then your internal apps only sit in the internal where there is no traefik endpoint. Meanwhile because these are all custom networks you can still call apps by their container name.

I dont understand how to access internal services. Can someone explain?

traefik and crowdsec how do i reserve proxy outside docker

Why not add a whitelist to the cloudflare tunnel as well?

Where is your traefik full tutorial?

I think you could also use MAC VLAN and have a separate ip for external, no ports needed.

You don't need to guess a subdomain, It's really easy to get all subdomains just by knowing the main domain name. I would do this to yours, as a test to prove it to you but here in the UK without your explicit permission to do so it would be illegal under computer misuse laws.

Very interesting, and meanwhile so complicated for noobs as me

Thanks for the good video. Option 4 would be not do a port forwarding at all and use eg. Cloudflare tunnels to expose selected services instead.

I wonder how this setup would look like with NGINX.

thanks. pls make a video how to access your services only via vpn (h. how to config firewall and how to config headscale for it.

Wouldn’t it be easier to setup ip whitelists?

You should run two proxies on diffrent vlans.

Considering method 3, is it possible to a hacker spoof its IP and pass as a whitelisted ip? My gut feeling is that option 2 is safer, but as I said, I’m not an expert, just curious hahaha

OPNsense, and you're good to go

I just can't help it, but this is how this video reads to me: 'Are you using this proxy to expose services to the internet? Well, guess what, there is a significant security flaw, and you are probably not aware of it. You have exposed services to the internet.' And yes, I know there might be people who simply don't understand the concepts and just slap in a Traefik instance in the middle of their stack because they read one tutorial and want this specific thing accessible from the internet. But who are these people who 'have a stack' and then 'accidentally' expose it to the internet as a whole? I just cannot fathom the cross-section between these two groups of people who seemingly have knowledge of running a server with a stack but then don't realize what the Traefik instance they just added to the stack does. But again, I might be biased as I have an IT background.

Go ahead, restrict it, see what happens when YOU can't connect to the internet.

How is possible that people thinks is a good practice to expose services to the exterior

The NSA just has to be all up inside Cloudflare.

Why would you want to poke holes in your firewall? Just run a cloudflare tunnel and get rid of that proxy and firewall openings. Those are serious attack vectors.

I don’t understand the port forwarding part, I don’t have a firewall like sophos are you saying I need to do a port forward from port 444 to 443 & 80 to 81 I found this video for UFW will this apply kzbin.info/www/bejne/fGq3ppuEot-tacksi=0wt8V8T0eItAIDsf

will you update this on opnsense? 👀

dont you think that is too overhead? why not just play with rules for eg Host(`resource.lan`) && ClientIP(`192.168.88.0/24`)