I currently host several services on my docker swarm, all of which are exposed to the internet but protected by Authelia and routed through Traefik.

I’d like to improve security and split my network into several vlans, one of which would be a DMZ for services exposed to the internet (Foundry VTT, Matrix, Searx, maybe some others), and another vlan for services that are only accessible while on a vpn (*arrs, Jellyfin, Nextcloud, etc.).

I’m not sure what is the safest and easiest way to do this. Some ideas I have:

  1. Setup a specfic server for my external services and connect it to a DMZ tagged vlan port.
  2. Run all of my services in the same docker swarm on the internal VLAN, and only have my Traefik service running in the DMZ (I don’t know if this is possible with physical vlan ports)
  3. Run all of my services in the DMZ, but with an IP whitelist to control access for services I only want accesible from the VPN
  4. Something else I haven’t thought of?

Thanks, and I appreciate the help.

  • TheButtonJustSpins@infosec.pub
    link
    fedilink
    English
    arrow-up
    3
    ·
    11 months ago

    I’d have all your services internal and have an additional reverse proxy in the DMZ that connects back to the internal services for anything that you expose.

    • Matt The Horwood@lemmy.horwood.cloud
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 months ago

      This is kind of how my setup looks, only without the DMZ. PFSense NAT to nginx lxc, terminates the SSL/TLS and then uses both my swam nodes as upstream for docker services. Docker services are behind traefik, each service is its own network in docker. If its a webby service you hit treafik not a port.