I have looked into quite a few ways that I could access services from my homelab. Currently I am using Wireguard that works well. The issues are that I want to expose services that are in my lab to the outside world. I am not sure how to go about it in a secure manner. For example I would like to host a Minecraft server (maybe other game servers), a blog, Nextcloud and wiki. How would I go about this?
Right now Nextcloud is fine over Wireguard, the wiki I am using cloudflare tunnel. The blog hasn’t been created yet and Minecraft server is security though obscurity.
The things I have no idea how to work around is the public blog and the Minecraft server. Blog I could buy a vps that would be fine or Cloudflare tunnel but games servers I have not a clue.
I am also interested in other ways to do the same things and how to expose apps like Jellyfin or Kavita.
Some VPN providers offer external inbound ports which can be used as a reverse proxy of sorts. It would take some creative use of ACLs, but those could be reasonably good as a reverse proxy, assuming they don’t ruin the latency. The only one I know anything about only offers one port though, so that would be limiting.
For HTTPS connections you already have cloudflare reverse proxy, so that’s good. You can put all your servers behind an NGINX reverse proxy and then use that system as the DMZ to Cloudflare. Again, with some ACLs you can expose the NGINX system to the internet, but only allow requests from Cloudflare if you’re trying to avoid direct access.
I’m sure there are reverse proxy services out there if you’re looking for something a little more purpose-built.
If you are using docker I would look at swag I am running it and it seems to work well. There is no gui but the files are well labeled and work well for me.
I feel like Cloudflare is good enough for https traffic. Iean no open ports keeps me from being low hanging fruit. NGINX prxoy isn’t something I thought about but sounds like a good idea.
Crowdsec I know very little about but will look into. And DMZ isn’t something I completely understand how to utilize properly. I get the idea but most time I have seem people suggest it on other post it is quickly shot down. I need to do more research on how to properly use a dmz
I am using docker at the moment baked into TrueNAS scale I will give this a look. I maybe moving over to Ubuntu/RHEL and Podman so need to see if it would work with Podman I assume it would.
DMZ is a generic term for ‘separating one set of infrastructure from another’
it can be really advanced with multiple routers and all sorts of wizardry, or, IPTables, some static DNS, and NOT using the same root password on everything.
don’t over complicate things for the sake of ‘security by complexity’.
Crowdsec does seem to offer another layer, i have had it catch a dozen ‘known bad IPs’ in the last 30 days.
Ideally VPS and reverse proxy. VPS to home lab is connected by wireguuard. Vps ip is what is the front end. The ip you connect to or domain attached to the vps.
There are mutliple ones. HA, Traffek, nginx, apache.