Once again, another amazing video. Already waiting for the next one.

Very nice hints in this video. I'm improving a lot of my homelab based on your videos. It would be nice if you could do a video explaining with more detail how to create firewall rules in Sophos-XG and how to apply IPS and any other improved security mechanisms.

Thanks for the demo and info, have a great day

Excellent information! One addition thing I have done is restrict the entry of my NAT rules for ports 80 and 443 to the Cloudflare ASN in Opnsense. It doesn't even appear to be an open port any longer.

Another thing you can do is find out your cellular provider's IP address ranges (e.g. find one public IP address used by your phone and then use Hurricane Electric BGP Tools to find ASN and ranges), and apply these as Allow rules on your firewall. Then, when you are away from your house, only access your home network from your laptop when it is tethered to your phone's Internet connection. You will have limited your attack surface a lot with just that step. I also use a VPN with this so my firewall will only accept the VPN connection when it is coming from an IP address used by my cellular provider.

Thank you, great video, Jim! There is one thing, I realized. When setting the sourcerange of ipwhitelist to my local network (eg. 192.168.0.0/24), it is for some reason not considered. Going on the Service in the Browser I get an "Forbidden". In trafik-log I saw that traefik "only sees" my WAN-IP, which is dynamic. Is there a workaround to constantly check the WAN-IP and alter the rule on the fly? Or is there another hint to make that work?

Godsent! Could not have come at a better moment in time for me. I just hope I can manage the complexity. I love the idea of docker-compose, but I've already let blood for a decent amount of time with the docker + docker compose documentation. And man if you already only half know what you're doing docker / compose / volumes /networking sure ain't gonna help that. The worst part is: it's difficult to diagnose. Is it fw rules? Is it vlan? Is it DNS? (it's always DNS) etc. I love the tinkering, but it to be a harsh mistress .. and hard on free time and money on top.

Still learning along the way, mostly because of your videos! So, if you would like to expose only certain apps to certain users/ip-adresses, would it not be safer to just use something like Twiingate or OpenZiti? So you would not have to open any port whatsoever? Or would that be too strict and hamper usability?

Great video, though I would use different ports for the external, something like 8080 and 8443

I run the two instance setup. I have my docker compose set up so I use environment variables for configuration, then there is a merge feature where I have most of the config in a section that is then referenced and the internal/external portions only specify their unique elements (such as the IP whitelist). Additionally, on the external point, I have an additional docker constraint tag, so by default enabling items only registers them on the internal instance, but i can add an additional label to list them on the external provider as well. My setup is is all about doing as much of the work in the traefik configuration itself as possible, then the services themselves only have to specify a bare minimum, typically only a hostname and to enable (i have exposedByDefault set to false). I even have them sharing a cert store by mounting the same file, but only giving the external instance read-only access to it. Now THAT is something I wish I had a better way of managing, especially as most acme providers can run into conflict if you request multiple certs at the same time, and I don't want any internal subdomains explicitly listed on my publicly served cert.

I'd recommend everyone use logically seperated traefik instances for internal and external. Yes it does require a bit more configuration but it's going to be the most secure.

Thanks for highlighting this point. It should be the most overlooked security flaw for most homelabbers. Updating my traefik config tonight!

great video! So informative. Is there anything wrong with have all traffic (both internal and external) routed through the external entrypoint?

super tutorial. thanks Jim. i try to do. but it isn't work. have i do crowdsec (your tutorial video) first? than after traefik-secure tutorial video? thanks

Its so great! Thinking about switching from nginx proxy to full on traefik like you.. One thing is holding me back is the thought of having managment interfaces/services accessable on the untrusted vlan. My internal services are on the same docker host as the traefik instance so puting those service on untrusted is a bit of a no go. for traefik to be able to access the gui's from different ip's would need to use a lot more "complicated" firewall rules. How did you do it or still doing it?

Does this vulnerability also apply to NGINX proxy manager? Eg port 443 coming from WAN routed to port 443 on nginx proxy manager which then redirects it to jellyfin for example?

Great videos 👍 i just have a question about jellyfin. Will cloudflare not shut it down after time. Would love to stream my music through my jellyfin app on my mobile remotely. Is there so many mb you have?

What about using Keycloak or something similar and having all applications OAuth2/OIDC enabled? All apps without a valid login session will redirect to the Keycloak login page...

You're missing what I think is the best option. Just run 2 Traefiks. One on an internal-only IP, and one that's exposed to the outside world running your public projects. You can (and should) even put them on their own vlans.

hey great video! Qustion, out of curiosity, if you are not exposing your password manager (vaultwarden - I use it as well), how do you you it on your phone or when your are not connected to your local network?

I think the biggest flaws is in the volume mountpoint, mounting the Docker socket directly is not recommended, even the traefik documentation state you should not do that in prod. If somehow an external user get access to your traefik instance even through CloudFlare, they will have root access to your Docker, unless you are running traefik as nonroot

I'm having an issue where using the http-external tag works fine (sending traffic through port 81). As soon as I add the https-external label, the site is no longer reachable. Port 81 and 444 are routed correctly. Has anyone else run into this or have any advise?

ive foolllowed your steps but after adding the ports ans the external parts i cant long in to the traefik dashboard i get 404 page not found error

I like to keep my admin interfaces on my admin VLAN/subnet. It's surprising how few tutorials cover this, and how buried in documentation it is. Even Debian is doing its best to make sure the ListenAddress option of sshd does not work:( Anyway, I wonder if i can use some similar approach to limit Docker stuff to particular subnets internally.

Tha ks very muchbfor the video, like someone commented have been trying to read ducumentation to understa d but is a task. Have two questions , so is tgos the way to protect the traefik dashboard? Also how can point traefik to another docker host for other applications? What i would like to do is have one docker with just traefik and crowdsec for enamplle and host the other apps on another docker host. What are youbthoughts on this eg which security apps beed to be on the same host as traefik and which ones dont. Thanks for any feedback

traefik and crowdsec how do i reserve proxy outside docker

Why not add a whitelist to the cloudflare tunnel as well?

What I done, open remote port for once, get certbot do its things (filling my acme.Json) after that close the port, is I am doing wrong?

Could you please explain a bit more under what circumstances this security issue exists? And which local services are accessible? Do you mean services that are considered only for local usage and still have a config within traefik or how how does the infrastructure look when vulnerable?

Would really love a video about caddy.

Why not Authelia/Authentik to add 2FA to your endpoints and use it as the middleware and make them have to go through multifactor authentication in order to get to the service?

Thank for the tutorial though I don't know if I am missing something. I appreciate you hairpin NAT explanation but I'm unable to access my (https-external) service on my LAN. I have NAT reflection enabled on my OPNSense router but get a 404. My DNS overrides still list the internal IP's of all services. Is this correct?

I solve this issue with Authelia, only specified services are allowed either by bypass, one_factor or two_factor.

If I may: Does JC21 Reverse Proxy have the same issue?

Great video. I use option 3 with the whitelists and restrict access for my internal apps to my local subnet and my vpn subnet ranges. Im currently trying to work out how i can have it give a 404 rather than a 403. I also want to create a custom error page. Would be great if you could explain and show something with ref to this

Can't you make IP rules lists within Cloudflare (free)? Am I missing something?

Excellent video! I feel really dumb right now because I'm re-watching the video to find out why I couldn't get this setup to work on my end then I tried it a couple of days ago, and at the 5-minute mark I see why... I forgot to route ports 81 and 444 to Traefik in the docker-compose file. >_

What about using cloudflare tunnel? Do i have the same issues when only defining some public hostnames? Is it also possible to access to internal apps, which have in my case slso another subdomain as my external apps?

Considering method 3, is it possible to a hacker spoof its IP and pass as a whitelisted ip? My gut feeling is that option 2 is safer, but as I said, I’m not an expert, just curious hahaha

Don’t you want your vaultwarden accessible to outside? What happens when you’re out and need to update a password? My partner won’t deal with VPNs

I think you could also use MAC VLAN and have a separate ip for external, no ports needed.

Please keep in mind, that only applications which have 'Routers' in traefik are exposed... Like your SQL, Redis, Elastic, etc containers is probably not exposed to the public... I have two middlewares that I reference in my labels, public@file and private@file depending on if I want it exposed to the public or not, then in that middleware is the crowdsec bouncer and whitelist depending on which middleware

If I proxy through Cloudflare, or use their Tunnels service, can they see the data that's being transmitted in plain text? Can the decrypt the data on their side?

thanks. pls make a video how to access your services only via vpn (h. how to config firewall and how to config headscale for it.

Why would you want to poke holes in your firewall? Just run a cloudflare tunnel and get rid of that proxy and firewall openings. Those are serious attack vectors.

Sure but why proxy your internal apps at all? Most guys suggest running a proxy docker network for traefik. Ideally you have separate networks for your dbs internal apps and one for the socket proxy. Then your internal apps only sit in the internal where there is no traefik endpoint. Meanwhile because these are all custom networks you can still call apps by their container name.

While whitelisting seems to be the right thing, it doesn't seem to work. If I whitelist my LAN addresses and try to open the site, it says forbidden, and the log says that is not allowed to access. If I try to use the depth of ipstrategy, the log says that the IP is empty. Does anyone know a solution?

You don't need to guess a subdomain, It's really easy to get all subdomains just by knowing the main domain name. I would do this to yours, as a test to prove it to you but here in the UK without your explicit permission to do so it would be illegal under computer misuse laws.

I dont understand how to access internal services. Can someone explain?

Where is your traefik full tutorial?

Wouldn’t it be easier to setup ip whitelists?

The NSA just has to be all up inside Cloudflare.

OPNsense, and you're good to go

Thanks for the good video. Option 4 would be not do a port forwarding at all and use eg. Cloudflare tunnels to expose selected services instead.

How is possible that people thinks is a good practice to expose services to the exterior

I just can't help it, but this is how this video reads to me: 'Are you using this proxy to expose services to the internet? Well, guess what, there is a significant security flaw, and you are probably not aware of it. You have exposed services to the internet.' And yes, I know there might be people who simply don't understand the concepts and just slap in a Traefik instance in the middle of their stack because they read one tutorial and want this specific thing accessible from the internet. But who are these people who 'have a stack' and then 'accidentally' expose it to the internet as a whole? I just cannot fathom the cross-section between these two groups of people who seemingly have knowledge of running a server with a stack but then don't realize what the Traefik instance they just added to the stack does. But again, I might be biased as I have an IT background.

Just don't do it. If you want to access internal apps externally, come into your home network with your own VPN. It's the only safe way.

I just naturally realized this about my network around the same time this video was posted and came to the same 2 traefik conclusions. Ended up going with the IPwhitelist middleware

will you update this on opnsense? 👀