I currently host several services on my docker swarm, all of which are exposed to the internet but protected by Authelia and routed through Traefik.
I’d like to improve security and split my network into several vlans, one of which would be a DMZ for services exposed to the internet (Foundry VTT, Matrix, Searx, maybe some others), and another vlan for services that are only accessible while on a vpn (*arrs, Jellyfin, Nextcloud, etc.).
I’m not sure what is the safest and easiest way to do this. Some ideas I have:
- Setup a specfic server for my external services and connect it to a DMZ tagged vlan port.
- Run all of my services in the same docker swarm on the internal VLAN, and only have my Traefik service running in the DMZ (I don’t know if this is possible with physical vlan ports)
- Run all of my services in the DMZ, but with an IP whitelist to control access for services I only want accesible from the VPN
- Something else I haven’t thought of?
Thanks, and I appreciate the help.
I’d have all your services internal and have an additional reverse proxy in the DMZ that connects back to the internal services for anything that you expose.
This is kind of how my setup looks, only without the DMZ. PFSense NAT to nginx lxc, terminates the SSL/TLS and then uses both my swam nodes as upstream for docker services. Docker services are behind traefik, each service is its own network in docker. If its a webby service you hit treafik not a port.
I have exposed endpoints hitting HAProxy in pfSense, which then reverse proxies as needed. Same thing, basically.