As the title says, I want to know the most paranoid security measures you’ve implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I’m wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

  • MigratingtoLemmy@lemmy.worldOPEnglish
    3·
    9 months ago

    Every web-based service is only accessible with a FQDN which auto-redirects to HTTPS and has an actual certificate signed by a trusted CA

    I’m assuming this is in your internal network. The problem with this is that communication from the client to the reverse-proxy (unless you’re running a reverse-proxy sandboxed with each application/are directly decrypting traffic at the base of your application) is encrypted, but the traffic from the server to the reverse-proxy is not.

    • MostlyGibberish@lemm.eeEnglish
      2·
      9 months ago

      Definitely a consideration. In my case, the vast majority of my services are running in docker on a single host box, including the reverse proxy itself (Traefik). That unencrypted traffic never goes out over a wire, so for now I’m not concerned.

      • raldone01@lemmy.worldEnglish
        2·
        9 months ago

        Bonus points for creating lots and lots of networks grouping the databases together with only their respective containers.

        ip a is a huge mess.