#+TITLE: Reverse Proxy Server
#+AUTHOR: Geir Okkenhaug Jerstad
#+DATE: [2025-06-04 Wed]

* Machine Overview
also known as vps1
Ip information: 
enX0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:d5:da:20 brd ff:ff:ff:ff:ff:ff
    altname enxfa163ed5da20
tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 100.96.189.104/32 scope global tailscale0

** Role
- **Primary Function**: Reverse proxy and SSL/TLS termination
- **Secondary Functions**: Load balancing, external access gateway
- **Network Position**: Edge server handling external connections

** Services
- Nginx or Traefik reverse proxy
- Let's Encrypt SSL certificate management
- Fail2ban security protection
- Basic system monitoring
- Firewall management for external access

** Architecture Notes
- Headless operation (no desktop environment)
- SSH-only access
- Minimal attack surface
- High availability requirements
- SSL/TLS offloading for internal services

** Routing Configuration
Routes external traffic to internal services:
- =grey-area= (Forgejo, web applications)
- =sleeper-service= (file sharing, if exposed externally)
- =congenital-optimist= (development services, if needed)

** Security Considerations
- First point of contact for external traffic
- Rate limiting and DDoS protection
- Automated security updates
- Log monitoring and alerting
- Certificate renewal automation

** Network Configuration
- Static IP assignment
- Firewall rules for ports 80, 443, 22
- Internal network access to other machines
- Tailscale integration for management