home-lab/machines/reverse-proxy/About.org
Geir Okkenhaug Jerstad d112f28ac9
docs: add content to reverse-proxy About.org
Complete documentation for reverse-proxy machine:
- Role: SSL/TLS termination and external traffic routing
- Services: Nginx/Traefik, Let's Encrypt, Fail2ban, monitoring
- Security: Edge server with minimal attack surface
- Routing: External traffic to grey-area, sleeper-service, etc.
- Network: Static IP, firewall rules, Tailscale integration
2025-06-04 16:36:44 +02:00


Reverse Proxy Server

Machine Overview

Role

  • Primary Function: Reverse proxy and SSL/TLS termination
  • Secondary Functions: Load balancing, external access gateway
  • Network Position: Edge server handling external connections

Services

  • Nginx or Traefik reverse proxy
  • Let's Encrypt SSL certificate management
  • Fail2ban security protection
  • Basic system monitoring
  • Firewall management for external access

Architecture Notes

  • Headless operation (no desktop environment)
  • SSH-only access
  • Minimal attack surface
  • High availability requirements
  • SSL/TLS offloading for internal services

Routing Configuration

Routes external traffic to internal services:

  • grey-area (Forgejo, web applications)
  • sleeper-service (file sharing, if exposed externally)
  • congenital-optimist (development services, if needed)

Security Considerations

  • First point of contact for external traffic
  • Rate limiting and DDoS protection
  • Automated security updates
  • Log monitoring and alerting
  • Certificate renewal automation

Network Configuration

  • Static IP assignment
  • Firewall rules for ports 80, 443, 22
  • Internal network access to other machines
  • Tailscale integration for management
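The routing, rate-limiting and port layout described above, as one added nginx example that is not part of this repository's configuration. It assumes the public hostname git.example.org, an ACME webroot and certificate files under /var/lib/acme, and that grey-area's Forgejo is reachable internally as grey-area.internal on port 3000.

```nginx
# Constructed example: nginx edge vhost for the reverse-proxy machine.
# Hostname, upstream address and certificate paths are assumptions.

# Rate limiting state: one zone keyed by client IP, 10 requests/second.
limit_req_zone $binary_remote_addr zone=edge:10m rate=10r/s;

# Port 80: answer ACME HTTP-01 challenges for Let's Encrypt renewals,
# redirect everything else to HTTPS.
server {
    listen 80;
    server_name git.example.org;

    location /.well-known/acme-challenge/ {
        root /var/lib/acme/acme-challenge;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS terminates here; the hop to grey-area stays plain HTTP
# on the internal network.
server {
    listen 443 ssl;
    server_name git.example.org;

    ssl_certificate     /var/lib/acme/git.example.org/fullchain.pem;
    ssl_certificate_key /var/lib/acme/git.example.org/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Allow a short burst, reject the excess with 429 instead of queueing it.
    limit_req zone=edge burst=20 nodelay;
    limit_req_status 429;

    location / {
        proxy_pass http://grey-area.internal:3000;
        # Forgejo needs the original Host and client IP to build correct
        # URLs and to log the real client rather than the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 512m;   # git pushes over HTTPS can be large
    }
}
```

Only ports 80 and 443 are bound here; the SSH port from the firewall list serves management access to the proxy itself and is not proxied.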