home-lab/machines/reverse-proxy/About.org
Geir Okkenhaug Jerstad 9837d82199 Refactor: Simplify module structure and reorganize services
- Removed system/ directory, merged applications into users/geir.nix
- Simplified fonts.nix to bare minimum (users can add more)
- Moved transmission.nix to sleeper-service/services/ (machine-specific)
- Organized grey-area services into services/ directory
- Updated import paths and tested all configurations
- Added research documentation for deploy-rs and GNU Stow
2025-06-07 12:11:20 +02:00


#+TITLE: Reverse Proxy Server
#+AUTHOR: Geir Okkenhaug Jerstad
#+DATE: [2025-06-04 Wed]
* Machine Overview
Also known as =vps1=.
IP information (=ip addr= output; only the Tailscale address is recorded here):
#+BEGIN_EXAMPLE
enX0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:d5:da:20 brd ff:ff:ff:ff:ff:ff
    altname enxfa163ed5da20
tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 100.96.189.104/32 scope global tailscale0
#+END_EXAMPLE
** Role
- *Primary Function*: Reverse proxy and SSL/TLS termination
- *Secondary Functions*: Load balancing, external access gateway
- *Network Position*: Edge server handling external connections
** Services
- Nginx or Traefik reverse proxy
- Let's Encrypt TLS certificate management (ACME, automatic issuance and renewal)
- Fail2ban for banning clients that repeatedly fail SSH authentication or trip proxy limits
- Basic system monitoring
- Firewall management for external access
** Architecture Notes
- Headless operation (no desktop environment)
- SSH-only access
- Minimal attack surface
- High availability requirements
- SSL/TLS offloading for internal services
** Routing Configuration
Routes external traffic to internal services:
- =grey-area= (Forgejo, web applications)
- =sleeper-service= (file sharing, if exposed externally)
- =congenital-optimist= (development services, if needed)
** Security Considerations
- First point of contact for external traffic
- Rate limiting (per-client request and connection limits at the proxy) and basic DDoS mitigation
- Automated security updates
- Log monitoring and alerting
- Certificate renewal automation
** Network Configuration
- Static IP assignment
- Firewall rules for ports 80, 443, 22 (80/443 public; since management goes over Tailscale, 22 should only be reachable on =tailscale0=, not on the public interface)
- Internal network access to other machines (over the tailnet)
- Tailscale integration for management
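As an added example (not configuration from this repository), the following NixOS module ties together the items listed under Services, Routing Configuration, Security Considerations and Network Configuration for this host: nginx as the TLS-terminating reverse proxy with Let's Encrypt certificates, per-client rate limiting, fail2ban, a firewall that exposes only 80/443 publicly and SSH only over =tailscale0=, and automatic upgrades. The hostname =git.example.org=, the ACME e-mail address and the tailnet address =100.64.0.2= for =grey-area= are placeholders; the Forgejo port 3000 is its upstream default and is also an assumption.

```nix
# Added example for the reverse-proxy host; not part of the home-lab repo.
# Placeholders: git.example.org, admin@example.org, 100.64.0.2 (grey-area).
{ config, lib, pkgs, ... }:

{
  # Edge firewall: only HTTP/HTTPS from the internet. SSH is not opened
  # globally; it is only allowed in over the Tailscale management interface.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
    interfaces."tailscale0".allowedTCPPorts = [ 22 ];
  };
  services.tailscale.enable = true;

  services.openssh = {
    enable = true;
    openFirewall = false;            # the tailscale0 rule above is the only way in
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # Let's Encrypt via the ACME module; HTTP-01 needs port 80 open (it is).
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.org";   # placeholder
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;   # Host, X-Forwarded-*, proxy buffering
    recommendedTlsSettings = true;     # modern protocol/cipher defaults
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    # Write the error log to a file so fail2ban can watch it (default is stderr).
    logError = "/var/log/nginx/error.log";

    # Per-client request and connection limits shared by all vhosts.
    appendHttpConfig = ''
      limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;
      limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
      limit_req_status 429;
    '';

    virtualHosts = {
      # Forgejo on grey-area, reached over the tailnet (address is a placeholder).
      "git.example.org" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://100.64.0.2:3000";
          proxyWebsockets = true;
          extraConfig = ''
            limit_req  zone=perip_req burst=20 nodelay;
            limit_conn perip_conn 20;
            client_max_body_size 512m;   # git pushes over HTTPS
          '';
        };
      };
      # Catch-all for requests that do not match a configured name: close the
      # connection without a response and never serve another vhost's cert.
      "_" = {
        default = true;
        rejectSSL = true;
        locations."/".return = "444";
      };
    };
  };

  services.fail2ban = {
    enable = true;
    ignoreIP = [ "100.64.0.0/10" ];        # never ban tailnet peers
    bantime-increment.enable = true;       # repeat offenders get longer bans
    jails = {
      # The sshd jail is on by default. Add the stock nginx-limit-req filter,
      # which matches nginx's "limiting requests" error-log lines.
      nginx-limit-req.settings = {
        filter = "nginx-limit-req";
        port = "http,https";
        logpath = "/var/log/nginx/error.log";
        maxretry = 10;
        findtime = "10m";
        bantime = "1h";
      };
    };
  };

  # Automated updates; reboots are left to a maintenance window.
  system.autoUpgrade = {
    enable = true;
    allowReboot = false;
  };
}
```

Two points worth checking after deploying something like this: confirm with =nix build= or =nixos-rebuild dry-activate= that the generated =nginx.conf= contains the =limit_req_zone= line in the =http= block (it must precede any =limit_req= use), and test from a host outside the tailnet that port 22 is filtered while 80 and 443 answer, since =services.openssh.openFirewall= defaults to true and would otherwise reopen SSH on the public interface.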