Security TODO
Future Improvements
Investigate Cloudflare Tunnel as Alternative to Port Forwarding
Why:
- No ports opened on router (better security)
- Cloudflare DDoS protection
- Hides home IP address
- Works with existing Traefik setup
Resources:
- Cloudflare Tunnel Documentation
- Can work alongside or replace current port forwarding setup
Status: To investigate
Look into Pangolin
Note: Research what Pangolin is in the context of homelab/self-hosting security
Status: To investigate
Current Security Measures
Active:
- ✅ SSH key-based authentication (password auth disabled)
- ✅ Traefik SSL/TLS via Let's Encrypt
- ✅ Basic auth on Traefik dashboard
- ✅ VPN routing for Servarr stack (via Gluetun)
- ✅ Watchtower for automatic container updates
Planned:
- Investigate Cloudflare Tunnel
- Research Pangolin
- Add Fail2ban for brute force protection → Replaced by CrowdSec (see CrowdSec Setup)
- Close port 2222, disable Gitea SSH, use HTTPS git (see CrowdSec Setup#Step 1)
- Implement Traefik rate limiting middleware
- Set up IP whitelisting for admin interfaces
- Regular security audits of exposed services
- Configure automated backups with encryption
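Added example (not the page's own configuration) of what the planned rate limiting and admin IP whitelisting items look like as Traefik v2 dynamic configuration in the file provider; the middleware names, router name, host, `websecure` entry point, `letsencrypt` resolver name, `dashboard-auth` basic-auth middleware name and the 192.168.1.0/24 LAN range are assumptions to adapt to the existing setup.

```yaml
# Added example, not from the page's own Traefik setup.
# Names, host and the LAN range below are assumed placeholders.
http:
  middlewares:
    # Rate limit: average 50 requests/s per client IP, bursts up to 100;
    # requests above that receive HTTP 429.
    public-ratelimit:
      rateLimit:
        average: 50
        burst: 100
        period: 1s
    # Admin interfaces reachable only from the LAN; all other sources get
    # HTTP 403. Kept in front of, not instead of, the existing basic auth.
    admin-lan-only:
      ipWhiteList:            # called ipAllowList in Traefik v3
        sourceRange:
          - "192.168.1.0/24"  # assumed LAN range
          - "127.0.0.1/32"
  routers:
    # Dashboard router: whitelist first, then basic auth, then rate limit.
    traefik-dashboard:
      rule: "Host(`traefik.example.home`)"   # assumed hostname
      entryPoints:
        - websecure
      service: api@internal
      middlewares:
        - admin-lan-only
        - dashboard-auth      # existing basic-auth middleware (name assumed)
        - public-ratelimit
      tls:
        certResolver: letsencrypt
```

If the Cloudflare Tunnel migration goes ahead, the source address Traefik sees is the tunnel's, not the client's, so `sourceRange` would then need an `ipStrategy` that reads the real client IP from `X-Forwarded-For`, and otherwise it either blocks everyone or matches the wrong address.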
Port Forwarding Currently Active
| Port | Service | Notes |
|---|---|---|
| 80 | Traefik HTTP | Auto-redirects to HTTPS |
| 443 | Traefik HTTPS | SSL/TLS encrypted |
| 2222 | Gitea SSH | For git operations |
Risk Level: Medium
- Publicly exposed services
- Mitigated by: SSL, authentication, regular updates
Action Items:
- Monitor logs regularly
- Keep services updated
- Consider Cloudflare Tunnel migration
References
- Traefik Multi-Stack Setup - Current setup documentation
- Integrating Servarr Stack with Traefik - VPN-routed services