As the title says, I want to know the most paranoid security measures you’ve implemented in your homelab. I can think of SDN solutions with firewalls covering every interface, ACLs, locked-down/hardened OSes etc but not much beyond that. I’m wondering how deep this paranoia can go (and maybe even go down my own route too!).

Thanks!

  • MigratingtoLemmy@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    3
    ·
    11 months ago

    Every web-based service is only accessible with a FQDN which auto-redirects to HTTPS and has an actual certificate signed by a trusted CA

    I’m assuming this is in your internal network. The problem with this is that communication from the client to the reverse-proxy (unless you’re running a reverse-proxy sandboxed with each application/are directly decrypting traffic at the base of your application) is encrypted, but the traffic from the server to the reverse-proxy is not.

    • MostlyGibberish@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      11 months ago

      Definitely a consideration. In my case, the vast majority of my services are running in docker on a single host box, including the reverse proxy itself (Traefik). That unencrypted traffic never goes out over a wire, so for now I’m not concerned.

      • raldone01@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        11 months ago

        Bonus points for creating lots and lots of networks grouping the databases together with only their respective containers.

        ip a is a huge mess.