Opening home services to the wider Internet is a security concern, and technologies such as VPNs have become a lot easier to set up. However, there are times when you cannot install a VPN client, and Tailscale's Funnel has only just been released, so I haven't had a chance to play with it yet. I have discovered a few technologies that make it much easier to dynamically route subdomains to home services while adding layers of security on top.
Walking around the diagram above from the top left to the top right and then down to the bottom, the path traces a backwards "C" shape.
The starting point is the Internet: if you know the address, you are routed to the first service, Cloudflare Tunnel.
The tunnel carries the traffic into the home network to a reverse proxy, Traefik. Traefik has rules that either forward the request to Authelia, which authenticates the user before the request proceeds to the next step, or skip Authelia and go straight to the requested service.
Cloudflare Tunnel is a really neat feature and takes care of a lot of the public-Internet-facing privacy concerns. You set up a VPN-like tunnel using Cloudflare's own technology and then use Cloudflare DNS to route subdomains down the tunnel. Cloudflare hides your IP address behind its own, so anyone looking up the domain in DNS gets Cloudflare's IP rather than yours.
Just like a VPN, a VPN-like connector has to be running on the home side, and it forwards the traffic on to a server; in my case that is Traefik.
Traefik is a very modern reverse proxy / load balancer. Unlike HAProxy and nginx, it allows routes and services to be configured dynamically without restarting or reloading the service.
Traefik also manages SSL certificate issuance and renewal; I'm using Let's Encrypt.
Authelia is an authentication and authorisation server. It lets you add a layer of security based on rules or ad hoc settings. For example, if you don't trust a service or want to hide it, Traefik can redirect the request to Authelia for a log-in before forwarding it on to the service. It can be set up with sessions, so if you have already logged in it won't ask for your log-in details again. It supports different authentication providers, including built-in accounts.
The setup is very slick. I especially love the auto-discovery of Docker containers using labels in Traefik. It makes standing up an encrypted, publicly accessible service extremely easy.
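As an added example (not the post's own configuration), here is a Docker Compose file wiring the three pieces together: the tunnel connector, Traefik with a Let's Encrypt resolver and Docker auto-discovery, Authelia exposed as a forwardAuth middleware, and two stand-in services, one behind Authelia and one that skips it. The hostnames, e-mail address and token variables are placeholders, and the tunnel's ingress rule (configured on the Cloudflare side) is assumed to point at https://traefik:443 on this Compose network.

```yaml
services:
  cloudflared:                      # the tunnel connector; its ingress rule (set in Cloudflare) points at https://traefik:443
    image: cloudflare/cloudflared:latest
    command: tunnel run
    environment:
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}            # tunnel token from the Cloudflare dashboard (placeholder)
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only containers with traefik.enable=true are routed
      - --entrypoints.websecure.address=:443
      # ports 80/443 are not reachable from the Internet behind a tunnel, so the
      # HTTP/TLS challenges cannot complete; use the DNS-01 challenge against Cloudflare DNS
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}      # scoped API token with Zone:DNS:Edit only (placeholder)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
  authelia:
    image: authelia/authelia:latest
    volumes:
      - ./authelia:/config                        # configuration.yml and users_database.yml live here
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host(`auth.example.com`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls.certresolver=le
      # forwardAuth middleware: Traefik asks Authelia to verify the session before serving a request
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.com
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
  private-app:                                    # hidden behind Authelia
    image: nginx:alpine                           # stand-in for any home service
    labels:
      - traefik.enable=true
      - traefik.http.routers.private.rule=Host(`private.example.com`)
      - traefik.http.routers.private.entrypoints=websecure
      - traefik.http.routers.private.tls.certresolver=le
      - traefik.http.routers.private.middlewares=authelia@docker
  public-app:                                     # no middleware, so Traefik skips Authelia
    image: nginx:alpine
    labels:
      - traefik.enable=true
      - traefik.http.routers.public.rule=Host(`public.example.com`)
      - traefik.http.routers.public.entrypoints=websecure
      - traefik.http.routers.public.tls.certresolver=le
```

Which hosts Authelia protects is decided per container by the `middlewares` label, so a service is exposed unauthenticated only when that label is deliberately left off.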