Question WRT secure networking with Podman/Docker stack and a reverse proxy in a VM "DMZ"
from glizzyguzzler@piefed.blahaj.zone to selfhosted@lemmy.world on 29 Jun 01:36
https://piefed.blahaj.zone/c/selfhosted/p/841073/question-wrt-secure-networking-with-podman-docker-stack-and-a-reverse-proxy-in-a-v

I have a single Podman stack & Podman network - ingress via Caddy with crowdsec that forwards stuff to the various things I’ve got going. All self-contained in the Podman network.

I want to put Caddy in a VM to establish a “DMZ” (separate kernel) as I’ve seen recommended for directly internet-facing infrastructure. But to do that, I’ll break my single Podman network across two “servers”.
Because it is across two “servers”, I need to publish the ports for the services on the non-VM server so that the VM can address them externally - which allows the services to talk to the internet (even if they don’t need it) and allows the services to talk to each other on published ports (before I could have separate networks for each service, so BookOrbit can’t talk to Jellyfin for instance).

How can I have the Caddy in the VM that deals with the WWW forward things to the server running everything but retain that closed Podman network topology?

And ancillary Q, what other things should be in that “DMZ” VM? Auth OIDC? Headscale? Just Caddy?
Edit: Caddy forwards everything to the Auth OIDC which forwards it along if the connection attempt is logged in. Will be adding mTLS to bypass that check eventually. That’s why I’m thinking Auth OIDC should be in the “DMZ” VM too.

And lastly, Podman networking works just like Docker networking, so any topology is transferable if you’ve solved this in Docker!

WRT = with respect to

#selfhosted
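An added illustration of one way to bridge the split (not from the post or from any project): the host keeps its per-service Podman networks and publishes each port only on the host-side address of a private bridge shared with the Caddy VM, so the listeners never appear on the WAN interface. The bridge address 10.10.0.1, the network names and the BookOrbit image are assumptions.

```yaml
# Added illustration, not the poster's setup. Each service stays on its
# own Podman network; the only ports the host publishes are bound to the
# host-side address of a private bridge shared with the Caddy VM
# (10.10.0.1 is an assumed placeholder; nothing binds to 0.0.0.0).
services:
  jellyfin:
    image: docker.io/jellyfin/jellyfin
    networks: [jellyfin_net]          # its own network, as before the split
    ports:
      - "10.10.0.1:8096:8096"         # reachable via the VM bridge only
  bookorbit:
    image: example/bookorbit          # placeholder image name
    networks: [bookorbit_net]
    ports:
      - "10.10.0.1:8080:8080"

networks:
  jellyfin_net: {}
  bookorbit_net: {}
```

Caddy in the VM then targets that address, e.g. `reverse_proxy 10.10.0.1:8096`. Binding to the bridge keeps the port off the internet-facing interface, but containers can still reach the host address and outbound access is unchanged, so per-service networks and host firewall rules still carry the isolation the post describes.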
