In my previous post, I shared my initial experience setting up a reverse proxy without fully understanding it. This time, I'll explain how to use Traefik to protect your machine by avoiding direct exposure of application ports.
How a Reverse Proxy Works
Setting up Traefik is like building a fortified gate for your services. Without a reverse proxy, your services are like houses with open doors, accessible from any direction. Convenient, but risky: every application port you publish is another listening service, with its own login form and its own bugs, reachable by anyone scanning the internet. A reverse proxy changes that by publishing only the ports Traefik listens on (typically 80 and 443) and forwarding each request to the right container over an internal Docker network. To learn which containers exist and how they are labelled, Traefik talks to the Docker API, either directly through the Docker socket or, preferably, through a socket proxy. The distinction matters: a container holding the raw Docker socket is effectively root on the host, so a read-only socket proxy that exposes just the container-listing endpoint limits the damage if Traefik itself is ever compromised.
A reverse proxy alone isn't a complete security solution, but it's a critical first step to shield your home server from unauthorized access.
Setting Up Traefik with a Socket Proxy
Configuring Traefik and a socket proxy is straightforward once you get the hang of it. The key is getting the Docker Compose files, environment variables, and networks right: the socket proxy and Traefik share one internal network, Traefik and every application share a second one, and the applications themselves publish no ports at all. That way each service is reachable through the reverse proxy but not directly from outside the host.
Exposing Services to the Internet
Before exposing your services to the internet, understand the risks. Malicious actors constantly scan for open ports, and any freshly exposed login page will attract automated password guessing. Start with Traefik, Fail2Ban (which needs Traefik's access log enabled so it has something to read), and basic authentication for protection. For stronger security, consider adding an authentication middleware like Authentik or Authelia, and explore tools like CrowdSec.
Before the fun begins
To add basic protection, configure Traefik with middleware like basic authentication, secure headers, and a rate limiter. Keep basic authentication behind HTTPS only: it sends the credentials base64-encoded on every request, so over plain HTTP anyone on the path can read them. A strong password and rate limiting can deter unauthorized access in the short term, but you'll need more robust measures for long-term security.
tl;dr
- Configure Traefik and a socket proxy in Docker Compose, ensuring all services share the same network as Traefik and publish no ports of their own.
- Add secure middleware to Traefik (basic authentication, secure headers, rate limiting) to protect your services.
- Verify that only Traefik's ports (80 and 443) are published and allowed through your firewall; block all other service ports. Be aware that Docker inserts its own iptables rules for every published port, so a port listed under "ports:" in a compose file is reachable from outside even when ufw appears to block it; the fix is to not publish it at all.
- Explore advanced security tools like authentication providers (e.g., Authentik, Authelia) and CrowdSec.
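The whole setup summarized above, as an added example written for this post rather than the author's own files: one docker-compose.yml with a socket proxy, Traefik, and a single app (traefik/whoami) reachable only through Traefik, with the basic-auth, secure-headers and rate-limit middleware attached. The hostnames, the e-mail address and the test:test credentials (the MD5 htpasswd example from the Traefik documentation) are placeholders you must replace.

```yaml
# docker-compose.yml: socket proxy + Traefik + one app behind it (added example).
# Only the traefik service publishes ports; everything else is reached via Traefik.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest
    container_name: socket-proxy
    restart: unless-stopped
    environment:
      # Allow only the read-only "containers" endpoint Traefik needs for discovery.
      # exec, images, volumes and all POST requests stay denied (proxy defaults).
      CONTAINERS: 1
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket   # internal network: never reachable from the host's interfaces

  traefik:
    image: traefik:v2.11
    container_name: traefik
    restart: unless-stopped
    depends_on:
      - socket-proxy
    command:
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://socket-proxy:2375   # no socket mount here
      - --providers.docker.exposedbydefault=false             # opt in per container
      - --providers.docker.network=proxy
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=admin@example.com   # placeholder
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --accesslog=true        # gives Fail2Ban/CrowdSec a log to read
      - --api.dashboard=true    # served only via the authenticated router below
    ports:
      - "80:80"      # the only two ports published on this host
      - "443:443"
    volumes:
      - ./letsencrypt:/letsencrypt
    networks:
      - socket
      - proxy
    labels:
      - traefik.enable=true
      # Shared middlewares, defined once and attached to routers by name.
      # Placeholder credentials test:test; generate your own with
      # `htpasswd -nB youruser` and double every `$` for Compose.
      - traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/
      - traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000
      - traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.secure-headers.headers.frameDeny=true
      - traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true
      - traefik.http.middlewares.ratelimit.ratelimit.average=20   # req/s per client
      - traefik.http.middlewares.ratelimit.ratelimit.burst=50
      # Dashboard: HTTPS only, behind basic auth, never via --api.insecure.
      - traefik.http.routers.dashboard.rule=Host(`traefik.example.com`)   # placeholder
      - traefik.http.routers.dashboard.entrypoints=websecure
      - traefik.http.routers.dashboard.tls.certresolver=le
      - traefik.http.routers.dashboard.service=api@internal
      - traefik.http.routers.dashboard.middlewares=auth,secure-headers,ratelimit

  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: unless-stopped
    # No "ports:" section: the app exists only on the proxy network.
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)   # placeholder
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=le
      - traefik.http.routers.whoami.middlewares=auth,secure-headers,ratelimit

networks:
  proxy:
    name: proxy
  socket:
    name: socket
    internal: true   # no route out; only Traefik and the socket proxy live here
```

After docker compose up -d, docker ps should list 0.0.0.0:80 and 0.0.0.0:443 on the traefik container and nothing under PORTS for socket-proxy or whoami; if an app shows a published port there, it is reachable regardless of your firewall rules. Every additional application follows the whoami pattern: join the proxy network, add router labels, and reference the shared middlewares by name.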
Final Thoughts
Self-hosting can feel daunting with so many malicious bots and actors out there. Securing my server, home to my 12 precious photos on Immich and my config files, is a work in progress. It requires learning and effort, but the sense of control and accomplishment makes it worthwhile.
Stay safe, hermanos!