Comment on Question WRT secure networking with Podman/Docker stack and a reverse proxy in a VM "DMZ"
hirihit640@sh.itjust.works 1 week ago
Can you put the auth OIDC in the DMZ VM, forwarding to caddy in the other VM with all the services?
If you can’t, you can always use firewalls on the services VM to prevent services from talking to each other. Preventing them from talking to the internet can be achieved by putting them in an “internal” network (if using docker compose, set “internal: true” when defining the network)
glizzyguzzler@piefed.blahaj.zone 1 week ago
I do see Authentik can apparently act as a reverse proxy, so it can sit at the very front. But I’d lose out on caddy + crowdsec then…
I’ll have to do some reading if caddy can actually just forward to caddy, and where the TLS is terminated and all that.
And I do use the internal setting now, but I need it off if I want to publish the port on the LAN so that the VM can see the ports on the LAN. But if I can have WAN caddy do the auth check and forward along good stuff to the LAN caddy, then I’ll only need to publish LAN caddy’s port and that’s not the worst at all.
Thanks for the ideas, I’ll try to cook “caddy (DMZ) -> auth OIDC (DMZ) -> caddy (LAN) -> services (LAN)”!