Cross-container/vm communication security on Proxmox

Submitted ⁨⁨1⁩ ⁨year⁩ ago⁩ by ⁨LufyCZ@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

Hey, I’ve got a bunch of services all running in their own containers/vms on Proxmox. All of these have their own ips that are accessible from my network.

I also have a container with a reverse proxy, which acts as a gateway for access to these services (it’s IP is the only one allowed to go through the firewall of each service).

These services have http servers, no encryption. Could someone on my network listen to comms between a service and my reverse proxy?

Would have to play around with VLANs if that’s the case…

Thanks

source

Comments

Sort:hotnew top

citizen@sh.itjust.works ⁨1⁩ ⁨year⁩ ago
If your goal is to improve security you would have to look into e2e encryption. This means network traffic needs to be encrypted both between client and proxy as well as between proxy and service. You didn’t elaborate on your proxmox/network setup. I will assume that you have multiple proxmox hosts and external router perhaps with switch between them. Traffic this way flows between multiple devices.

Some solutions

You could run another proxy on same VM as service just to encrypt traffic if service doesn’t support that. Then have your proxy connect to that proxy instead of service directly. This way unencrypted traffic doesn’t leave VM. Step up would be to use certificate validation. Step up from there would be to use internal certificate authority and issue certificates from there as well as validate using CA cert.

Another alternative is to use overlay network between proxy and VM. There are bunch of different options. There are more advanced projects combining zero trust concepts like nebula.

if you start building advanced overlay networks you may as well look at kubernetes as it streamlines deployment of both services and underlying infrastructure. You could deploy calico with wire guard network. Setup gets more complicated for simple home lab. All boils down to why you do self hosting. If it’s to learn tech then go for it all the way. If you want to focus on reliability and simplicity don’t overcomplicate things. Many people run everything on single node just running docker and docker networks between services to separate internal services from proxy traffic.
source
- LufyCZ@lemmy.world ⁨1⁩ ⁨year⁩ ago
  I have just one proxmox hosts which runs everything.
  
  I wasn’t sure if there was any traffic leaked out of the bridge (as it would be to everyone with wifi), though the more I think about it, the less sense it’d make for that to be the case.
  
  I self-host for a myriad of reasons, including a dev server, so ideally I need uptime. Might look into some more advanced stuff when I’ve got time though.
  
  Appreciate the response btw!
  
  source
scarecrow365@reddthat.com ⁨1⁩ ⁨year⁩ ago
Unless someone has physical access to the ports/switch that the traffic flows through, they would not be able to see anything besides broadcast/multicast traffic if they were just snooping with Wireshark. The internal switch of proxmox and any hardware switch you have will forward unicast traffic to the ports those Mac’s reside on, so without port mirrors setup, no one but you should be able to see that traffic.

source
- LufyCZ@lemmy.world ⁨1⁩ ⁨year⁩ ago
  Good to hear, thanks!
  
  source
fuggadihere@lemmy.world ⁨1⁩ ⁨year⁩ ago
I am interested in this topic as well

source