Hey, I’ve got a bunch of services all running in their own containers/vms on Proxmox. All of these have their own ips that are accessible from my network.
I also have a container with a reverse proxy, which acts as a gateway for access to these services (it’s IP is the only one allowed to go through the firewall of each service).
These services have http servers, no encryption. Could someone on my network listen to comms between a service and my reverse proxy?
Would have to play around with VLANs if that’s the case…
Thanks
If your goal is to improve security you would have to look into e2e encryption. This means network traffic needs to be encrypted both between client and proxy as well as between proxy and service. Your volumes should be also encrypted. You didn’t elaborate on your proxmox/network setup. I will assume that you have multiple proxmox hosts and external router perhaps with switch between them. Traffic this way flows between multiple devices. With security mindset you’re assuming network can’t be trusted. You need to apply layered approach and use sparation of physical devices, VLANs, ACLs, separate network interfaces for management and services for respective networks. Firewall rules on router, proxmox and VM.
Some solutions
Encryption:
All boils down to the question why you do self hosting? If it’s to learn new tech then go for it all the way. Experiment and fail often so you learn what works and what doesn’t. If you want to focus on reliability and simplicity don’t overcomplicate things. You will spend too much time troubleshooting and have your services unavailable. Many people run everything on single node just running docker with networks between services to separate internal services from proxy traffic. Simplicity trumps everything if you can’t configure complex networks securely.