Our great sponsors
-
-
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
crowdsec
CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
-
Has anyone used [tailscale](https://tailscale.com/)? Is it any good?
This is my first attempt at self-hosting. I currently own a Raspberry Pi 4 Model B and I would like to use that in order to self-host some software like Portainer, FireflyIII, Vikunja, Gitea etc. I intent to use Docker swarm in order to be able to spin up these software as I have a lot of experience with it and adding new nodes to the cluster is pretty straightforward. ## Use case RPi is going to keep running in my home network and I would like to be able to access it from any other network, not just my local one, from my mobile phone and my laptop. However, I am aware that this introduces a lot of security risks that I would like to properly defend against. ## Architecture Users (a handful of people, mainly myself and family members) will hit the IP of my house at 443. Home Router is going to forward the request to [Traefik](https://github.com/traefik/traefik), that is running on the RPi in Docker Swarm mode. Then, based on host rules, Traefik is going to forward the request to the appropriate Docker Swarm service that will handle the request. I have attached a diagram with the above architecture.
Secondly I would use a tool like CrowdSec to protect ssh and traefik. Basically CrowdSec is a free, open source, modern and crowd sourced version of fail2ban that's able to parse logs to detect attack and block on firewall- or application layer. Also the crowd sourced part means that all users share information about the attacks they're undergoing so everyone else can block bad guys before they start attacking. In your case traefik is support both as a logparser and bouncer (blocking traffic).
Yes. We have a dockerized version of the CrowdSec agent (not bouncers) as well as helms charts for k8s. A few weeks ago we did the first part of a two-part article - and the second part is out soon.