Best way to expose certain apps to the internet?

victort

Guru
Joined
Dec 31, 2021
Messages
973
As the title says, what’s the recommended way of exposing only certain TrueNAS SCALE apps (and not others) to the public internet, when Traefik is serving them all via domain names?

Currently I use Caddy in CORE jail which has a nice “not host” syntax.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'll be interested to hear if there are other or better suggestions, but my answer is to use Caddy as a reverse proxy on my OPNsense box, redirecting for whatever services (whether on the NAS or otherwise) I want to expose to the Internet. The only GUI for Caddy on OPNsense is a text box to enter your Caddyfile, but I still find it easier to work with than HAProxy.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I use nginx, with a redirect for some domains to Traefik (and others to Nginx Proxy Manager)...

Code:
stream {

    # Route on the SNI in the ClientHello without terminating TLS here.
    # Anything not listed falls through to nginx itself on 443.
    map $ssl_preread_server_name $name {
        auth.domain.com    upstream_traefik;
        gf.domain.com      upstream_traefik;
        mi.domain.com      upstream_npm;
        mic.domain.com     upstream_npm;
        default            127.0.0.1:443;
    }

    upstream upstream_traefik {
        server 192.168.x.y:443;
    }
    upstream upstream_npm {
        server 192.168.x.z:32002;
    }

    # The firewall forwards TCP/443 here; ssl_preread populates
    # $ssl_preread_server_name before proxy_pass picks the upstream.
    server {
        listen      444;
        ssl_preread on;
        proxy_pass  $name;
    }

}


The firewall (which is pfSense, using HAproxy for the redirect) forwards all SSL traffic (as TCP) to the nginx server on 444, then I catch it with the pre-read to determine which domain will go where, defaulting to 443 on nginx, which also handles some reverse proxying directly there and handles domains that aren't local with a 444 (network error).
 
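The decision the nginx `stream` block above makes (read the SNI from the ClientHello, pick an upstream, never terminate TLS) is the same "expose only these hostnames" policy the opening post asks for. The following is an added example, not code from the thread: a minimal SNI pre-read router in Python that builds a constructed ClientHello as test input, extracts `server_name` with bounds checks, and maps it through an allowlist that drops anything unlisted. `ROUTES`, the upstream addresses and all function names are hypothetical; the "192.168.x.y" placeholders are copied from the post.

```python
"""Minimal SNI pre-read router (added example, not from the thread).

Decides where a TLS connection should go from the ClientHello's
server_name extension, without terminating TLS.  Unknown or missing SNI
is dropped, i.e. only the listed apps are reachable from outside.
"""
import struct
from typing import Optional

# Hypothetical routing table mirroring the nginx `map` above.
# Note there is deliberately no default: deny unless listed.
ROUTES = {
    "auth.domain.com": "192.168.x.y:443",    # traefik
    "gf.domain.com":   "192.168.x.y:443",    # traefik
    "mi.domain.com":   "192.168.x.z:32002",  # nginx proxy manager
}


def build_client_hello(sni: str) -> bytes:
    """Constructed test input: a minimal ClientHello record carrying `sni`."""
    host = sni.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(host)) + host          # name_type host_name
    sni_ext = struct.pack("!HH", 0, len(sni_entry) + 2) \
        + struct.pack("!H", len(sni_entry)) + sni_entry          # ext type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)        # client_version, random
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _field(buf: bytes, pos: int, n: int) -> bytes:
    """Slice n bytes at pos, raising ValueError instead of returning short."""
    if pos + n > len(buf):
        raise ValueError("record truncated at offset %d" % pos)
    return buf[pos:pos + n]


def _parse_server_name(data: bytes) -> Optional[str]:
    """Pull the host_name out of a server_name extension body."""
    list_len = struct.unpack("!H", _field(data, 0, 2))[0]
    _field(data, 2, list_len)                 # list must fit in the extension
    p, end = 2, 2 + list_len
    while p + 3 <= end:
        ntype, nlen = struct.unpack("!BH", data[p:p + 3])
        p += 3
        name = _field(data, p, nlen)
        p += nlen
        if ntype == 0:                        # host_name
            return name.decode("ascii", "replace").lower()
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI from a ClientHello record, None if there is none or
    the bytes are not a ClientHello; malformed input raises ValueError."""
    if len(record) < 5 or record[0] != 0x16:  # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = _field(record, 5, rec_len)
    hdr = _field(hs, 0, 4)
    if hdr[0] != 0x01:                        # not a ClientHello
        return None
    body = _field(hs, 4, int.from_bytes(hdr[1:4], "big"))
    pos = 2 + 32                                               # version + random
    pos += 1 + _field(body, pos, 1)[0]                         # session_id
    pos += 2 + struct.unpack("!H", _field(body, pos, 2))[0]    # cipher_suites
    pos += 1 + _field(body, pos, 1)[0]                         # compression_methods
    if pos == len(body):
        return None                                            # no extensions at all
    ext_len = struct.unpack("!H", _field(body, pos, 2))[0]
    pos += 2
    _field(body, pos, ext_len)                                 # extensions must fit
    ext_end = pos + ext_len
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = _field(body, pos, elen)
        pos += elen
        if pos > ext_end:
            raise ValueError("extension overruns extensions list")
        if etype == 0:                                         # server_name
            return _parse_server_name(data)
    return None


def route(record: bytes, table=ROUTES) -> Optional[str]:
    """Upstream for this connection, or None to drop it (deny by default).
    A real proxy then forwards the untouched bytes, this record included."""
    sni = extract_sni(record)
    return table.get(sni) if sni else None


def is_malformed(record: bytes) -> bool:
    """True if the record is truncated or inconsistent (and would be dropped)."""
    try:
        extract_sni(record)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for host in ("auth.domain.com", "mi.domain.com", "evil.example.net"):
        print(host, "->", route(build_client_hello(host)) or "DROP")
```

Two points worth keeping in mind when doing this for real: the SNI is an unauthenticated string chosen by the client, so it must only ever select an upstream from an allowlist and never be used to build a destination address directly; and since the ClientHello is parsed before any TLS state exists, the parser has to fail closed on short or inconsistent lengths, which is why every read above goes through `_field`.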

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
victort said:
Currently I use Caddy in CORE jail which has a nice “not host” syntax.
Same. Works great. The Caddyfile supports an "import" statement so I created one file per application:
Code:
import vhosts.d/*.conf


danb35 said:
I'll be interested to hear if there are other or better suggestions, but my answer is to use Caddy as a reverse proxy on my OPNsense box, redirecting for whatever services (whether on the NAS or otherwise) I want to expose to the Internet. The only GUI for Caddy on OPNsense is a text box to enter your Caddyfile, but I still find it easier to work with than HAProxy.
There's a new Caddy plugin for OPNsense by forum user Monviech - you might want to try it:
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Wondering if the MetalLB charts from Truecharts could be what I’m looking for.

Maybe installing the caddy docker image as a custom app and running it on its own IP.

I’m thinking of abandoning core as life for me is just too much to try and maintain a storage server on a vanilla FreeBSD install. If CORE doesn’t have a future (5 years, fork or no fork) I’d like to get my stuff moved. But I need that reverse proxy…

EDIT: But then, a simple jail with one Caddyfile would not necessarily require the backup and management that other data would.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
On top of all that, how secure are containers anyway? If I’m going to expose certain things to the public web, how worried do I have to be of someone breaking in?

Are jails and containers on the same level security wise?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Well, jails are containers. I'd expect them to be roughly comparable in terms of security, though there are doubtless some differences. Caddy could run as the Docker image using the custom app, in a "Linux jail" under Dragonfish, in a VM on SCALE, or (as I do) on your router.
 