• 0 Posts
  • 2 Comments
Joined 1 year ago
cake
Cake day: August 12th, 2023

help-circle
  • You could use a VPN like wireguard and make all your private installations only accessible if the request originates from the VPN. That way you are not relying on the security of all individual programs, but only on the security of your VPN, which is specifically designed for it.

    I.e. on a server host a wireguard docker container. Make it forward and masquerade all incoming request to port 80/443 to a caddy container running on the same machine. In the caddyfile you can match by subdomain and filter by origin IP. Then either deny the request or allow the reverse proxy to serve the content.

    If you don’t want to use caddy or subdomains you can also just forward all requests that hit the VPN on [special port] to forward to your server. People without VPN access won’t be able to send requests to that interface in the first place.