I’ve got Nginx Proxy Manager set up and it’s working wonderfully. However, I have some services I want to be able to access via reverse proxy, so I have SSL and can use a hostname to direct me to a service, but I only want to be able to access them via VPN. My best idea to make this work is to configure access so that only connections from my local network can access certain proxy hosts. This gives all external traffic a 403 on connection attempt. Is this the best or only way to go about it? Short of additional services such as Authelia and Fail2Ban of course, but I wanted to know if I have the right idea.
It’s exactly what I do and works great
Yes this is how I do things. I run two instances of nginx proxy, one public facing and one private. External requests are routed to the public proxy and my local dns has CNAME records for all the domains my services run on forwarding to the internal proxy. That way I have a couple of subdomains exposed publicly (Plex, nextcloud and home assistant) through subdomains declared in my public name server and many, many more on the internal proxy whose domain records exist only on my local dns.
Thank you! This is the most appealing option to me right now. I’m having trouble understanding how all my internal traffic could be routed via my internal DNS though. NPM listens on both 80 and 443. Is the idea to have NPM listen on 443 and and my local DNS on 80, then I configure my router to use local DNS to route my traffic accordingly?
I personally run tailscale on my host and a single traefik instance on docker. Anything that doesn’t need to be accessed by other people listen to the hostname and get a 100.64.0.0/10 ip whitelist middleware to only allow connections through tailscale. That way a request sent through the public IP with a custom Host header can’t be smuggled in and I don’t have to deal with custom ports for a 2nd reverse proxy