Hacker News
by wg0 781 days ago
Side question - what do people use to hide (and make accessible) internal services such as Grafana, Prometheus, RabbitMQ (the web interface) and such?

Should they be public behind such a proxy? (seems odd) Or should they be totally internal, with a WireGuard VPN set up to reach them?

9 comments

Auth forwarding[1] is normally the route. This allows you to basically zero-auth your services. You can also use WireGuard or Tailscale[2].

[1] https://doc.traefik.io/traefik/middlewares/http/forwardauth/ [2] https://doc.traefik.io/traefik/master/https/tailscale/

Cloudflare tunnels are super convenient and provide lots of auth mechanisms. If you set up a tunnel using cloudflared and proxy the IP through Cloudflare, there's nothing even exposed directly to the internet. You can even have different auth requirements for URLs (like /admin) or punch holes for stuff like webhooks.

I have set up quite a few as Kubernetes pods that direct to private hostnames in different namespaces and am pretty happy with it for internal apps.

I am starting to wonder if Cloudflare tunnels are not a little too much trust to put in Cloudflare.

They effectively are decrypting your entire traffic then, including login credentials. It’s a little scary…

> what do people use to hide (and make accessible) internal services such as Grafana, Prometheus, RabbitMQ (the web interface) and such?

Proxies or VPNs like you mentioned. You usually don't expose things if you don't have to.

We use Tailscale for this exact use case and it has been working flawlessly so far. You can even set up ACLs as a firewall.
For the purposes of some of my self-hosted stuff, I wanted to see how far I could go without a VPN and instead use mutual TLS authentication with my stuff exposed to the internet. Client certs are issued by cert-manager in my k8s cluster and Traefik does my TLS auth.
From the internet? Drop them at the ingress level (if using Kubernetes). You could also do some IP filtering. Then use an internal proxy (or an internal IP of some kind) to reach them.

For proofs of concept, I use Cloudflare tunnels, which allow you to add ACLs to particular routes.

They are open to the internet, but each ingress is using the “external auth” feature of nginx ingress, pointing to our internal login. There’s no VPN or magic IP addresses. Once you’re logged in, you can access whatever you need.
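
The Traefik forwardAuth route mentioned in the first reply and the nginx ingress "external auth" setup in this comment work the same way: the proxy makes a sub-request carrying the original request's headers to a small auth service and lets the request through only on a 2xx. Below is an added example of such a service, written for this page; it is not code from the thread, from Traefik or from ingress-nginx. The secret, the cookie name, the trusted WireGuard/Tailscale ranges, the /admin and /webhook/ paths and port 4181 are all assumptions for illustration.

```python
"""Forward-auth service for a reverse proxy (added example; not the thread's code).
Traefik forwardAuth and ingress-nginx auth-url both send a sub-request with the
original request's headers to this server; 2xx lets the request through,
anything else is returned to the client."""
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Mapping, Optional, Tuple
from urllib.parse import urlsplit

# All of the following are assumptions for illustration.
SECRET = b"replace-with-a-random-32-byte-key"   # load from a secret store in practice
COOKIE = "session"
SESSION_TTL = 8 * 3600
ADMIN_NETS = [ipaddress.ip_network("10.8.0.0/24"),    # WireGuard clients
              ipaddress.ip_network("100.64.0.0/10")]  # Tailscale address range
# The "punched hole" for webhooks: no login here, so the upstream must verify
# the provider's own request signature itself.
PUBLIC_PREFIXES = ("/webhook/",)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(user: str, now: Optional[float] = None) -> str:
    """Issue a session token: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    now = time.time() if now is None else now
    body = _b64(json.dumps({"u": user, "exp": int(now) + SESSION_TTL}).encode())
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user of a valid, unexpired token, else None (never raises)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now:
            return None
        return claims["u"]
    except (ValueError, KeyError, TypeError):
        return None


def _from_admin_net(xff: str) -> bool:
    """Assumes the proxy appends the real client address as the LAST entry of
    X-Forwarded-For; earlier entries are client-supplied and not trusted."""
    try:
        ip = ipaddress.ip_address(xff.split(",")[-1].strip())
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_NETS)


def decide(headers: Mapping[str, str], now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Policy for one proxied request; returns (status, headers for the proxy)."""
    h = {k.lower(): v for k, v in headers.items()}
    # Traefik sends path+query in X-Forwarded-Uri, ingress-nginx the full URL in X-Original-URL.
    path = urlsplit(h.get("x-forwarded-uri") or h.get("x-original-url") or "/").path
    if path.startswith(PUBLIC_PREFIXES):
        return 200, {}
    cookies = SimpleCookie(h.get("cookie", ""))
    user = verify_session(cookies[COOKIE].value, now) if COOKIE in cookies else None
    if user is None:
        return 401, {}   # the proxy hands this to the client (or redirects to a login page)
    if path.startswith("/admin") and not _from_admin_net(h.get("x-forwarded-for", "")):
        return 403, {}
    # Copied upstream via Traefik authResponseHeaders / nginx auth-response-headers.
    return 200, {"X-Forwarded-User": user}


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        status, extra = decide(self.headers)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # e.g. Traefik: forwardAuth.address = "http://127.0.0.1:4181/"
    HTTPServer(("127.0.0.1", 4181), AuthHandler).serve_forever()
```

Wire it up with Traefik's `forwardAuth.address` plus `authResponseHeaders: [X-Forwarded-User]`, or with the ingress-nginx annotations `nginx.ingress.kubernetes.io/auth-url` and `auth-response-headers`. Two caveats a practitioner should check: the X-Forwarded-For check is only as good as the proxy's handling of that header (the proxy must overwrite or append the real client address, otherwise the client can claim an admin-range IP), and with Traefik the 401 is returned to the browser as-is, so a real deployment answers with a redirect to the login page instead, while ingress-nginx turns it into a redirect via `auth-signin`.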
Serve them on a firewalled port, then: 1) VPN if you need to expose them to multiple trusted users, 2) firewall rules to make them accessible to your IP range, or (probably easiest), 3) access them by ssh tunnel.
zero trust, host firewalls, mtls, ssh tunnels, bastion hosts.