Internal Documentation
External Access to Systems

Currently we are using a Cloudflare Tunnel to reverse proxy services so that they are available externally, either publicly or behind Cloudflare's authentication. Some services also require port forwarding.

| External type | Why? |
| --- | --- |
| Cloudflare Tunnel | Standard web traffic and/or web-based apps. Secured behind Cloudflare's network. |
| Port Forward | High-bandwidth traffic (file services), non-HTTP/S traffic (e.g. game servers, video files), latency-sensitive services (game servers). Insecure and unsafe. |

Does my app need to be open to the public?

It depends on the use case, and on whether you want it to be! If you or someone else will need to access the service from outside the LAN, the app will need to be externally available.

  • Is my app secure enough to be open to the public?
    • How is authentication handled?
    • How are updates handled?
  • Does my app need to be open to the public?
    • Why would a random internet user access this app?
    • Would limiting this to a few users be a better solution?
    • What potential issues could arise? (e.g. a file sharing service used to host malicious files)
  • Is the app designed to be open to the public? (e.g. Overseerr vs Proxmox)
  • What is the potential risk if the app is breached?
    • What damage can be done? (e.g. deleting all VMs in Proxmox)
    • Can the service be used to jump to or access other services?

If the app needs to be externally available but has some risk associated with it, it can be made available with Cloudflare Authentication in front of it. This also reduces the risk of DDoS attacks, as the malicious actor will be attacking Cloudflare, not us.
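As an added example (not this project's own configuration), a `cloudflared` `config.yml` showing the tunnel model described above: one public-facing app and one riskier app that is only reachable after a Cloudflare Access policy. The tunnel UUID, hostnames and the `admin-tool` origin are placeholders; `overseerr:5055` assumes Overseerr's default port.

```yaml
# Added example, not the project's own config. Tunnel UUID, hostnames and the
# admin-tool origin are placeholders; overseerr:5055 is Overseerr's default port.
tunnel: 00000000-0000-0000-0000-000000000000      # placeholder tunnel UUID
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

# Ingress rules are matched top to bottom and serve HTTP(S) origins only.
# The policy's port-forward cases (game servers, bulk file traffic) are
# handled outside the tunnel and do not belong here.
ingress:
  # App designed to face the internet (the policy's "Overseerr" case):
  # exposed publicly, still terminated on Cloudflare's network.
  - hostname: overseerr.example.com
    service: http://overseerr:5055

  # Riskier internal app (hypothetical): routed through the same tunnel, but a
  # Cloudflare Access application and policy for this hostname must be created
  # in the Zero Trust dashboard. cloudflared itself does not enforce Access,
  # so without that policy this rule would publish the app to everyone.
  - hostname: admin-tool.example.com
    service: https://admin-tool.lan:8443
    originRequest:
      noTLSVerify: true   # origin uses a self-signed cert; only the LAN hop is unverified

  # Required catch-all: any hostname not listed above gets a 404 instead of an origin.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the rule syntax, and `cloudflared tunnel ingress rule https://overseerr.example.com` shows which rule a given URL would match.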

Last updated 1 year ago