Seeking advice on securing setup

I am new to self hosting. I have a Proxmox server with Ubuntu Server VMs that provide services for personal use. With much appreciated assistance from the Caddy community, I have setup Caddy with a Cloudflare domain to make those services accessible outside of my network, and with dynamic DNS. All VMs and the rest of my home network are on the default 192.168.x.x subnet.

Now having stood those services up and successfully been able to access them, I want to ensure they are well secured. Research has identified 3 possible solutions though I am unsure of feature duplication or compatibility.

  1. Intrusion prevention via Crowdsec.
  2. Single Sign On via Authelia or Authentik.
  3. Everything else via OPNSense (Likely to be in the future as I don’t have the technical understanding of the functionality or configuration at this time. And it looks to require dedicated hardware as well.).

So in the short term I am looking at whether I can install Crowdsec first to work with Caddy. Then an SSO solution to simplify access to the various services.

For Crowdsec, they seem to have a well documented install and setup process, but from what I have read so far, it is unclear if that default setup would work with Caddy.

There is a Caddy bouncer which I interpret to be a Crowdsec plugin for Caddy. There is also a Caddy module for Crowdsec. Would I need to install and configure both of these or just one? Also, would I need to be changing my router config to direct traffic first to Crowdsec and it would then forward allowed requests onto Caddy to direct?

For SSO, is there a reason to use one of the providers (Authentik or Authelia) over the other? Is it practical to install and configure after Crowdsec and with many of my services already operating?

Apologies in advance for any glaring omissions or dumb questions above. Thanks :slight_smile:

Hey there,

if you use OPNsense, it's easy to run caddy and crowdsec on it together. (I maintain the caddy plugin on OPNsense)

https://docs.opnsense.org/manual/how-tos/caddy.html

The plugin also features easy to set up basic auth and access lists for securing services fast and easy.

Additionally, you can set up suricata (Intrusion Detection) on the OPNsense and integrate the same logs into crowdsec too.

For security, it is the most important that everything you implement makes sense and can be easily audited. Combining too many cogs can create unmaintainable setups.

The most important thing is that the applications you reverse proxy are patched on OS and application level.


Thank you for the advice. I am not confident setting up OPNSense at this stage. My understanding in this is rudimentary at best.

Is my existing Minisforum MS-01 (i9 13900 / 32GB RAM model) device, hosting my Proxmox server with all my other VMs and Docker containers likely to have the hardware resources for OPNSense if I install it in another VM?

Also I use Caddy for keeping my Cloudflare domain pointed at my dynamic IP via the dynamic dns module for Caddy. Would that still be possible if I tried to install Caddy as a plugin for OPNSense?

Having learned a bit more on OPNSense, I think it’s too much for my requirements and level of understanding. Maybe in the future but not today. Thank you still as suggesting to check it out more has helped me better understand my requirements. For now I just want intrusion prevention from Crowdsec and SSO via a self hosted provider.

Yeah, your proxmox machine is more than enough to run OPNsense VMs. You can run it easily with 4 cores, 4+GB RAM and like 60+GB SSD.

Only thing you should look at: some people do PCIe passthrough for their NICs to get better performance. But if you don’t plan to pump 10+GBit/s through it, using virtio is just fine.

And yeah, the plugin has Cloudflare compiled in, dynamic DNS and DNS-01 challenge can be easily configured in the GUI. Read the documentation I have linked for some configuration examples. It can do what you need.

If you need any help eventually come to the OPNsense Forum. There’s lots of proxmox users there and lots of proxmox threads too.

EDIT: Okay, I didn’t read your last reply yet, that's understandable. Hope you can get it sorted out, I can’t help directly with caddy+crowdsec outside of the controlled freebsd environment that I support.


IMO, Crowdsec is overkill for a home server, unless you think people are going to try to specifically target you for some reason. If you’re just running a few apps for personal use, then there’s not really much chance of it being a problem.

Re SSO, that’s up to you to decide which one is a better fit for you. We’ve worked directly with the Authelia team to set up Caddy’s forward_auth support, so I can attest that that works for sure. I’ve not tried Authentik but I’ve heard from other users that it worked fine for them.

Generally I just use whatever auth is already available in the apps I run, I don’t think SSO is important unless you plan on having lots of users and don’t want to manage individual accounts for each of them on each app. SSO adds complexity for sure, consider whether you actually need that.

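The forward_auth integration with Authelia mentioned in the reply above, shown as an added Caddyfile example (not code from the original thread or from the Caddy or Authelia projects). It assumes Authelia is reachable from Caddy at `authelia:9091`, that the Authelia portal is served at `auth.example.com`, that the protected app listens on `app:8080`, and an Authelia version that exposes the `/api/authz/forward-auth` endpoint (older releases used `/api/verify`); all hostnames are placeholders.

```caddyfile
# Authelia's own login portal: proxied straight through, no auth check in front of it.
auth.example.com {
	reverse_proxy authelia:9091
}

# A self-hosted app behind SSO. Every request is first sent to Authelia;
# only a 2xx answer lets it continue to reverse_proxy, anything else
# (typically a redirect to the login portal) is returned to the client.
app.example.com {
	forward_auth authelia:9091 {
		# Authelia's forward-auth endpoint (assumed; older versions: /api/verify)
		uri /api/authz/forward-auth
		# Identity headers Authelia sets on success, passed on to the app so it
		# can map the SSO user to a local account instead of re-prompting.
		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
	}
	reverse_proxy app:8080
}
```

Which hosts require authentication, and which users or groups may reach them, is decided in Authelia's access control rules, not in the Caddyfile; the Caddy side only forwards the check and enforces the verdict.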

I greatly appreciate your input.

I am considering self-hosting a resume/portfolio website in the near future and other small webapps as I learn and improve my webdev knowledge/skill. Therefore Crowdsec feels like a nice to have, if not a need to have.

An SSO provider would greatly benefit enabling family members to use the services/apps I am currently or plan to host in the future. If Caddy has already collaborated with Authelia, it sounds like that will be the solution I go with, thank you.

Now just to learn how to install and configure Crowdsec and Authelia to play nice with Caddy :slight_smile:
