Is firewall overkill for my case?
The post describes a Debian VM running on Proxmox VE 9 that hosts a Docker container stack (Immich, Traefik, Authelia), with UFW restricting inbound connections to specific ports. To harden it further, the author considers adding an OPNSense VM as the VM's router, or CrowdSec as a lighter alternative, and in the end chooses a VPN tunnel as a trade-off between privacy/speed and security. 2025-9-25 12:47:25 Author: www.reddit.com

Hi everyone,

I have a Debian VM running on Proxmox VE 9.
Inside it there is a Docker stack: Immich + Traefik + Authelia; I have already set up `ufw` and `ufw-docker`.

Because I will use Immich to store personal media, I want to harden it more. I'm thinking of creating an OPNSense VM to act as the primary router for the Debian VM, but I don't know if it's overkill.
- UFW on Debian only allows TCP/443 incoming connections:

```
To                         Action      From
--                         ------      ----
1022/tcp                   ALLOW       192.168.1.0/24             # Allow SSH access from LAN only
172.21.0.10 443/tcp        ALLOW FWD   Anywhere                   # allow traefik 443/tcp reverse_proxy
```

- Immich is hardened with Authelia two-factor (TOTP)

- Geoblocking plugins on Traefik

In my case, how about using Crowdsec on both the firewall (nftables) and Traefik, instead of spending system resources on OPNSense? I checked the requirements: about 40GB disk space and 4GB RAM.

UPDATE: Never mind, guys. I switched to a VPN tunnel setup to avoid security risk because of my low tech knowledge. A trade-off between privacy/speed and security.
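The poster's claim that UFW "only allows TCP/443" rests on reading the `ufw status` listing by eye, and `ufw-docker` adds its rules as `ALLOW FWD` lines that are easy to overlook. The script below is an added example, not code from the post or from the ufw/ufw-docker projects: it parses a `ufw status` listing (the two rules from the post, retyped here as a constructed sample) and reports any ALLOW/LIMIT rule that accepts traffic from `Anywhere` and is not in an operator-supplied set of intentionally public destinations. The intended-public set and the extra SSH rules in the second sample are assumptions made for the demonstration.

```python
"""Audit a `ufw status` listing for rules exposed more widely than intended.

Added example for this thread, not the poster's code. It assumes the column
layout that `ufw status` prints (To / Action / From, separated by two or more
spaces, optional trailing `# comment`), including the `ALLOW FWD` rows that
ufw-docker creates for published container ports.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two rules shown in the post, in `ufw status` layout.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
1022/tcp                   ALLOW       192.168.1.0/24             # Allow SSH access from LAN only
172.21.0.10 443/tcp        ALLOW FWD   Anywhere                   # allow traefik 443/tcp reverse_proxy
"""

# What the operator intends to be reachable from the internet (assumption).
INTENDED_PUBLIC = {"172.21.0.10 443/tcp"}

PUBLIC_SOURCES = ("Anywhere", "Anywhere (v6)")


@dataclass
class Rule:
    to: str          # destination column, e.g. "1022/tcp" or "172.21.0.10 443/tcp"
    action: str      # ALLOW, DENY, REJECT or LIMIT
    direction: str   # IN (ufw prints nothing for inbound), OUT, or FWD (ufw-docker)
    source: str      # "Anywhere", "Anywhere (v6)", a CIDR or a host
    comment: str     # text after "#", empty if none


# Columns are separated by two or more spaces; "(v6)" and "host port/proto"
# contain a single space and must stay inside their column.
RULE_RE = re.compile(
    r"^(?P<to>\S.*?)\s{2,}"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?: (?P<dir>IN|OUT|FWD))?\s{2,}"
    r"(?P<src>\S+(?: \(v6\))?)"
    r"(?:\s+#\s*(?P<comment>.*?))?\s*$"
)


def parse_status(text: str) -> list[Rule]:
    """Turn `ufw status` output into Rule objects; header/blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Status: active", column headers, separators
        rules.append(Rule(
            to=m.group("to"),
            action=m.group("action"),
            direction=m.group("dir") or "IN",
            source=m.group("src"),
            comment=m.group("comment") or "",
        ))
    return rules


def exposed_to_internet(rules: list[Rule], intended_public: set[str]) -> list[Rule]:
    """Return accept rules reachable from any source whose destination is not
    in the intended-public set. IPv4 and IPv6 twins compare on the same key."""
    return [
        r for r in rules
        if r.action in ("ALLOW", "LIMIT")
        and r.direction != "OUT"
        and r.source in PUBLIC_SOURCES
        and r.to.replace(" (v6)", "") not in intended_public
    ]


def lan_only(rules: list[Rule], destination: str, lan_cidr: str) -> bool:
    """True if every accept rule for `destination` is restricted to `lan_cidr`."""
    matching = [r for r in rules if r.to == destination and r.action in ("ALLOW", "LIMIT")]
    return bool(matching) and all(r.source == lan_cidr for r in matching)


if __name__ == "__main__":
    rules = parse_status(SAMPLE_STATUS)
    for r in rules:
        print(f"{r.direction:<4} {r.action:<6} {r.to:<22} from {r.source}  {r.comment}")
    leaks = exposed_to_internet(rules, INTENDED_PUBLIC)
    print("unexpected public rules:", [r.to for r in leaks] or "none")
    print("SSH limited to LAN:", lan_only(rules, "1022/tcp", "192.168.1.0/24"))
```

Run it against the real listing with `sudo ufw status | python3 audit_ufw.py` after swapping `SAMPLE_STATUS` for `sys.stdin.read()`; anything it prints under "unexpected public rules" is a port the firewall accepts from the whole internet that was not on the intended list.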


Article source: https://www.reddit.com/r/netsecstudents/comments/1nq5u27/is_firewall_overkill_for_my_case/