VLAN DMZ for website server (ubuntu server) or any other way of doing it?

Started by flamur, October 25, 2025, 11:00:51 PM

Hi,

I am just starting my life time goal to have a somewhat serious network at home and to host my own websites.

I have just installed an OPNsense firewall as the first node from the fiber. I then connected a newly installed Ubuntu server to the firewall.

My plan, after some googling and reading, is to create a separate VLAN and DMZ for that server.

What makes it a bit tricky is that I have a TrueNAS SCALE server with NGINX, proxied through Cloudflare. So before this I just pointed Cloudflare to my public IP and then my Asus router would port-forward that to my TrueNAS SCALE server with NGINX, which pointed the traffic to my website server.

Taking this into account, my NGINX would be on a separate VLAN, not the DMZ, to keep it "internal" and safer. But I am not sure how it would be able to direct traffic to my new website server within the other VLAN with the DMZ setup.

My question is perhaps too broad, since I don't really know where to start with this. Does anyone have a guide on this specific thing? Or can point me in the right direction?

Or would you recommend any other (more secure) setup for my website server?

Best regards,

Flamur

Usually, you would just use a reverse proxy like Caddy or HAProxy (there are howtos for those in the tutorial section) to redirect requests to any web backend by name. Using it this way, you do not need to know any ports, just the DNS names for the servers. The reverse proxy does the TLS termination and also fetches the certificates via ACME.sh (preferably via wildcard domains). You would open up ports 80 and 443 on your OPNsense, while the web UI is put on another arbitrary port.

By setting up a separate DMZ VLAN for the backend web server(s), you would then make sure that if one is getting hacked, they cannot get through to your valuable resources on LAN. Since OPNsense has access to all VLANs, you can put the backends anywhere.

For this to work, you must (these are quite some tasks):

1. Divert the OPNsense web UI to other ports.
2. Set up a working DMZ VLAN with separation from your LAN to put your web server into.
3. Configure the reverse proxy.
4. Set up certificate generation.
5. Configure DNS names to point to your OPNsense instance (potentially involving DDNS).

Cloudflare works differently, AFAIK. They use a reverse tunnel from your web service to Cloudflare, which works much like a VPN. This way, nobody using your web service ever gets to know your real IP or contacts it via ports 80/443. This has the advantage of working even if you are behind CG-NAT, where you cannot set up an open port to work from the outside in, in the first place. Your web backend can exist in a separate DMZ VLAN as well in this scenario. Since the connection is done from you to Cloudflare and not the other way around, you also do not have to deal with (D)DNS or expose anything directly to the internet.

For this to work, you must set up:

1. A working separate DMZ VLAN which can access the internet. You place your web server in that DMZ.
2. Cloudflare reverse proxy with certificates.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
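Both setups in the reply above hinge on step 2 (a DMZ VLAN that is separated from LAN but can still reach the internet), and the first setup additionally opens 80/443 on the firewall for the reverse proxy. The following is an added example, not code from the thread or from OPNsense: a small first-match rule evaluator that models one such policy so you can check which flows it passes and which it blocks before building the real rules. The addresses (LAN 192.168.1.0/24, DMZ 10.20.0.0/24, a gateway of 10.20.0.1, WAN 203.0.113.10) and the admin-SSH and DNS rules are constructed assumptions, and the evaluator is a simplified model, not OPNsense's rule engine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for this example; the thread names no addresses.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("10.20.0.0/24")
DMZ_GATEWAY = ipaddress.ip_address("10.20.0.1")   # firewall's own address on the DMZ VLAN
WAN_IP = ipaddress.ip_address("203.0.113.10")     # documentation-range placeholder
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: object                   # "any", a network, or a list of networks
    dst: object                   # "any", a network, an address, or a list of them
    dports: Optional[frozenset]   # None means any destination port
    proto: str                    # "tcp", "udp" or "any"
    desc: str


def _in_scope(addr, scope) -> bool:
    """True if addr is covered by scope ("any", one item, or a list of items)."""
    if scope == "any":
        return True
    items = scope if isinstance(scope, list) else [scope]
    for item in items:
        if isinstance(item, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
            if addr == item:
                return True
        elif addr in item:
            return True
    return False


def _matches(rule, src, dst, dport, proto) -> bool:
    return (_in_scope(src, rule.src)
            and _in_scope(dst, rule.dst)
            and (rule.dports is None or dport in rule.dports)
            and rule.proto in ("any", proto))


# Per-ingress-interface rulesets, evaluated top to bottom, first match wins.
# Order matters on the DMZ: the DNS exception must sit above the private-range block,
# because the gateway address itself lies inside 10.0.0.0/8.
RULESETS = {
    "dmz": [
        Rule("pass", DMZ, DMZ_GATEWAY, frozenset({53}), "udp", "DNS via the firewall's resolver"),
        Rule("block", DMZ, RFC1918, None, "any", "DMZ must not reach LAN or any other private network"),
        Rule("pass", DMZ, "any", None, "any", "DMZ may reach the internet (updates, outbound tunnel)"),
    ],
    "lan": [
        Rule("pass", LAN, DMZ, frozenset({22}), "tcp", "admin SSH from LAN into the DMZ (assumed)"),
        Rule("pass", LAN, "any", None, "any", "LAN default allow"),
    ],
    "wan": [
        Rule("pass", "any", WAN_IP, frozenset({80, 443}), "tcp", "public HTTP(S) ends on the reverse proxy"),
        # anything else arriving from WAN falls through to the default deny
    ],
}


def ingress_interface(src) -> str:
    """Pick the ruleset by where the packet enters the firewall."""
    if src in DMZ:
        return "dmz"
    if src in LAN:
        return "lan"
    return "wan"


def evaluate(src_ip, dst_ip, dport, proto="tcp"):
    """Return (action, description) of the first matching rule, or the default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in RULESETS[ingress_interface(src)]:
        if _matches(rule, src, dst, dport, proto):
            return rule.action, rule.desc
    return "block", "default deny"


if __name__ == "__main__":
    # Constructed sample flows, including what a compromised DMZ host would try.
    flows = [
        ("10.20.0.10", "192.168.1.50", 445, "tcp"),   # hacked web server -> LAN file share
        ("10.20.0.10", "10.20.0.1", 53, "udp"),       # web server -> firewall DNS
        ("10.20.0.10", "1.1.1.1", 443, "tcp"),        # web server -> internet
        ("192.168.1.50", "10.20.0.10", 22, "tcp"),    # admin -> web server
        ("198.51.100.7", "10.20.0.10", 443, "tcp"),   # internet -> web server directly
        ("198.51.100.7", "203.0.113.10", 443, "tcp"), # internet -> reverse proxy on firewall
    ]
    for src, dst, port, proto in flows:
        action, why = evaluate(src, dst, port, proto)
        print(f"{src:>14} -> {dst:<14} {proto}/{port:<4} {action:<5} ({why})")
```

The point to take from the run is the rule ordering on the DMZ interface: a blanket "DMZ to any" pass placed above the private-range block would silently let the web server reach LAN, which is exactly the isolation step 2 is meant to provide. In the Cloudflare-tunnel variant the "wan" ruleset can stay empty (default deny), since the tunnel is an outbound connection from the DMZ host and is covered by the last DMZ rule.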