caddy, dmz and web apps

Started by caplam, November 17, 2025, 07:28:12 PM

When I set up OPNsense I created several VLANs.
My main server is Unraid. It has its interface eth0 on the LAN and subinterfaces in the VLANs.
I host several applications (Immich, Nextcloud, Authentik, Home Assistant and many others).
The majority of these applications are installed through Portainer stacks.
Some are accessible from outside, others are restricted to LAN IPs.
I connect to these apps through the Caddy plugin.
When I first set up Caddy (previously I was using NPM in Docker on Unraid) I followed the documentation: (firewall WAN+LAN rule, destination: this firewall, dst ports: 80&443)
I placed devices in the corresponding VLANs when I set up dnsmasq DHCP, but I never took the time to move the apps to another VLAN.
Should I really do that knowing all apps are behind Caddy?

Should I change the firewall LAN rule to the DMZ VLAN? AFAIK the best practice is to put the reverse proxy in the DMZ.
Authentik is used to give access to almost all my apps (through OIDC, LDAP or proxy provider). Should I move it to the DMZ?
I think you can guess I'm a little confused.


I put all applications that are reachable from outside, regardless of whether they are containerized or VMs, in a DMZ. For Docker containers, I have one Docker host for internal services (on the LAN) and one for web services (in the DMZ).

Caddy does not really help if your apps are prone to authentication circumvention attacks, SQL injections or other attacks.

Take a full web UI like Proxmox as an example: I would not expose that with a "dumb" reverse proxy only, but rather use a VPN or limit access to API endpoints. It would be similar for the Portainer UI.

By putting such applications in a separate network zone, potential attacks are mostly limited from spreading outside that zone.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
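As an added example (not from either poster, and not the OPNsense Caddy plugin's generated config), here is a Caddyfile that expresses the split the reply describes: a publicly reachable app whose upstream lives on the DMZ Docker host, and an admin UI that Caddy only forwards for clients coming from the LAN VLAN. All hostnames, subnets and addresses are constructed for illustration.

```caddyfile
# Added example, not from the thread. Constructed addressing:
#   192.168.10.0/24 = LAN VLAN, 10.0.30.0/24 = DMZ VLAN
#   10.0.30.10      = Docker host in the DMZ (web services)
#   192.168.10.20   = Docker host on the LAN (internal services)

# Public app: the upstream sits on the DMZ host, reachable from anywhere.
immich.example.com {
    reverse_proxy 10.0.30.10:2283
}

# Admin UI: forwarded only when the client address is in the LAN VLAN;
# every other source gets a 403 before the request reaches the app.
# This is a source-address filter at the proxy, nothing more: it does not
# fix authentication bypasses or injection bugs inside the app itself.
portainer.example.com {
    @lan remote_ip 192.168.10.0/24
    handle @lan {
        reverse_proxy 192.168.10.20:9000
    }
    respond 403
}
```

Two caveats worth keeping in mind when applying this. First, `remote_ip` matches on the TCP peer address; if another proxy or a CDN sits in front of Caddy, every request will appear to come from that hop and the matcher is only meaningful with a correctly configured `trusted_proxies` setting. Second, if Caddy itself runs in the DMZ, the LAN-only site above needs a firewall rule allowing DMZ to 192.168.10.20 on port 9000, which is exactly the kind of hole segmentation is meant to avoid; for internal-only apps a second proxy instance on the LAN (or a VPN, as the reply suggests) keeps the DMZ without any path back into the LAN.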