caddy, dmz and web apps

[caplam]

When i setup opnsense i created several vlans.
My main server is unraid. It has its interface eth0 on lan and subinterfaces in vlans.
I host several applications (immich, nextcloud, authentik, homeassistant and many others).
The majority of these applications are installed through portainer stacks.
Some are accessible from outside, others are restricted to lan ip.
I connect to these apps through caddy plugin.
When i first setup caddy (previously i was using npm docker on unraid) i followed the documentation: (firewall wan+lan rule destination: this firewall dst ports: 80&443) 
I placed devices in according vlans when i setup dnsmasq dhcp but I never took the time to move the apps on another vlan.
Should i really do that knowing all apps are behind caddy?
 
Should i change the firewall lan rule to dmz vlan ? afaik the best practice is to put the reverse proxy in dmz.
Authentik is used to give access to almost all my apps (through oidc, ladp or proxy provider) should i move it to dmz ?
I think you would guess i'm a little confused.

 

[meyergru]

I put all applications that are reachable from outside, regardless if they are containerized or VMS, in a DMZ. For docker containers, I have one docker host for internal services (on LAN) and one for web services (in DMZ).

Caddy does not really help if your apps are prone to authentication circumvention attacks, SQL injections or other attacks.

Take a full web UI like Proxmox as an example - I would not expose that with a "dumb" reverse proxy only, rather use a VPN or limit access to API endpoints. It would be similar for the Portainer UI.

By putting such applications in a separate network zone, potential attacks are mostly limited to spreading outside that zone.

[caplam]

Thank you for your answers.
I have only one docker host; but now when i create a bridge network for a stack i bind it to a particular subinterface of the host as per default docker listen to all interfaces. For compose stacks i put the webserver in a macvlan (if it's more convenient) or a bridge in the dmz vlan and the others containers in another vlan network.

My authentik stack authenticates apps for lan or internet users and also apps only accessible from lan. For now its listening interface is in the lan but i wonder if i should move it to dmz. I'm also trying to force all apps through caddy and authentik to have an authentication and use the same hostname to access it whether i'm inside or outside.

The same goes for caddy. If i understood correctly caddy process is listening on all interfaces. But i think i don't really get the path of a packet.
Caddy listen on ports 80&443.
If the request comme from outside, it arrives on wan interface which caddy listens to. Then it processes the request to upstream server or forward the request to authenticating server depending on the authentication type (oauth or proxy).
For this request to be actually effective you need a firewall rule on wan interface to pass the pack to "this firewall".
If the request comes from the inside on the interface (LAN for now) where the user is. Then the request is processed as in the first case.
For this request to be actually effective you need a firewall rule on lan interface (or the interface on vlan where users resides) to pass the pack to "this firewall".
So if i'm correct when the reverse proxy is on the firewall itself you can't really put it in the dmz. The only thing i can do is move authentik to dmz and eventually change my users vlan from lan to another one.
Another thing i need to take care of is that the app with oidc provider need to contact the authentik server. For now as authentik is in the lan i have a firewall rule passing request from apps in the dmz with oidc provider to authentik server (not sure about that one as i don't which container of the stack actually makes the request).
For example i have a jellyfin docker in dmz which can't authenticate without such a rule (it's only one container).
But i have a nextcloud-aio (13 containers in a vlan bridge and the apache one in dmz bridge) which can authenticate without the rule.

Forget about that my authentik stack is still in a bridge network that is not bound to a particular interface so it listens to all. I consider this as a security hole and i have to modify my authentik bridge network so that it listens to only one interface.
I guess it's the danger to have a docker host with several interfaces.