Network Architecture Prompt: DNS, TLS and Reverse Proxies

Purpose

This reference guide provides architectural patterns for implementing secure network access in homelab environments using DNS, TLS certificates, and reverse proxies.

Architecture Pattern: Secure Internal Services

Layer 1: Network Segmentation

Internet → WAN → pfSense → LAN (Internal Services)
                     ↓
              Reverse Proxy (Nginx Proxy Manager)
                     ↓
         ┌───────────┼───────────┐
         ↓           ↓           ↓
    Proxmox        n8n      Databases
  (192.168.1.10) (.20)       (.30)

Layer 2: DNS Resolution

Option A: Public Domain + Split DNS

External: proxmox.yourdomain.com → Public IP → Cloudflare Tunnel
Internal: proxmox.lab.local → 192.168.1.100 (Reverse Proxy)

Option B: Local DNS Only

All Clients: proxmox.local → 192.168.1.100 (pfSense DNS Resolver)

Layer 3: TLS Termination

Reverse Proxy (Nginx Proxy Manager)

Client (HTTPS) → Nginx Proxy Manager → Backend (HTTP/HTTPS)
              ↓
      Let's Encrypt or Self-Signed Cert

Implementation Checklist

DNS Configuration

pfSense DNS Resolver:

Services → DNS Resolver → Host Overrides
- proxmox.lab → 192.168.1.100
- n8n.lab → 192.168.1.100
- db.lab → 192.168.1.100

Reverse Proxy Setup

Nginx Proxy Manager:

Proxy Hosts:
1. proxmox.lab → https://192.168.1.10:8006
2. n8n.lab → http://192.168.1.20:5678 (WebSockets: ON)
3. db.lab → http://192.168.1.30:5432

SSL Certificate Options

Option 1: Let’s Encrypt (DNS Challenge) - Requires public domain - Uses Cloudflare API - Auto-renewal every 90 days

Option 2: Self-Signed (mkcert) - Local CA installation required - No external dependencies - Manual renewal

Option 3: Cloudflare Origin Certificate - Free 15-year certificates - Only for Cloudflare-proxied domains - Trusted by Cloudflare edge

Security Layers

1. Network Layer

  • pfSense firewall rules
  • VLAN segmentation
  • Port restrictions

2. Transport Layer

  • TLS 1.3 encryption
  • Strong cipher suites
  • HTTP Strict Transport Security (HSTS)

3. Application Layer

  • Authentication (HTTP Basic Auth, OAuth)
  • Access control lists
  • Rate limiting

Common Patterns

Pattern 1: Development Services

Local DNS: service.lab
Certificate: Self-signed (mkcert)
Access: LAN only
Backend: HTTP

Pattern 2: Production Services

Public DNS: service.yourdomain.com
Certificate: Let's Encrypt
Access: Internet (with authentication)
Backend: HTTPS (validated)

Pattern 3: Hybrid Approach

Internal: service.lab (mkcert, LAN)
External: service.yourdomain.com (Let's Encrypt, Cloudflare Tunnel)
Backend: Same service, different access paths

Quick Commands Reference

Test DNS Resolution

nslookup proxmox.lab
dig proxmox.lab +short

Test TLS Certificate

openssl s_client -connect proxmox.lab:443 -servername proxmox.lab
curl -vI https://proxmox.lab

Verify Proxy Configuration

curl -H "Host: proxmox.lab" http://192.168.1.100
curl -I https://proxmox.lab

Decision Matrix

Use Case DNS Certificate Reverse Proxy
Dev/Testing Local (.lab) Self-signed Optional
Internal Prod Local (.lab) mkcert Required
External Access Public (.com) Let’s Encrypt Required
Sensitive Data Local only mkcert Required + Auth

Best Practices

  1. Always use HTTPS for web interfaces
  2. Implement defense in depth (firewall + proxy + auth)
  3. Use strong passwords or key-based auth
  4. Monitor access logs regularly
  5. Keep certificates current (auto-renewal)
  6. Document your architecture in diagrams
  7. Test disaster recovery procedures

Conclusion

Proper network architecture with DNS, TLS, and reverse proxies creates secure, manageable homelab infrastructure. Choose patterns based on your security requirements and access needs.

For detailed implementation, see related articles on Nginx Proxy Manager and pfSense configuration.