Safe / Secure if reverse proxy only allows netbird network range

Context: Self-hosted setup

The reverse-proxy now allows restricting access to the exposed services by network CIDR (and I have explicitly defined a CIDR for the Netbird network). If I restrict the access by this method to the Netbird CIDR, is this a safe and secure setup, in the sense that nobody outside the Netbird network is allowed to access the service?

(See other topic, where I wanted to use the SSH/Certificate features of the reverse-proxy without actually exposing services to the internet, only to members of the Netbird VPN).

I asked the AI and the answer was “yes”, with the restriction that networks I connect to (mainly the cable provider network) must not use the same IP range. Also, header spoofing could possibly be a theoretical problem (X-Forwarded-For, X-Real-IP).

IMHO, both should not be a problem in principle or in my concrete setup.

However, I do not trust AI regarding the security of my network, so a human judgment would be helpful, too.

I’m not a security specialist who could do an actual pentest or similar after setup.

Also, are the general Netbird policies I have defined regarding access from/to internal infrastructure elements still active in this setup?

I would also like to know, if it is possible to expose services like

only to the clients in my BirdNet. Is this somehow possible?

You could use DNS:

And point whatever domain to the NetBird IP address and then expose the service to ONLY the NetBird/CGNAT subnet (100.64.0.0/10) to only allow people on NetBird to access your service(s) directly. (This is what I do, but with a DNS server on the same local net)
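The two caveats raised above (header spoofing via X-Forwarded-For / X-Real-IP, and a provider network that happens to use the same 100.64.0.0/10 range) can be made concrete with a small allow-list check. The following Python is an added example written for this thread, not code from NetBird or from any reverse proxy; it assumes the proxy bases its decision on the real TCP peer address and that the NetBird overlay uses the 100.64.0.0/10 CGNAT subnet named in the reply. The sample requests, the `TRUSTED_PROXIES` set and the function names are constructed for illustration.

```python
"""Added example: evaluating a reverse proxy's CIDR allow-list the way
'allow <cidr>; deny all' should behave, and why forwarding headers must be
ignored unless they come from a trusted upstream proxy.  All sample data is
constructed; nothing here is NetBird's or a proxy's own code."""

import ipaddress

# The overlay subnet mentioned in the thread (NetBird / CGNAT range).
NETBIRD_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Hypothetical: addresses of upstream proxies whose X-Forwarded-For we believe.
# Empty means "trust nobody's headers", which is the safe default when the
# reverse proxy is the first hop that terminates the client's TCP connection.
TRUSTED_PROXIES = frozenset()


def effective_client_ip(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the address the access decision should be based on.

    peer_ip : the address on the TCP connection itself.  A client cannot fake
              this without completing the handshake from that address.
    headers : request headers; may carry X-Forwarded-For / X-Real-IP that a
              client sent itself, hoping to look like an internal peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if peer not in trusted:
        # Direct client: any forwarding header is attacker-controlled, so it is
        # ignored entirely and the peer address is what counts.
        return peer
    # A trusted proxy sits in front of us: the left-most X-Forwarded-For entry
    # (or X-Real-IP) is the origin client it saw.
    forwarded = headers.get("X-Forwarded-For") or headers.get("X-Real-IP")
    if forwarded:
        return ipaddress.ip_address(forwarded.split(",")[0].strip())
    return peer


def is_allowed(peer_ip, headers, allowed=NETBIRD_RANGE,
               trusted_proxies=TRUSTED_PROXIES):
    """CIDR allow-list decision: True only if the effective client is in `allowed`."""
    try:
        client = effective_client_ip(peer_ip, headers, trusted_proxies)
    except ValueError:
        return False  # malformed address in a header: deny rather than guess
    return client in allowed


# Constructed sample requests: (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    ("100.92.1.7", {}),                                  # NetBird peer -> allow
    ("203.0.113.9", {}),                                 # internet client -> deny
    ("203.0.113.9", {"X-Forwarded-For": "100.92.1.7"}),  # spoofed header -> deny
    ("203.0.113.9", {"X-Real-IP": "100.92.1.7"}),        # spoofed header -> deny
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Run the allow-list over a batch of (peer, headers) pairs."""
    return [is_allowed(peer, hdrs) for peer, hdrs in requests]


if __name__ == "__main__":
    for (peer, hdrs), verdict in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{peer:>14} {str(hdrs or '-'):<40} -> {'allow' if verdict else 'deny'}")
```

The spoofed-header cases are denied because the decision never reads X-Forwarded-For from a peer that is not a trusted proxy; a proxy configured to trust forwarding headers from any source would let those requests through. The range-overlap caveat is visible too: an address such as 100.70.3.4 handed out by an ISP's CGNAT is inside 100.64.0.0/10 and passes the CIDR test, so the CIDR rule alone cannot tell it apart from a NetBird peer. That is why the proxy listener for the restricted services should be reachable only over the NetBird interface (so the peer address is always an overlay address), rather than relying on the CIDR rule while the port is also reachable from the provider side.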

This is a solution if I just want a (custom) domain name. I can devise a zone for this and assign hostnames to the zone for IPs.

However I want the SSL certificates of the proxy functionality for the services, too.

That’s maybe possible, but the proxy can’t handle that directly. It’s a case of chicken and egg. Mostly because of who has to get the certificate first, and then how it gets layered down to the actual service.

My solution for this is to have a reverse proxy with Nginx Proxy Manager (NPM). I use the Cloudflare method (DNS) of getting a wildcard certificate for *.home.domain.com and I use that specific wildcard to have an internal-only wildcard. The proxy is for exposing services outside, NPM for inside.