
Masking Your Homelab Static IP with Your VPS IP

If you run a homelab, you might be proud of the services and projects hosted on your own hardware. However, exposing your homelab's static IP to the public can open you up to unwanted attention and potential attacks. One smart strategy to safeguard your infrastructure is to route all external traffic through a Virtual Private Server (VPS). This not only hides your homelab's real IP behind the VPS’s IP but also adds an extra layer of security to your setup.

The Idea Behind Using a VPS as a Proxy

By placing a VPS in front of your homelab, you ensure that any external request first hits the VPS. The VPS then forwards the request to your homelab, acting as a secure intermediary. This way, your homelab's static IP remains hidden from the outside world, reducing the risk of direct attacks or probing.

How It Works: The Nginx Configuration

Here’s an Nginx configuration that achieves this setup:

server {
    listen 80;
    server_name *.homelab.meanii.dev;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name *.homelab.meanii.dev;

    ssl_certificate /etc/letsencrypt/live/homelab.meanii.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/homelab.meanii.dev/privkey.pem;

    location / {
        proxy_pass https://<homelab-ip>:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        proxy_ssl_name $host;  # Pass the hostname for SNI
        proxy_ssl_server_name on;  # Enable SNI
        proxy_ssl_verify off;  # Keep this off if you're using self-signed certificates
    }
}

Breaking Down the Configuration

  1. HTTP to HTTPS Redirection
    The first server block listens on port 80 (HTTP) and redirects all traffic to HTTPS:
server {
    listen 80;
    server_name *.homelab.meanii.dev;
    return 301 https://$host$request_uri;
}

This ensures that no insecure HTTP traffic reaches your services.

  2. Secure HTTPS Handling on the VPS
    The second server block listens on port 443 (HTTPS) and uses Let's Encrypt SSL certificates:
server {
    listen 443 ssl;
    server_name *.homelab.meanii.dev;

    ssl_certificate /etc/letsencrypt/live/homelab.meanii.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/homelab.meanii.dev/privkey.pem;
}

With valid SSL certificates, your VPS securely terminates HTTPS connections.

  3. Proxying Traffic to Your Homelab

Within the HTTPS server block, the location / block handles forwarding the traffic to your homelab:

    location / {
        proxy_pass https://<homelab-ip>:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        proxy_ssl_name $host;  # Pass the hostname for SNI
        proxy_ssl_server_name on;  # Enable SNI
        proxy_ssl_verify off;  # Keep this off if using self-signed certificates
    }

Here’s what happens:

  • Proxy Pass: The proxy_pass directive routes traffic to your homelab's HTTPS endpoint.
  • Header Forwarding: The proxy_set_header directives pass the original Host header, the client's IP address, and the original scheme to your homelab. This is useful for logging and handling client-specific behavior.
  • SNI Support: proxy_ssl_name and proxy_ssl_server_name ensure that your homelab receives the correct domain name via SNI (Server Name Indication).
  • SSL Verification: With proxy_ssl_verify off, Nginx does not verify the certificate presented by the backend. The VPS-to-homelab connection is still encrypted, but the VPS does not authenticate the server it is talking to. This is often necessary for self-signed certificates common in homelab setups. If your homelab uses a valid certificate, consider enabling verification.
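The following is an added example, not part of the original configuration: the same location block with backend verification turned on for a self-signed homelab certificate, plus a homelab-side server block that accepts connections from the VPS only. The certificate paths, the `<vps-ip>` placeholder and the local upstream address are assumptions.

```nginx
# VPS side: the location block with backend verification enabled
location / {
    proxy_pass https://<homelab-ip>:443;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;                      # overwrites any client-sent value
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # appends to any client-sent value
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_ssl_server_name on;   # send SNI to the homelab
    proxy_ssl_name $host;       # name sent in SNI and checked against the backend certificate

    # Weak setting from the original block: the hop is encrypted, but the
    # VPS accepts whatever certificate the backend presents.
    # proxy_ssl_verify off;

    # Corrected: trust only the homelab's self-signed certificate (or the
    # private CA that issued it). The backend certificate must cover the
    # requested hostname, e.g. a wildcard SAN for *.homelab.meanii.dev.
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/trust/homelab.pem;   # assumed path
}

# Homelab side: accept proxied traffic from the VPS only
server {
    listen 443 ssl;
    server_name *.homelab.meanii.dev;

    ssl_certificate     /etc/nginx/certs/homelab.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/homelab.key;   # assumed path

    # The forwarded headers are only trustworthy if the VPS is the sole
    # sender; any other peer could set them to arbitrary values.
    allow <vps-ip>;   # placeholder for the VPS address
    deny all;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed local service
    }
}
```

On the homelab, prefer X-Real-IP over the first X-Forwarded-For entry when logging the client address, since the VPS overwrites the former but only appends to the latter.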

Benefits of Masking Your Homelab IP

  • Enhanced Security: The VPS acts as a shield, hiding your homelab’s IP from potential attackers. Even if someone targets your domain, they’ll only see the VPS's IP address.
  • Privacy: By not exposing your homelab's static IP, you reduce the risk of direct DDoS attacks or scanning attempts against your personal infrastructure.
  • Flexibility and Control: Using a VPS provides you with additional management options. You can easily scale, apply security updates, or change routing policies without modifying your homelab.
  • Seamless SSL Termination: With SSL termination at the VPS, your homelab can remain behind a secure layer without needing to handle the complexities of managing public certificates directly.

Final Thoughts

Masking your homelab’s static IP with a VPS IP is a smart move for anyone looking to protect their personal or experimental infrastructure. By using Nginx as a reverse proxy, you not only safeguard your homelab from direct exposure but also benefit from improved security, privacy, and control. Whether you’re running a small personal server or a larger homelab environment, this approach provides an extra layer of defense in an increasingly hostile internet landscape.