Cloud Firewall & Zero Trust

This project follows the Defense in Depth principle. Security is not handled by a single tool, but by multiple redundant layers. Even if a service is misconfigured at the Docker level, the external network infrastructure provides a secondary “hard shell” that drops unauthorized traffic.


The first line of defense is the Hetzner Cloud Firewall, a stateful firewall that filters traffic at the edge before it reaches the Virtual Private Server (VPS).

| Protocol | Port Range | Source | Description |
| --- | --- | --- | --- |
| TCP | 80 | Any IPv4/v6 | Public HTTP (Let’s Encrypt validation) |
| TCP | 443 | Any IPv4/v6 | Public HTTPS (Web Traffic) |
| UDP | 41641 | Any IPv4/v6 | Tailscale: Direct P2P VPN Handshake |

To minimize the attack surface, all other ports are strictly blocked by default. This includes:

  • SSH (TCP 22): Public access is denied to prevent brute-force attacks.
  • NPM Admin (TCP 81): The management UI is hidden from the public internet.
  • Database Ports: No database management ports are exposed externally.

Since management ports are blocked from the public internet, all administrative tasks are performed via a Zero Trust Network Access (ZTNA) model using Tailscale.

Instead of connecting to the server’s public IP, we utilize a private WireGuard-based overlay network.

  1. Authentication: The administrator authenticates via a secure SSO provider.
  2. Encrypted Tunnel: A peer-to-peer tunnel is established between the admin machine and the VPS.
  3. Internal Routing: Services are accessed via the server’s internal Tailscale IP (100.x.x.x).

To verify the setup, a port scan from the public internet should show only TCP 80, TCP 443 and UDP 41641 as reachable. Any attempt to reach port 22 or 81 results in a timeout rather than a “connection refused”, because the packets are dropped at the Hetzner edge before they ever reach the OS.
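The verification step above can be automated. The following script is an added example and not part of the original project: it encodes the rule table as a policy oracle, probes the TCP ports with a connect timeout, and flags the case a practitioner cares about most, a blocked port that answers “refused” (the packet reached the OS, so the edge rule is missing) instead of timing out. The host address used in the usage block is a TEST-NET placeholder, not a real server.

```python
"""Check that only the edge allowlist is reachable from the public internet.

Added example, not from the original page. Assumes the rule table above and
that a packet dropped at the edge shows up as a connect() timeout, while a
port that reaches the OS with no listener returns 'refused'."""
import socket

# Inbound allowlist from the rule table; everything else is dropped at the edge.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 41641)}
# Management ports the page requires to be unreachable from the public internet.
MUST_BE_DROPPED = [("tcp", 22), ("tcp", 81)]


def expected(proto: str, port: int) -> str:
    """Policy oracle: 'allow' if the rule table permits it, otherwise 'drop'."""
    return "allow" if (proto, port) in ALLOWED else "drop"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect: 'open', 'refused' (RST came back) or 'timeout'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError, OSError):
        return "timeout"


def assess(proto: str, port: int, observed: str) -> str:
    """Compare an observation with policy. 'refused' on a blocked port means the
    packet reached the host, i.e. only a host-level closure protects it."""
    want = expected(proto, port)
    if want == "allow":
        return "ok" if observed == "open" else "unexpected-blocked"
    if observed == "timeout":
        return "ok"
    if observed == "refused":
        return "edge-bypass"   # closed on the host, but not dropped at the edge
    return "exposed"           # listening on a port that must be dropped


def verify(host: str, prober=probe_tcp) -> dict:
    """Run every TCP check against a host and return {port: verdict}."""
    ports = [p for (pr, p) in ALLOWED if pr == "tcp"] + [p for _, p in MUST_BE_DROPPED]
    return {port: assess("tcp", port, prober(host, port)) for port in sorted(ports)}


if __name__ == "__main__":
    import sys
    # Placeholder address (TEST-NET-3); pass the VPS public IP as argv[1].
    print(verify(sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"))
```

A verdict of `edge-bypass` on port 22 or 81 is the finding to act on: the service may be closed today, but the Hetzner rule that should drop the traffic is not in place.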

Proceed to Nginx Reverse Proxy & Public SSL to see how public traffic is handled once it passes through this firewall.