I have an Unraid server running some dockerized services (e.g. Emby & Seafile) that offer web interfaces which now need to be opened up in order to be accessible from outside the LAN.
I've never opened any services to the world and am now having trouble figuring out the correct way to protect the environment. Many off-the-shelf dockerized services (e.g. the Seafile ones) come pre-bundled with nginx/fail2ban et al., but those services really belong in their own containers; otherwise we'd end up with multiple instances of nginx, f2b, ufw running on the server.
Now, my naive logic would lay the docker containers out as follows:
This is still questionable. E.g. should there be a separate volume for all the services' logs, so fail2ban could monitor them?
Whatever the case, am I on the right track here?
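One way to lay this out, as an added docker-compose example that is not from the original post: a single nginx reverse proxy is the only container with published ports, the app containers sit on a Docker network behind it, and one fail2ban container reads the proxy's log through a shared volume mounted read-only (only the proxy sees the real client addresses, so sharing the apps' own logs buys little). Image names, host paths and the `apps` network name are assumptions.

```yaml
# Added example, not the poster's layout: one edge proxy, one fail2ban,
# the apps reachable only through the proxy. Image names, host paths and
# jail settings are assumptions; adjust them to the Unraid appdata layout.
services:
  proxy:
    image: nginx:stable              # the only container that publishes a port
    ports:
      - "443:443"
    volumes:
      - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./proxy/certs:/etc/nginx/certs:ro
      - proxy-logs:/var/log/nginx     # access/error logs, read by fail2ban
    networks: [apps]
    restart: unless-stopped

  emby:
    image: emby/embyserver           # assumed image; note: no `ports:` entry
    volumes:
      - ./emby/config:/config
    networks: [apps]                 # only the proxy can reach it
    restart: unless-stopped

  seafile:
    image: seafileltd/seafile-mc     # assumed image; its bundled nginx stays internal
    volumes:
      - ./seafile/data:/shared
    networks: [apps]
    restart: unless-stopped

  fail2ban:
    image: crazymax/fail2ban         # assumed image
    network_mode: host               # bans must be written to the host firewall
    cap_add: [NET_ADMIN, NET_RAW]    # needed to insert iptables/nftables rules
    volumes:
      - ./fail2ban/data:/data        # jail.d/ and filter.d/ live here
      - proxy-logs:/var/log/nginx:ro # read-only view of the proxy's logs
    restart: unless-stopped

networks:
  apps: {}                           # proxy and apps share this; nothing else joins

volumes:
  proxy-logs: {}
```

Traffic to a published Docker port is forwarded rather than delivered to the host's INPUT chain, so iptables-based jails should set `chain = DOCKER-USER` (e.g. in jail.local), otherwise the bans will not affect the proxied services.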
