System:Security: Difference between revisions
Latest revision as of 14:04, 16 May 2026
This document describes the security architecture of the reverse proxy system.
Defense in Depth
The system uses multiple layers of security, each of which still holds if the layer in front of it fails:
- Public Layer: Caddy on the VPS is the only internet-facing component. It terminates TLS for all public traffic with certificates issued automatically by Let's Encrypt.
- VPN Layer: An OpenVPN tunnel connects the VPS to the NAS. Everything the proxy forwards to the NAS travels inside this encrypted tunnel.
- Internal Layer: Services on the NAS are reachable only through the VPN tunnel address; no service port on the NAS is exposed to the internet.
- Certificate Security: Automatic renewal prevents an expired certificate from taking the public HTTPS endpoint down or training users to click through warnings.
Security Benefits
- No Direct Exposure: The Synology NAS is not directly accessible from the internet; only the Caddy endpoint on the VPS is public. Note that the proxy still forwards public requests to the proxied services, so those services remain reachable through the VPS and must keep their own authentication (for example the DSM login).
- Encrypted Traffic: All public traffic uses HTTPS; plain HTTP requests are redirected rather than served.
- Isolated Network: Internal services communicate only over the VPN tunnel.
- Certificate Management: Certificates are renewed automatically, so expiry cannot silently break HTTPS.
Security Components
SSL/TLS Encryption
- All public-facing traffic uses HTTPS (TLS terminated by Caddy on the VPS)
- Let's Encrypt certificates are obtained and renewed automatically by Caddy's ACME client; ports 80 and 443 must therefore stay reachable from the internet for the ACME challenges
- HTTP traffic is redirected to HTTPS (Caddy does this by default for every site configured with a hostname)
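The public layer and the certificate handling described above, as an added example Caddyfile. This is not the project's own configuration and is not taken from the linked guides; the hostname nas.example.com, the contact address, and the NAS tunnel address 10.8.0.2 with DSM's plain-HTTP port 5000 are assumptions:

```caddyfile
# Added example Caddyfile for the VPS public layer (not the project's own file).
# Assumed, hypothetical names: public hostname nas.example.com, NAS reachable
# at the OpenVPN tunnel address 10.8.0.2 on port 5000.
{
	# Contact for the Let's Encrypt (ACME) account; expiry warnings go here.
	email admin@example.com
}

nas.example.com {
	# Because a hostname is configured, Caddy's automatic HTTPS obtains a
	# Let's Encrypt certificate, renews it before expiry, and answers plain
	# HTTP on port 80 with a permanent redirect to HTTPS. No extra directive
	# is needed for the redirect or the renewal.

	# Tell browsers never to fall back to HTTP for this host.
	header Strict-Transport-Security "max-age=31536000; includeSubDomains"

	# The only upstream is the NAS's tunnel address. The request leaves the
	# VPS through the VPN, so it is encrypted in transit even though the
	# upstream itself is plain HTTP. Never put the NAS's LAN or public
	# address here. (If you proxy to DSM's HTTPS port 5001 instead, trust
	# its certificate explicitly rather than using tls_insecure_skip_verify.)
	reverse_proxy 10.8.0.2:5000 {
		# Caddy already sets X-Forwarded-For/-Proto/-Host; add X-Real-IP so
		# DSM's login auditing and auto-block see the internet client, not the VPS.
		header_up X-Real-IP {remote_host}
	}
}
```

After reloading, `curl -I http://nas.example.com/` should return a 308 with a `Location: https://...` header, and `curl -I https://nas.example.com/` should carry the Strict-Transport-Security header; both are quick checks that the public layer behaves as the list above claims.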
VPN Encryption
- OpenVPN provides the encrypted tunnel between the VPS and the NAS
- All internal traffic between the two hosts goes through the tunnel and is encrypted
- VPN clients authenticate with X.509 certificates issued by a private CA rather than with shared passwords; a client certificate whose key is lost must be revoked on the server
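The certificate-based VPN layer above, as an added example OpenVPN server configuration. It is not the project's own file and not taken from the linked OpenVPN Server guide; it assumes the VPS runs the server on UDP 1194 with the NAS connecting as a client, a tunnel subnet of 10.8.0.0/24, and PKI files under /etc/openvpn/server/ (all hypothetical):

```conf
# Added example server.conf (not the project's own). Assumed, hypothetical
# layout: VPS is the OpenVPN server, tunnel subnet 10.8.0.0/24, PKI files
# created with easy-rsa under /etc/openvpn/server/.
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0

# Certificate-based authentication: server and clients present X.509
# certificates issued by the private CA. A client without a valid, unrevoked
# certificate is rejected before any data channel exists.
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vps.crt
key  /etc/openvpn/server/vps.key
dh   none                        # ECDH key exchange, no static DH parameters
verify-client-cert require       # never fall back to password-only clients
# Only certificates issued as client certs may connect as clients, so a leaked
# server cert cannot be replayed as a client and vice versa.
remote-cert-tls client
# Revocation list for lost or retired client keys; regenerate it whenever a
# client is removed so the old certificate stops working immediately.
crl-verify /etc/openvpn/server/crl.pem

# tls-crypt encrypts and authenticates the TLS control channel with a
# pre-shared key, so unauthenticated packets are dropped before TLS parsing.
tls-crypt /etc/openvpn/server/tc.key
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256

# No "push redirect-gateway" and no "client-to-client": the tunnel carries
# only VPS <-> NAS traffic, it is not a general-purpose VPN.
# Drop privileges once the socket and tun device are open.
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 60
verb 3
```

The NAS-side client configuration then needs its own client certificate and key, the CA certificate, the same tc.key, and `remote-cert-tls server` so that the NAS also refuses to talk to anything that does not hold the server certificate.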
Network Isolation
- Internal services are accessible only via the VPN tunnel address
- The Synology NAS has no direct internet exposure (no port forwarding to it on the home router)
- Firewall rules control traffic flow: the VPS accepts inbound connections only on the public HTTPS ports and the OpenVPN port, and the proxied service ports on the NAS accept connections only from the tunnel
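The VPS side of the "firewall rules control traffic flow" point above, as an added example nftables ruleset. It is not the project's own ruleset; the interface name tun0, the tunnel subnet 10.8.0.0/24, the OpenVPN port 1194 and SSH on port 22 are assumptions. The matching rule on the NAS (allow the proxied ports only from 10.8.0.0/24) is set in the DSM firewall and is not shown here:

```nft
# Added example /etc/nftables.conf for the VPS (not the project's own ruleset).
# Assumed, hypothetical names: OpenVPN interface tun0, tunnel subnet
# 10.8.0.0/24, OpenVPN on UDP 1194, administrative SSH on TCP 22.
flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		iif lo accept
		ct state established,related accept
		ct state invalid drop
		meta l4proto { icmp, ipv6-icmp } accept

		# Public layer: only Caddy (80 for the redirect and ACME HTTP-01,
		# 443 for TLS) and the OpenVPN endpoint are reachable from anywhere.
		tcp dport { 80, 443 } accept
		udp dport 1194 accept

		# Administration. Narrow this to a known source range where possible.
		tcp dport 22 accept

		# Internal layer: traffic arriving through the tunnel from the NAS
		# side. iifname (not iif) is used so the rule loads even before
		# OpenVPN has created tun0.
		iifname "tun0" ip saddr 10.8.0.0/24 accept

		# Everything else, including any NAS service port that might be
		# listening on the VPS, is dropped by the chain policy.
	}

	chain forward {
		# The VPS is a reverse proxy, not a router: nothing is forwarded
		# between the internet and the tunnel.
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}
```

Load it with `nft -f /etc/nftables.conf` and confirm from an outside host that `nmap -p- <vps-ip>` shows only 22, 80 and 443 open and `nmap -sU -p 1194 <vps-ip>` shows the OpenVPN port; any NAS service port visible from outside means the proxy upstream was pointed at the wrong address.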
Related Documentation
- [Network Architecture](network-architecture.md) - Network topology
- [Key Components](components.md) - Component details
- [OpenVPN Server](index.md) - VPN security configuration