Cloud Firewall
Infrastructure Security Strategy
This project follows the Defense in Depth principle. Security is not handled by a single tool, but by multiple redundant layers. Even if a service is misconfigured at the Docker level, the external network infrastructure provides a secondary hard shell that drops unauthorized traffic.
Hetzner Cloud Firewall
The first line of defense is the Hetzner Cloud Firewall, a stateful firewall that filters traffic before it reaches the Virtual Private Server (VPS).
Inbound Rules (Ingress)
| Protocol | Port Range | Source | Description |
|---|---|---|---|
| TCP | 80 | Any IPv4/v6 | Public HTTP (Let’s Encrypt validation) |
| TCP | 443 | Any IPv4/v6 | Public HTTPS (Web Traffic) |
| UDP | 41641 | Any IPv4/v6 | Tailscale: Direct P2P VPN handshake |
The “Default Drop” Policy
To minimize the attack surface, all other ports are strictly blocked by default. This includes:
- SSH (TCP 22): Public access is denied to prevent brute-force attacks.
- NPM Admin (TCP 81): The management UI is hidden from the public internet.
- Database Ports: No database management ports are exposed externally.
Management Access Preview
Management ports are blocked on the public interface. Administrative access (SSH, NPM GUI, CI/CD) is routed through Tailscale instead. The full Zero Trust setup — Tailnet authentication, OOB management, and Docker port binding — is documented in Tailscale Private Admin Access.
Validation
A port scan from the public internet should only show ports 80, 443, and the Tailscale UDP port (41641) as reachable. Attempts to reach port 22 or 81 on the public IP should time out, as packets are dropped at the Hetzner edge before reaching the OS.
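The following is an added example (not part of this project's own tooling) that turns the validation step into a repeatable check: it parses the grepable output of a public scan (`nmap -oG`) and compares it against the ingress table above. The scan output and the address 203.0.113.10 are constructed samples; in nmap terms a port dropped at the edge shows as `filtered`, while `closed` means a reset came back from the OS, i.e. the firewall rule is missing.

```python
"""Compare a public nmap -oG scan against the intended Hetzner ingress allowlist."""
import re

# Intended public exposure, taken from the inbound rule table.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 41641)}
# Management ports that must be dropped at the edge (expected nmap state: filtered).
MUST_BE_FILTERED = {("tcp", 22), ("tcp", 81)}

# nmap grepable port entries look like "22/filtered/tcp//ssh///" or "41641/open|filtered/udp//////"
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)/")

# Constructed sample scans (203.0.113.10 is a documentation address, not a real host).
SAMPLE_OK = (
    "# Nmap scan (constructed sample)\n"
    "Host: 203.0.113.10 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, "
    "81/filtered/tcp//hosts2-ns///, 443/open/tcp//https///, 41641/open|filtered/udp//////\n"
)
SAMPLE_DRIFT = (
    "Host: 203.0.113.10 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///, "
    "81/open/tcp//hosts2-ns///, 443/open/tcp//https///\n"
)


def parse_grepable(text):
    """Return {(proto, port): state} from the 'Host: ... Ports:' lines of nmap -oG output."""
    seen = {}
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1]
        for port, state, proto in PORT_RE.findall(ports_field):
            seen[(proto, int(port))] = state
    return seen


def check_exposure(scan):
    """Return a list of findings; an empty list means the scan matches the firewall policy."""
    findings = []
    for (proto, port), state in scan.items():
        if state == "open" and (proto, port) not in ALLOWED:
            findings.append(f"{port}/{proto} is open but not in the ingress allowlist")
        if (proto, port) in MUST_BE_FILTERED and state != "filtered":
            # 'closed' means the probe reached the OS and was answered instead of being dropped.
            findings.append(f"{port}/{proto} is {state}, expected filtered (dropped at the Hetzner edge)")
    for proto, port in sorted(ALLOWED):
        # A UDP probe with no answer is reported as open|filtered; that is the best nmap can tell.
        if (proto, port) in scan and scan[(proto, port)] not in ("open", "open|filtered"):
            findings.append(f"{port}/{proto} is {scan[(proto, port)]} but should be reachable")
    return findings
```

Run the real check by feeding `nmap -sS -sU -p T:22,80,81,443,U:41641 -oG - <public-ip>` output from a host outside the tailnet into `check_exposure(parse_grepable(...))`; any non-empty result is a drift between the intended rules and what the internet can see.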
Proceed to Nginx Reverse Proxy & Public SSL to see how public web traffic is handled once it passes through this firewall.