Security concerns when proxying local-only and internet resources in one instance

Hi,
I have a question about my setup.

I want to proxy services that should only be available internally (.homenetworkdomain) and, at the same time, resources that are accessible from the internet (example.com), on the same Traefik proxy instance.

Would there be any security concerns? Would it be possible to scan the proxy instance from the internet to find out which other services are proxied by Traefik?
My question excludes the problem of user configuration errors; I would only like to know how it looks on the technical side.
The local domain should already not be accessible from the internet; I could also include an IP whitelist on the local service, but yeah.

Thanks

For security, you should use a whitelist on every internal service. Make sure the middleware sees the correct client IP.

Scanning is possible; what the scanner sees depends on the whitelist. Maybe you can just return a 404.

Be aware that the domain name can be faked within an HTTP request, so just having the domain not in public DNS is no protection.

Alternatively, you could run two Traefik instances on the same host listening on different IPs (one for external and one for internal). You just need to make sure that the requests go to the right IP. You can still use Configuration Discovery, as you can filter by service labels. (Doc)

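To make the answer above concrete, here is an added example (not from the original thread or from the Traefik project) of a Traefik v2 dynamic configuration for the file provider. It shows the two points made above: Traefik routes purely on the Host header, so an attacker who sends "Host: app.homenetworkdomain" to your public IP reaches the internal router whether or not that name exists in public DNS, and the only thing that stops them is an IP whitelist attached to that router. The hostnames, LAN range, backend URLs and the certificate resolver name are placeholders.

```yaml
# Added example, not the original poster's configuration.
# Traefik v2 dynamic configuration (file provider); all hosts, IP ranges
# and backend URLs are assumed placeholders.
http:
  middlewares:
    lan-only:
      # Named ipWhiteList in Traefik v2; renamed ipAllowList in Traefik v3.
      # Requests from outside sourceRange are rejected with 403 Forbidden.
      ipWhiteList:
        sourceRange:
          - "192.168.1.0/24"   # assumed LAN range
          - "127.0.0.1/32"
        # Without ipStrategy the remote TCP address is compared, which is
        # the safe default when clients connect to Traefik directly.
        # Only use depth when a trusted proxy sits in front of Traefik AND
        # that proxy is listed in the entrypoint's
        # forwardedHeaders.trustedIPs; otherwise X-Forwarded-For is
        # client-controlled and the whitelist can be bypassed by forging it.
        # ipStrategy:
        #   depth: 1   # take the X-Forwarded-For entry 1 from the right

  routers:
    # Internal-only service: Host rule alone is NOT a protection, because the
    # Host header is chosen by the client. The middleware is what matters.
    internal-app:
      rule: "Host(`app.homenetworkdomain`)"
      entryPoints: ["websecure"]
      middlewares: ["lan-only"]
      service: internal-app
      tls: {}   # served with Traefik's generated default cert; no ACME for a private name

    # Public service: no whitelist, ACME certificate.
    public-site:
      rule: "Host(`example.com`)"
      entryPoints: ["websecure"]
      service: public-site
      tls:
        certResolver: letsencrypt   # assumed resolver name from static config

  services:
    internal-app:
      loadBalancer:
        servers:
          - url: "http://10.0.0.5:8080"   # placeholder backend
    public-site:
      loadBalancer:
        servers:
          - url: "http://10.0.0.6:80"     # placeholder backend
```

To verify the protection from outside, send a request to your public address with a forged Host header, for example: curl -k -H "Host: app.homenetworkdomain" https://<public-ip>/ . Without the middleware this returns the internal application; with it, Traefik answers 403. Note that a 403 still tells a scanner that a router exists for that name, which is why the answer suggests returning a 404 if you want the internal hostnames to be indistinguishable from unknown ones. Also keep an eye on the TLS side: Traefik presents its own generated default certificate for names it has no certificate for, so internal hostnames do not leak through the certificate unless you configure a certificate that lists them.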

Thank you very much. I didn't think about the possibility of HTTP domain faking!
I will set a whitelist for the moment. One idea: would it be possible for Traefik to set the whitelist based on the domain automatically? So if the domain ".privatedomain" is used, it would set a whitelist automatically, and if "example.com" is used, it would not use any whitelist.

About the two instances, maybe you can check my other question, because I think that is exactly what I wanted to achieve: put Traefik on a LAN IP different from the host's, but I am not 100% sure I would do this correctly.

I have no idea about MACVLAN. We have some VMs running with a public IP; we added a private IP on the host (for use with a VLAN). In that case, you should be able to bind the IP/port: ports: - <extIP>:80:80.
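As an added example of the two-instance layout described above (not the original poster's or the Traefik project's configuration), here is a Docker Compose file that binds one Traefik instance to the host's public IP and a second one to its LAN IP, and uses the Docker provider's label constraints so that each instance only discovers the services meant for it. The addresses 203.0.113.10 (public) and 192.168.1.10 (LAN), the label name traefik.scope and the service names are assumptions.

```yaml
# Added example, not from the original thread. Two Traefik v2 instances on one
# host, each bound to a different host IP. 203.0.113.10 and 192.168.1.10 are
# placeholder addresses; traefik.scope is an arbitrary label name chosen here.
services:
  traefik-public:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      # Only containers labelled traefik.scope=public are registered here,
      # so a forged "Host: app.homenetworkdomain" on the public IP matches
      # no router at all and gets Traefik's default 404.
      - --providers.docker.constraints=Label(`traefik.scope`,`public`)
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
    ports:
      - "203.0.113.10:80:80"     # bind to the public IP only
      - "203.0.113.10:443:443"
    volumes:
      # Read-only socket; note this still grants the container broad control
      # over the Docker host, so restrict who can modify this stack.
      - /var/run/docker.sock:/var/run/docker.sock:ro

  traefik-internal:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.constraints=Label(`traefik.scope`,`internal`)
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
    ports:
      - "192.168.1.10:80:80"     # bind to the LAN IP only
      - "192.168.1.10:443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  public-site:
    image: nginx:alpine           # placeholder backend
    labels:
      - traefik.enable=true
      - traefik.scope=public
      - traefik.http.routers.public-site.rule=Host(`example.com`)
      - traefik.http.routers.public-site.entrypoints=websecure

  internal-app:
    image: nginx:alpine           # placeholder backend
    labels:
      - traefik.enable=true
      - traefik.scope=internal
      - traefik.http.routers.internal-app.rule=Host(`app.homenetworkdomain`)
      - traefik.http.routers.internal-app.entrypoints=websecure
```

Two containers can publish the same port as long as they bind to different host IPs, which is what the "ip:hostport:containerport" form in ports does. The separation only holds if the internal IP is genuinely unreachable from the internet (firewall or routing), since nothing in this file prevents a request that does arrive at 192.168.1.10 from being served; the label constraint decides what each instance knows about, not who may talk to it. Keeping the ipWhiteList middleware on the internal routers as well costs nothing and covers the case where an IP is exposed by mistake.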