I got infected with a crypto-miner via misconfigured qBittorrent
blog.vasi.liI was scratching my head trying to figure out how he got Internet to access qbittorrent on a private IP, but then I read this:
"you see, at some point in time the password was bypassed for users on local network 192.168.1.0/24, however the traefik ingress lives on 192.168.1.1"
which of course is his real problem (reverse proxy, microservices). And of course he has to double down and pile on even more complexity as the solution, instead of throwing out all the crap he's stacked together and coming up with something simple, performant and sane.
I think he wants Traefik's proxied requests to come from a different subnet, that way externally you need to authenticate but internally you don't.
Personally I wouldn't bother with that and instead I would not directly expose the service to the internet at all, and just use a VPN. I don't trust that any services I run are safe to expose to the internet unless they are very intentionally designed for that.