Network Configuration¶
Our server infrastructure is designed with a strong focus on security, reliability, and maintainability. The following outlines the key technical choices and configurations implemented for networking:
Firewall and Port Management¶
- Ingress Traffic: From the public internet, the server accepts new connections only on TCP 443 (HTTPS) and TCP 80 (HTTP). Only web traffic is reachable from outside, which limits the externally exposed attack surface to the web front end. Tailscale needs no inbound rule of its own: its WireGuard tunnels are brought up from the host outbound and fall back to Tailscale's DERP relays when a direct path cannot be negotiated, so management access never depends on a publicly open port (UDP 41641 may optionally be opened to favour direct connections).
- Port Blocking: The firewall's default policy is deny. Every port other than 80 and 443 is dropped on the public interface, so non-essential services (SSH, databases, dashboards, application ports) are unreachable from the internet even when a process binds to all interfaces. Services intended for internal use are reached over the Tailscale interface (tailscale0 on Linux), where the firewall admits them, never over the public interface.
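The check below is added here as a worked example; it is not code from this page or from the project. It verifies the property the two bullets describe from the host side: it parses the output of `ss -ltnH` (a constructed sample is embedded; the process names and the 100.101.102.103 tailnet address are assumptions) and flags any listener bound to all interfaces on a port other than 80 or 443, that is, a service that relies on the firewall alone to stay off the internet and would be exposed by a single bad firewall reload.

```python
import ipaddress

# Ports that may legitimately be bound on every interface: the public web
# front end described in the firewall section.
PUBLIC_PORTS = {80, 443}

# Tailscale assigns node addresses from 100.64.0.0/10 and fd7a:115c:a1e0::/48.
TAILNET_RANGES = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)

# Constructed sample of `ss -ltnH` output; not captured from a real host.
# The java process on 0.0.0.0:3000 stands in for a dashboard that was started
# without binding it to the tailnet address (an assumed misconfiguration).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=812,fd=5))
LISTEN 0 4096 [::]:443 [::]:* users:(("nginx",pid=812,fd=7))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=611,fd=7))
LISTEN 0 128 100.101.102.103:22 0.0.0.0:* users:(("sshd",pid=540,fd=3))
LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:* users:(("java",pid=990,fd=9))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=700,fd=6))
"""


def parse_ss_line(line):
    """Return (address, port, process) for one `ss -ltnH` row."""
    fields = line.split()
    addr, port = fields[3].rsplit(":", 1)   # local address is the 4th column
    addr = addr.strip("[]")                 # IPv6 literals are printed as [::]
    process = "?"
    if len(fields) > 5 and fields[5].startswith("users:"):
        process = fields[5].split('"')[1]   # users:(("nginx",pid=...)) -> nginx
    return addr, int(port), process


def classify(addr):
    """Where a listener is reachable from, judged by its bind address."""
    if addr in ("0.0.0.0", "::", "*"):
        return "all"                        # every interface, public one included
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in TAILNET_RANGES):
        return "tailnet"
    return "other"


def audit_listeners(ss_output, public_ports=PUBLIC_PORTS):
    """Flag listeners that rely on the firewall alone to stay off the internet."""
    findings = []
    for line in ss_output.splitlines():
        if not line.strip():
            continue
        addr, port, process = parse_ss_line(line)
        scope = classify(addr)
        if scope == "all" and port not in public_ports:
            findings.append((process, addr, port,
                             "bound to all interfaces; only the firewall keeps it off the internet"))
        elif scope == "other":
            findings.append((process, addr, port,
                             "bound to an address that is neither loopback nor tailnet"))
    return findings


if __name__ == "__main__":
    for process, addr, port, why in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{process} on {addr}:{port}: {why}")
```

Run it against live output with `ss -ltnH | python3 audit_listeners.py` after swapping the sample for `sys.stdin.read()`; a clean result means every non-web service is bound to loopback or to the tailnet address, so the firewall is a second layer rather than the only one.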
Site-to-Site Networking with Tailscale¶
We utilize Tailscale to establish a secure, encrypted mesh network between our servers and authorized developer machines. Tailscale leverages the WireGuard protocol for secure communication and provides the following capabilities:
- Secure SSH Access: Developers and administrators SSH into the server over its Tailscale address, so sshd never has to be reachable from the public internet and only sees peers that WireGuard has already authenticated.
- Exit Node Functionality: The server can be configured as an exit node (`tailscale up --advertise-exit-node`, with IP forwarding enabled on the host), allowing authorized users to route all of their internet traffic through it so that it egresses from the server's public IP. This is useful for reaching third-party services (e.g., SFTP endpoints, partner APIs) that allow-list the server's address, enabling local debugging against them. An exit node must be approved in the Tailscale admin console, and its use is governed by the ACL policy (the `autogroup:internet` destination), so it should be granted only to the users who need it; while an exit node is selected, a developer's entire internet traffic leaves through the server.
- Server-to-Server Communication: Internal services (such as Metabase or other application components) talk to each other over their Tailscale addresses, so the traffic travels inside WireGuard tunnels, end-to-end encrypted even when relayed through DERP, and is never exposed on a public interface.
- Access Control: Tailscale ACLs (Access Control Lists) define which users, groups and tagged nodes may reach which destination host and port. The policy is allow-only with an implicit default deny: a connection succeeds only if an `accept` rule covers it, and the rule is enforced by the receiving node's packet filter as well as by the control plane. A developer who is allowed to SSH to an application server therefore still cannot reach a database port unless a rule grants it.
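The policy below is an added example, not the project's actual ACL file: a Tailscale policy of the kind these bullets describe (the groups, tags, users and hostnames are assumptions), together with a deliberately simplified evaluator that shows why the ACL is default deny. It models users, `group:`, `tag:`, `autogroup:member` and `*` in `src`, and `host:port` entries in `dst`; IP and CIDR hosts, the `autogroup:internet` destination used for exit nodes, and Tailscale SSH rules are not modelled, and the real evaluation is done by Tailscale, not by this code.

```python
# Tailscale policy file contents (HuJSON in the admin console), written here
# as a Python dict. Group members, tags and node names are assumptions.
POLICY = {
    "groups": {
        "group:dev": ["alice@example.com", "bob@example.com"],
    },
    "tagOwners": {
        "tag:app-server": ["group:dev"],
        "tag:db": ["group:dev"],
        "tag:metabase": ["group:dev"],
    },
    "acls": [
        # Developers may SSH to application servers; nothing else is opened to them.
        {"action": "accept", "src": ["group:dev"], "dst": ["tag:app-server:22"]},
        # Metabase reaches PostgreSQL on the database hosts, and only that port.
        {"action": "accept", "src": ["tag:metabase"], "dst": ["tag:db:5432"]},
        # Application servers reach the database too.
        {"action": "accept", "src": ["tag:app-server"], "dst": ["tag:db:5432"]},
    ],
}

# Nodes are modelled by the identity Tailscale attaches to them: a user for
# personal devices, tags for servers (tagged nodes carry no user identity).
ALICE_LAPTOP = {"user": "alice@example.com", "tags": []}
CAROL_LAPTOP = {"user": "carol@example.com", "tags": []}   # not in group:dev
APP_SERVER = {"user": None, "tags": ["tag:app-server"]}
DB_SERVER = {"user": None, "tags": ["tag:db"]}
METABASE = {"user": None, "tags": ["tag:metabase"]}


def identity_matches(entry, node, policy):
    """Does one host entry (user, group:, tag:, autogroup:member or *) cover node?

    Simplified: IP/CIDR hosts and other autogroups are not handled.
    """
    if entry == "*":
        return True
    if entry.startswith("group:"):
        return node["user"] in policy["groups"].get(entry, [])
    if entry.startswith("tag:"):
        return entry in node["tags"]
    if entry == "autogroup:member":
        return node["user"] is not None and not node["tags"]
    return entry == node["user"]


def port_matches(spec, port):
    """Port part of a dst entry: '*', a single port, or 'lo-hi'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def is_allowed(policy, src_node, dst_node, port):
    """ACLs are allow-only: a flow is permitted iff some accept rule covers it."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(identity_matches(s, src_node, policy) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, port_spec = dst.rsplit(":", 1)   # "tag:db:5432" -> ("tag:db", "5432")
            if identity_matches(host, dst_node, policy) and port_matches(port_spec, port):
                return True
    return False   # nothing matched: implicit default deny


if __name__ == "__main__":
    checks = [
        ("alice -> app-server:22", ALICE_LAPTOP, APP_SERVER, 22),
        ("alice -> db:5432", ALICE_LAPTOP, DB_SERVER, 5432),
        ("carol -> app-server:22", CAROL_LAPTOP, APP_SERVER, 22),
        ("metabase -> db:5432", METABASE, DB_SERVER, 5432),
        ("metabase -> app-server:22", METABASE, APP_SERVER, 22),
    ]
    for label, src, dst, port in checks:
        print(f"{label}: {'allow' if is_allowed(POLICY, src, dst, port) else 'deny'}")
```

The point the evaluator makes is that every reachable (source, destination, port) triple must be written down: alice reaches port 22 on application servers because of the first rule, but nothing lets her laptop, or the Metabase node, open the database port directly, and carol, who is not in `group:dev`, reaches nothing at all.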
Use Cases Covered¶
- Developer Access: Developers can securely access staging and production environments for debugging and maintenance without exposing sensitive ports.
- Database and Analytics Integration: Metabase connects to the application databases over their Tailscale addresses, so the database ports are never opened on the internet and the ACL policy limits which nodes may reach them.
- Operational Flexibility: The Tailscale network can be extended to additional servers or cloud resources as needed, supporting future scalability and integration requirements.
Monitoring and Auditing¶
- Connection Logging: Tailscale's configuration audit log records every change to the tailnet (ACL edits, device authorizations, key expiry changes, exit-node approvals), and network flow logs, where enabled for the tailnet, record which node connected to which peer and port. Together with the server's own sshd authentication log these allow access patterns to be reviewed and unexpected access to be spotted quickly; the sshd log remains the authoritative record of who actually logged in.
- Firewall Logging: The server's firewall logs blocked connection attempts on the public interface together with accepted connections, for further analysis and compliance. Drop logging should be rate-limited so that a port scan cannot flood the log, and for the permitted web traffic the web server's access log is the more useful record, since the firewall sees only the connection and not the request.
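Added example, not part of the original page: detection logic run over constructed firewall log lines. It assumes the drop rule logs with the prefix `nft-drop: ` (an assumption; any prefix works) and that the kernel's netfilter log lines reach journald or syslog in the usual `KEY=VALUE` form. The sample includes an sshd line to show that non-firewall lines are ignored, and the summary flags a source that probes many distinct ports as a likely scan while merely counting repeated hits on one port, which is the everyday background noise against the closed SSH port.

```python
import re
from collections import defaultdict

# Kernel log lines as produced by an nftables rule of the form
#   log prefix "nft-drop: " drop
# in the input chain. The prefix and every line below are constructed for the
# example; addresses are from the documentation ranges, not real traffic.
LOG_PREFIX = "nft-drop: "
SAMPLE_LOG = """\
Mar 10 09:12:01 web1 kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TTL=51 ID=1001 PROTO=TCP SPT=42011 DPT=22 SYN URGP=0
Mar 10 09:12:01 web1 kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TTL=51 ID=1002 PROTO=TCP SPT=42012 DPT=23 SYN URGP=0
Mar 10 09:12:02 web1 kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TTL=51 ID=1003 PROTO=TCP SPT=42013 DPT=3389 SYN URGP=0
Mar 10 09:12:02 web1 kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TTL=51 ID=1004 PROTO=TCP SPT=42014 DPT=5432 SYN URGP=0
Mar 10 09:12:03 web1 kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TTL=51 ID=1005 PROTO=TCP SPT=42015 DPT=8080 SYN URGP=0
Mar 10 09:12:03 web1 kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=64 TTL=51 ID=1006 PROTO=UDP SPT=42016 DPT=161 LEN=44
Mar 10 09:12:40 web1 kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TTL=57 ID=2001 DF PROTO=TCP SPT=51514 DPT=22 SYN URGP=0
Mar 10 09:12:41 web1 kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TTL=57 ID=2002 DF PROTO=TCP SPT=51515 DPT=22 SYN URGP=0
Mar 10 09:12:43 web1 kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TTL=57 ID=2003 DF PROTO=TCP SPT=51516 DPT=22 SYN URGP=0
Mar 10 09:13:00 web1 sshd[540]: Accepted publickey for deploy from 100.101.102.50 port 50022 ssh2
Mar 10 09:13:12 web1 kernel: nft-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=49 ID=3001 DF PROTO=TCP SPT=60001 DPT=8443 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE pairs; bare flags like SYN are skipped


def parse_drop_line(line):
    """Return the KEY=VALUE fields of one nft-drop line, or None for other log lines."""
    idx = line.find(LOG_PREFIX)
    if idx == -1:
        return None
    fields = dict(FIELD_RE.findall(line[idx + len(LOG_PREFIX):]))
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def summarize_drops(log_text, scan_threshold=5):
    """Aggregate dropped packets per source and flag sources probing many ports."""
    ports_by_src = defaultdict(set)
    hits_by_src = defaultdict(int)
    hits_by_dport = defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_drop_line(line)
        if not fields or "SRC" not in fields or "DPT" not in fields:
            continue
        src = fields["SRC"]
        hits_by_src[src] += 1
        hits_by_dport[fields["DPT"]] += 1
        ports_by_src[src].add(fields["DPT"])
    # A source that touched scan_threshold or more distinct ports is scanning;
    # repeated hits on a single port (e.g. 22) are counted but not flagged.
    scanners = {src: sorted(ports) for src, ports in ports_by_src.items()
                if len(ports) >= scan_threshold}
    return {
        "hits_by_src": dict(hits_by_src),
        "hits_by_dport": dict(hits_by_dport),
        "scanners": scanners,
    }


if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_LOG)
    for src, ports in summary["scanners"].items():
        print(f"probable scan from {src}: ports {ports}")
    print("drops by destination port:", summary["hits_by_dport"])
```

On a real host the same function can be fed `journalctl -k --since -1h` output; the destination-port histogram is the quickest way to confirm that the only thing the internet sees besides 80 and 443 is dropped probes.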
This networking setup ensures robust security, simplifies remote access for authorized users, and provides a flexible foundation for future infrastructure growth.