Home Infrastructure

A practical setup for hosting services from home without exposing the local network directly to the internet.

Hosting from Home

Hosting from a residential connection often involves router port forwarding. That creates unnecessary exposure to scanning and automated traffic. I use an approach where inbound ports remain closed while selected services are still accessible externally.

Architecture

Services run in a Proxmox environment. Workloads are isolated in virtual machines or containers.

Traffic is handled through dedicated Cloudflare Tunnel containers. Instead of opening ports on the router, the tunnel container establishes an outbound encrypted connection to Cloudflare. The tunnel client is not installed on the internal HTTP-server or on other application VMs.

Static content is served from the internal HTTP-server, which operates as a multi-site Nginx host with minimal modules and strict headers.

Internet
  -> Cloudflare Edge
  -> Encrypted Tunnel (Outbound Only)
  -> Home Firewall (No open inbound ports)
  -> Proxmox Hypervisor
  -> VM / Container
  -> Nginx (Static Content)

Traffic Flow

External requests go through Cloudflare Edge and then through a tunnel container to the internal service. Only traffic passing through the tunnel reaches the local environment. The public IP address is not directly exposed, and the firewall has no open inbound web ports.
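
Because the tunnel is the only path into the environment, its routing rules decide what is reachable from outside. The following is an added example, not part of the original setup: a small audit of tunnel ingress rules against an allowlist of internal origins. It assumes a locally managed cloudflared configuration whose ingress list uses hostname and service keys and ends in an http_status catch-all; the hostnames, addresses and the audit_ingress helper are constructed for illustration.

```python
"""Audit Cloudflare Tunnel ingress rules against an allowlist of internal origins."""
from urllib.parse import urlsplit

# Constructed sample mirroring the `ingress:` list of a cloudflared config.yml.
# Hostnames and addresses are placeholders, not values from the page.
INGRESS = [
    {"hostname": "www.example.org", "service": "http://10.0.20.10:8080"},
    {"hostname": "docs.example.org", "service": "http://10.0.20.10:8080"},
    {"service": "http_status:404"},  # catch-all for unmatched hostnames
]

# Assumed policy: the tunnel may reach only the internal Nginx host.
ALLOWED_ORIGINS = {("10.0.20.10", 8080)}


def audit_ingress(rules, allowed_origins):
    """Return a list of findings; an empty list means the rules match the policy."""
    findings = []
    body = list(rules)
    last = body[-1] if body else {}
    if body and "hostname" not in last and str(last.get("service", "")).startswith("http_status:"):
        body.pop()  # the catch-all itself routes nowhere, so it needs no origin check
    else:
        findings.append("missing final catch-all http_status rule")
    for i, rule in enumerate(body):
        host = rule.get("hostname", "")
        service = str(rule.get("service", ""))
        if not host:
            findings.append(f"rule {i}: no hostname, matches every request")
        elif "*" in host:
            findings.append(f"rule {i}: wildcard hostname {host!r}")
        url = urlsplit(service)
        if url.scheme not in ("http", "https"):
            findings.append(f"rule {i}: non-HTTP service {service!r}")
        elif (url.hostname, url.port) not in allowed_origins:
            findings.append(f"rule {i}: origin {url.hostname}:{url.port} is not allowlisted")
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(INGRESS, ALLOWED_ORIGINS) or ["ingress rules match the policy"]:
        print(finding)
```

Running a check like this whenever the versioned tunnel configuration changes catches a rule that would publish the hypervisor UI or a non-HTTP service through the tunnel.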

Maintenance and Resilience

Stability comes from simplicity. Configuration is versioned locally. Backups are taken regularly, recovery steps are documented, and deployment actions are scoped to the correct site directory. The environment can be rebuilt or moved with predictable effort.