So I decided to go with “acceptable risk” and here is what I did:
- Cloudflare for DNS & overall security, I have a VM running Cloudflared
- Set up the following in the config to allow only from certain addresses (the first 2 are LAN, rest is Cloudflare IPs)
http:
use_x_forwarded_for: true
trusted_proxies:- 192.168.0.205
- 192.168.0.0/24
- 173.245.48.0/20
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 141.101.64.0/18
- 108.162.192.0/18
- 190.93.240.0/20
- 188.114.96.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 162.158.0.0/15
- 104.16.0.0/12
- 172.64.0.0/13
- 131.0.72.0/22
- I also set up the HA VM to auto update - am not that paranoid about it as HA is secondary to my SmartThings (for now)
Thoughts? Hope this helps!