
Security

Security Architecture

Enterprise security principles applied to a homelab. This wiki covers the layered security architecture — from next-gen firewall policies to XDR threat detection to certificate lifecycle automation.

Firewall Architecture

The Palo Alto Networks PA-440 provides the network security foundation with App-ID, zone-based policies, and centralized logging. Full details in the Networking wiki — including security zones, VLAN trust levels, and DNS proxy configuration.

Wazuh XDR

Open-source extended detection and response (XDR) monitoring endpoints and containers across the homelab:

Certificate Management

Automated certificate lifecycle for PAN-OS SSL decryption:

Vaultwarden Security

Self-hosted password management with dual-path traffic architecture:

Related Pages

2026

Architecture: Vaultwarden Traffic Flow & IP Header Strategy

Overview: When running a self-hosted password manager like Vaultwarden, accurate client IP logging is critical for security alerts. The “New Device Login” email should show the actual IP address of whoever just accessed your vault—not your reverse proxy’s internal IP. This becomes tricky when you have multiple traffic paths: external users coming through Cloudflare Tunnel, and internal users coming through your local reverse proxy. Each path uses different mechanisms to communicate the real client IP.