The guide was static-site-specific. Update to cover dynamic,
authenticated services (e.g., Forgejo):
- Add dynamic service nginx example with no blanket cache, proxy
headers, WebSocket support, selective static asset caching
- Expand DDoS section: explain why dynamic services are more vulnerable
(no cache absorbing traffic) and what mitigations exist
- Rewrite fail2ban section: irrelevant for static, essential for
dynamic services; runs on indri watching service logs, needs
forwarded IP headers
- Add comparison table: static vs dynamic across caching, sessions,
rate limits, proxy headers, fail2ban, DDoS exposure
- Add pre-exposure checklist for dynamic services
- Note Tailscale ACL differences for non-k8s services (e.g., Forgejo
on indri needs tag:homelab grant, not tag:k8s)
- Add inline comments in nginx.conf marking static-only directives
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume
35b43083a8