Public Exposure
Last updated: 2026-06-22
This diagram tracks what is intentionally reachable from the internet and how
traffic reaches the internal services. It should be reviewed before adding any
new public hostname or port forward.
DNS And Reverse Proxy Path
```mermaid
flowchart LR
    Browser["External browser/user"]
    DNS["Google Cloud DNS\nravick5.com zone"]
    InternalA["internal.ravick5.com\nA -> Frontier public IP\n47.204.57.28 observed"]
    Aliases["overseerr.ravick5.com\nseerr.ravick5.com\nrequests.ravick5.com\nCNAME -> internal.ravick5.com"]
    FutureAudio["audiobooks/books DNS records\nreserved; app routes planned only"]
    UDM["UDM SE\nWAN gateway"]
    Caddy["Caddy on Synology\nhost 8088/8443\nTLS termination"]
    Seerr["Seerr\ncontainer port 5055"]
    Audiobookshelf["Audiobookshelf\ncontainer port 80 / host 13378\nplanned ShelfPlayer route"]
    Browser -->|"HTTPS request"| DNS
    DNS --> InternalA
    DNS --> Aliases
    DNS -. "explicit DNS exists; app route not approved" .-> FutureAudio
    Aliases --> InternalA --> UDM
    UDM -->|"443 -> 10.0.0.119:8443\n80 -> 10.0.0.119:8088"| Caddy
    Caddy -->|"reverse proxy"| Seerr
    Caddy -. "future hardened route" .-> Audiobookshelf
```
Active And Disabled Public Services
```mermaid
flowchart TB
    Internet["Internet"]
    UDM["UniFi UDM SE\nPort forwards"]
    subgraph Synology["Synology NAS 10.0.0.119"]
        Caddy["Caddy reverse proxy\n8088/8443"]
        Seerr["Seerr requests\n5055"]
        Plex["Plex\n32400"]
        PlexTest["Plex Test\n32401 -> 32400\nremove approved; verify live state"]
        Minecraft["Minecraft Bedrock\n19131/19132\ndisable approved; verify live state"]
        Qbit["qBittorrent\n6881 disabled relic\nactive traffic should use Gluetun/VPN path"]
        DirectSeerr["Direct Seerr/Overseerr app-port exposure\n80/443/5055 disabled"]
        Grafana["Grafana/Prometheus\ninternal only"]
        Audiobookshelf["Audiobookshelf\nplanned app access only"]
        ReadAIrr["ReadAIrr\nretired 2026-06-14"]
        Kavita["Kavita/Mylar3\ninternal only"]
    end
    Internet --> UDM
    UDM -->|"enabled: 80/443"| Caddy --> Seerr
    UDM -->|"enabled: 32400"| Plex
    UDM -.-|"remove approved: 32401"| PlexTest
    UDM -.-|"disable approved: 19131/19132"| Minecraft
    UDM -.-|"disabled: 6881"| Qbit
    UDM -.-|"disabled: 80/443/5055 direct"| DirectSeerr
    Internet -.-|"not exposed"| Grafana
    Internet -.-|"future: audiobooks.ravick5.com after hardening"| Audiobookshelf
    Internet -.-|"retired / not exposed"| ReadAIrr
    Internet -.-|"not exposed"| Kavita
```
Exposure Rules
- Prefer named subdomains plus Caddy reverse proxy over direct app-port
  forwards.
- Keep direct Seerr/Overseerr `5055` public exposure disabled.
- Keep Grafana/Prometheus internal unless a hardened identity-aware access path
  is designed.
- `audiobooks.ravick5.com` and `books.ravick5.com` DNS records may exist as
  reserved explicit records, but Audiobookshelf/Kavita/Mylar3 public app access
  still requires explicit Caddy/account/security review before use.
- Volume 1 evacuation/rebuild work does not require any new public exposure.
  Keep migration status/reporting internal or routed through existing protected
  monitoring/Discord paths.
- ReadAIrr was retired from the active audiobook stack on 2026-06-14; do not
  recreate or expose it unless audiobook automation is explicitly reopened.
- Keep Kavita and Mylar3 internal-only unless a separate access model is
  approved.
- Remove `Plex Test` and disable Minecraft public forwards with the approved
  UniFi helper, then verify live UniFi state.
- Reconcile qBittorrent public-port history only if connectability changes.
- Add future public DNS records explicitly. Do not restore a wildcard CNAME
  unless there is a deliberate reason.
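
One way to carry out the "verify live UniFi state" step, as an added example that is not part of the original page or of any UniFi tooling: it audits a list of port-forward rules against the enabled and disabled forwards shown in the diagrams above. The rule dictionary shape, the sample rules, and Plex's internal port being 32400 are assumptions.

```python
# Added example: audit port-forward rules against this page's exposure diagram.
NAS = "10.0.0.119"

# Forwards the page marks as enabled: WAN port -> (internal host, internal port).
# Assumption: Plex's internal port equals its WAN port.
APPROVED = {80: (NAS, 8088), 443: (NAS, 8443), 32400: (NAS, 32400)}

# WAN ports the page lists as disabled or pending removal, with its stated reason.
MUST_BE_CLOSED = {
    32401: "Plex Test: remove approved",
    19131: "Minecraft Bedrock: disable approved",
    19132: "Minecraft Bedrock: disable approved",
    6881: "qBittorrent: disabled relic",
    5055: "direct Seerr/Overseerr app port: disabled",
}

def audit(rules):
    """Return sorted (wan_port, finding) pairs for enabled rules that break policy."""
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue  # a disabled forward exposes nothing
        port, target = rule["wan_port"], (rule["host"], rule["port"])
        if port in APPROVED:
            if target != APPROVED[port]:  # e.g. 443 sent straight to Seerr on 5055
                want = "%s:%d" % APPROVED[port]
                findings.append((port, "bypasses approved target " + want))
        elif port in MUST_BE_CLOSED:
            findings.append((port, MUST_BE_CLOSED[port]))
        else:
            findings.append((port, "not in the exposure diagram; review first"))
    return sorted(findings)

# Constructed sample rules (hypothetical export shape, not a UniFi API format).
SAMPLE_RULES = [
    {"wan_port": 443, "host": NAS, "port": 8443, "enabled": True},
    {"wan_port": 80, "host": NAS, "port": 8088, "enabled": True},
    {"wan_port": 32400, "host": NAS, "port": 32400, "enabled": True},
    {"wan_port": 32401, "host": NAS, "port": 32400, "enabled": True},
    {"wan_port": 19132, "host": NAS, "port": 19132, "enabled": False},
    {"wan_port": 5055, "host": NAS, "port": 5055, "enabled": False},
]

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_RULES):
        print(f"WAN {port}: {finding}")
```

An empty result means every enabled forward matches the diagram; any finding should be reconciled before the next exposure review.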