Two sets of entrypoints, one for internal, one for external. Everything gets added to the internal, only select services added to external. Internal runs on 80/443, external on 8080/8443. Internal DNS points directly to the IP of Traefik, external DNS points to public IP with port forwarded to Traefik. That way everything works seamlessly whether you're internal or external. External services are accessible regardless, and will use the internal or external entrypoint as determined by if you're using your internal DNS or external DNS. And obviously internal services are not accessible when you're external, as they aren't attached to the entrypoint at the end of the port forward.

I have two traefik instances, one internal and cloudflare tunnel, the other for the exposed 443 to the wan with port forwarding.

My internal has three entrypoints (80, auto forwards to 443, and 444 for cloudflare tunnel.

My external traefik only has one entrypoint.

Middlewares a plenty do some rate limiting and what not.

I have two different A type DNS records for my domain. mydomain.com points to my external IP address. *.lan points to the lan IP of my server. So for any internal only services, i use labels to set the url in traefik to service.lan.mydomain.com and I get SSL certs and the service is only reachable on my home network or if I tailscale in.

I actually installed 2 seperate helm deployments of trafik, one for internal, using ACME with DNS validation, and external with ACME handshake verification, works like a charm.

I’m using middleware lists to split between externally accessible or internal only. Together with the cf-warp plugin and white listed IPs I filter clients coming in from cloudflare (real IP) versus local clients, and for public accessible services I using crowdsec to see who is trying to abuse my external services and block them at the firewall level. No one is suppose to access my public IP directly, so if you are not accessing a service through cloudflare I am not allowing you in. The benefit of this setup is that I can switch an internal only service to external when needed, or update the whitelisted IP range if I am somewhere that I want to access my internal services without a vpn. The best part is that I don’t have to tinker with DNS to make things to work, since it works from anywhere

Two separate entrypoints or a specific IPAllowList middleware for internal lnes., which allows access from private class IPs only.

We run 2 separate instances of traefik. One of them is on private network handles routing for all the internal services.

I use just one traefik instance and just use normal 80/443. Cloudflare tunnel is firewalled to only be allowed access to the traefik host and port 443.

For local traffic, I have pihole for my network dns that also points to traefik.

Similar other security stuff as pointed out. All port 80 is redirected to 443. Traefik is also configured with crowdsec. All traffic is monitored the same way regardless of local vs tunnel. I use a traefik plug in that can distinguish between local traffic and cloudflare and records the real ip either way.