Public Exposure Watch
Summary
Public Exposure Watch is an n8n workflow branch that checks DNS records, reverse proxy hosts, and Docker-published ports to identify potentially risky public-facing exposure in a home lab environment.
The goal is to catch obvious changes, make exposure review repeatable, and reduce the chance of forgetting about a service that became publicly reachable.
Problem
Self-hosted environments can grow quickly. Over time, it becomes easy to lose track of:
- Which DNS records exist
- Which reverse proxy hosts are configured
- Which containers publish ports
- Which services are reachable externally
- Whether a new service changed the exposure baseline
That creates risk because public exposure should be intentional, documented, and reviewed.
Approach
The workflow builds a simple exposure review process:
- Pull Cloudflare DNS records.
- Pull reverse proxy host data.
- Pull Docker-published port data.
- Normalize the results.
- Compare the current run against a stored baseline.
- Classify findings.
- Send a Discord report.
- Write metrics for dashboarding.
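The normalize, compare, and classify steps above, sketched in plain JavaScript of the kind an n8n Code node can run. This is an added example, not the workflow's own code: the input shapes, the key format, the function names, and the severity rules are all assumptions.

```javascript
// Added example. Input shapes, key format and severity rules are assumptions.
function normalize({ dns = [], proxyHosts = [], dockerPorts = [] }) {
  const items = [];
  for (const r of dns) {
    const key = `dns:${r.type}:${r.name.toLowerCase()}:${r.content}`;
    items.push({ key, source: "dns", proxied: Boolean(r.proxied) });
  }
  for (const h of proxyHosts) {
    items.push({ key: `proxy:${h.domain.toLowerCase()}`, source: "proxy" });
  }
  for (const p of dockerPorts) {
    // A port published on loopback is not reachable from other hosts.
    const loopback = p.hostIp === "127.0.0.1" || p.hostIp === "::1";
    const key = `docker:${p.container}:${p.hostPort}/${p.proto}`;
    items.push({ key, source: "docker", loopback });
  }
  return items;
}

// Hypothetical severity rules: tune these to your own exposure policy.
function classify(item) {
  if (item.source === "docker") return item.loopback ? "info" : "high";
  if (item.source === "dns") return item.proxied ? "review" : "high";
  return "review"; // new reverse proxy host
}

function diffAgainstBaseline(baselineKeys, current) {
  const baseline = new Set(baselineKeys);
  const seen = new Set(current.map((i) => i.key));
  const added = current
    .filter((i) => !baseline.has(i.key))
    .map((i) => ({ key: i.key, change: "added", severity: classify(i) }));
  const removed = [...baseline]
    .filter((k) => !seen.has(k))
    .map((k) => ({ key: k, change: "removed", severity: "info" }));
  return [...added, ...removed];
}

// Constructed sample run and baseline (documentation-range IP, example.com names).
const sampleRun = {
  dns: [
    { type: "A", name: "home.example.com", content: "192.0.2.10", proxied: true },
    { type: "A", name: "new.example.com", content: "192.0.2.10", proxied: false },
  ],
  proxyHosts: [{ domain: "home.example.com" }],
  dockerPorts: [{ container: "db", hostIp: "127.0.0.1", hostPort: 5432, proto: "tcp" }],
};
const sampleBaseline = ["dns:A:home.example.com:192.0.2.10", "proxy:home.example.com", "proxy:old.example.com"];
const findings = diffAgainstBaseline(sampleBaseline, normalize(sampleRun));
```

Because the DNS key includes the record content, a record that is re-pointed to a different address appears as one removed and one added finding rather than passing unnoticed.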
Screenshots
Workflow Overview

Exposure Review Logic

Discord Alert

What This Demonstrates
- External exposure awareness
- DNS and reverse proxy review
- Docker port review
- Baseline comparison logic
- Operational alerting
- Practical home lab security monitoring
- Translating technical checks into readable reports
Outcome
The workflow provides recurring visibility into public-facing exposure and makes it easier to notice unexpected changes.
Lessons Learned
- Public exposure should be intentional.
- Baselines make recurring checks more useful.
- A simple check that runs consistently is better than a perfect check that never gets finished.
- Alert quality matters more than alert quantity.
Public Safety Note
Screenshots on this page are sanitized before publishing. Public IPs, private IPs, internal service names, webhook URLs, and media-related services should not be visible on a public portfolio site.