How to set up a Firewall and/or Proxy to protect my Cloudron instance?
Unsolved
Support
- I recently purchased a Cloudron license but until now I couldn't actively use it due to security concerns: I wish to have another VPS instance (in the same VPC) acting as a gateway (to my Cloudron), such that it could provide reverse proxy (NOT ONLY for HTTPS), maybe packet filtering, VPN and whatever else a gateway/router would do.
- Other posts that I found in this forum were not specifically helpful, and, as of now, the documentation about it is somewhat terse (https://docs.cloudron.io/networking/#firewall).
- So I humbly ask the following:
- What EXACTLY (on the Linux system and wherever else) does the "Trusted IPs & Ranges" setting do? The GUI description suggests it only applies to HTTP, but why is that? What's the difference
- What EXACTLY (on the Linux system and wherever else) does the "Blocked IPs & Ranges" setting do? Is it just transpiled into the Cloudron instance's nftables/iptables?
- What is the maximum number of lines that the "Blocked IPs & Ranges" and "Trusted IPs & Ranges" can take? And how long does it take to be in effect?
- Could Cloudron's staff shine some light on this in the documentation? I found other forum topics asking for clarifications on networking configs like this, so maybe it deserves more detailed documentation.
Cloudron uses iptables on the system to open required ports. Those ports depend on the apps which are installed.
The full script which configures iptables can be found at https://git.cloudron.io/platform/box/-/blob/master/setup/start/cloudron-firewall.sh?ref_type=heads
For the blocked IPs, we use ipset together with the cloudron_blocklist (https://git.cloudron.io/platform/box/-/blob/master/src/scripts/setblocklist.sh?ref_type=heads).
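As an added illustration of the ipset-plus-iptables approach the reply describes (this is example code, not Cloudron's own setblocklist.sh, which is linked above), the POSIX sh below renders a "Blocked IPs & Ranges" style list into an ipset restore batch and the single iptables DROP rule that consults the set. The set name cloudron_blocklist comes from the reply; the sample addresses are constructed, and nothing is applied to the host.

```shell
# Added example (not Cloudron's setblocklist.sh): turn a "Blocked IPs & Ranges"
# style list into an `ipset restore` batch plus one iptables rule. Text only.
SET_NAME="cloudron_blocklist"   # set name as given in the forum reply
# Constructed sample list: one entry per line; comments and blanks allowed.
SAMPLE_BLOCKLIST='# scanners seen in the logs
203.0.113.7
198.51.100.0/24
not-an-ip
10.0.0.256
'

# is_ipv4_entry ENTRY: succeed only for a dotted quad with optional /0-32.
is_ipv4_entry() {
    addr=${1%%/*}
    if [ "$addr" != "$1" ]; then
        pfx=${1#*/}
        case $pfx in ''|*[!0-9]*) return 1;; esac
        [ "$pfx" -le 32 ] || return 1
    fi
    case $addr in ''|*[!0-9.]*|.*|*.) return 1;; esac   # also rejects globs
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ipset_batch < list: print ipset restore commands. Bad entries are
# reported on stderr and skipped, so one typo cannot abort the whole set;
# the flush makes an entry removed from the list disappear from the set.
build_ipset_batch() {
    echo "create $SET_NAME hash:net -exist"
    echo "flush $SET_NAME"
    while IFS= read -r line; do
        line=${line%%#*}; line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        if is_ipv4_entry "$line"; then
            echo "add $SET_NAME $line -exist"
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done
}

# firewall_rule: drop traffic whose source is in the set; -C before -I keeps a
# re-run from inserting a duplicate rule.
firewall_rule() {
    echo "iptables -C INPUT -m set --match-set $SET_NAME src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set $SET_NAME src -j DROP"
}

printf '%s' "$SAMPLE_BLOCKLIST" | build_ipset_batch; firewall_rule
```

On a real host the batch would be piped into `ipset restore` and the printed rule run as root; here the two invalid sample entries are only reported on stderr and left out of the set.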