The selfhosted guys are correct with that. Of course its not a magic pill, but it can help to minimize the attack surface immensely with little effort.
Edit: while open ports can easily be enumerated, a reverse proxy often requires knowledge of the right server name. In tls1.3 those are not transferred in clear. Depending on your thread scenario you might want to consider doh/dot etc.
Reverse proxies can require client certs, which lift the security benefit to something like a vpn. Even basic auth adds a high threshold to attackers and is simple even for random users to work with. All this is functionality many services don’t offer natively - as they assume a reverse proxy anyway I guess.
As if a proxy blindly passing traffic directly to a backend server “reduces attack surface” in any meaningful way. 🙄
Edit: Guy edits his post with a bunch of stuff and assumes I’ve read it later. I can’t eyeroll enough…
You’ve increased your “attack surface” by adding a second application to the stack. Proxies aren’t magic, they are also targets.
Sure - you can do those things on a proxy. How many people here are? And why are those things never suggested when people here say “use a reverse proxy”? Because they think the proxy is the security.
Sorry - which part of your comment added anything of value? “can help to minimize the attack surface”? 99% of the time a proxy just passes traffic through. Unless you’re talking about a WAF which is a) a different thing and b) NOT what any home gamers are talking about when they recommend nginx, traefik, etc. to newbs.
The self-hosted crowd thinks reverse proxies protect you from the Internet. Don’t expect too much of them.
You are right about that a reverse proxy does not protect. But I can not relate that with security through obscurity.
The selfhosted guys are correct with that. Of course its not a magic pill, but it can help to minimize the attack surface immensely with little effort.
Edit: while open ports can easily be enumerated, a reverse proxy often requires knowledge of the right server name. In tls1.3 those are not transferred in clear. Depending on your thread scenario you might want to consider doh/dot etc.
Reverse proxies can require client certs, which lift the security benefit to something like a vpn. Even basic auth adds a high threshold to attackers and is simple even for random users to work with. All this is functionality many services don’t offer natively - as they assume a reverse proxy anyway I guess.
See what I mean?
As if a proxy blindly passing traffic directly to a backend server “reduces attack surface” in any meaningful way. 🙄
Edit: Guy edits his post with a bunch of stuff and assumes I’ve read it later. I can’t eyeroll enough…
Did you just add ‘blindly passing traffic’ to your statement? Did you read my comment about can help?
Move on, joker.
Sorry - which part of your comment added anything of value? “can help to minimize the attack surface”? 99% of the time a proxy just passes traffic through. Unless you’re talking about a WAF which is a) a different thing and b) NOT what any home gamers are talking about when they recommend nginx, traefik, etc. to newbs.
Lol
Enjoy your “security”. 🙄