• atzanteol@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    10
    ·
    12 hours ago

    The self-hosted crowd thinks reverse proxies protect you from the Internet. Don’t expect too much of them.

    • nibbler@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      3 hours ago

      The selfhosted guys are correct with that. Of course its not a magic pill, but it can help to minimize the attack surface immensely with little effort.

      Edit: while open ports can easily be enumerated, a reverse proxy often requires knowledge of the right server name. In tls1.3 those are not transferred in clear. Depending on your thread scenario you might want to consider doh/dot etc.

      Reverse proxies can require client certs, which lift the security benefit to something like a vpn. Even basic auth adds a high threshold to attackers and is simple even for random users to work with. All this is functionality many services don’t offer natively - as they assume a reverse proxy anyway I guess.

      • atzanteol@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        6
        ·
        edit-2
        3 hours ago

        See what I mean?

        As if a proxy blindly passing traffic directly to a backend server “reduces attack surface” in any meaningful way. 🙄

        Edit: Guy edits his post with a bunch of stuff and assumes I’ve read it later. I can’t eyeroll enough…

        1. You’ve increased your “attack surface” by adding a second application to the stack. Proxies aren’t magic, they are also targets.
        2. Sure - you can do those things on a proxy. How many people here are? And why are those things never suggested when people here say “use a reverse proxy”? Because they think the proxy is the security.
        • nibbler@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          3 hours ago

          Did you just add ‘blindly passing traffic’ to your statement? Did you read my comment about can help?

          Move on, joker.

          • atzanteol@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            3
            ·
            3 hours ago

            Sorry - which part of your comment added anything of value? “can help to minimize the attack surface”? 99% of the time a proxy just passes traffic through. Unless you’re talking about a WAF which is a) a different thing and b) NOT what any home gamers are talking about when they recommend nginx, traefik, etc. to newbs.