• nibbler@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    2 hours ago

    The selfhosted guys are correct with that. Of course its not a magic pill, but it can help to minimize the attack surface immensely with little effort.

    Edit: while open ports can easily be enumerated, a reverse proxy often requires knowledge of the right server name. In tls1.3 those are not transferred in clear. Depending on your thread scenario you might want to consider doh/dot etc.

    Reverse proxies can require client certs, which lift the security benefit to something like a vpn. Even basic auth adds a high threshold to attackers and is simple even for random users to work with. All this is functionality many services don’t offer natively - as they assume a reverse proxy anyway I guess.

    • atzanteol@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      3
      ·
      edit-2
      2 hours ago

      See what I mean?

      As if a proxy blindly passing traffic directly to a backend server “reduces attack surface” in any meaningful way. 🙄

      Edit: Guy edits his post with a bunch of stuff and assumes I’ve read it later. I can’t eyeroll enough…

      1. You’ve increased your “attack surface” by adding a second application to the stack. Proxies aren’t magic, they are also targets.
      2. Sure - you can do those things on a proxy. How many people here are? And why are those things never suggested when people here say “use a reverse proxy”? Because they think the proxy is the security.
      • nibbler@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        2 hours ago

        Did you just add ‘blindly passing traffic’ to your statement? Did you read my comment about can help?

        Move on, joker.

        • atzanteol@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          2
          ·
          2 hours ago

          Sorry - which part of your comment added anything of value? “can help to minimize the attack surface”? 99% of the time a proxy just passes traffic through. Unless you’re talking about a WAF which is a) a different thing and b) NOT what any home gamers are talking about when they recommend nginx, traefik, etc. to newbs.