So I tried the VPN route using OpenVPN-AS on a container and only leaving that port open. I run hassio on a container but also a number of other services like Unify, Roon, OwnCloud, and FreeNAS (on a dedicated VM) among others.Īll these were configured as backends in Nginx based on ports or sub-domain identifiers but in the end I wondered if I was not exposing too many services to the internet, especially since I couldn’t filter the incoming IP as I would want to be able to connect from anywhere mobile. I have a server with Esxi running several VMs and docker. For the moment I’m sticking with the VPN. The reserve proxy one with Nginx and more recently a VPN connection. Meaning - a more appropriate solution would be to configure a reverse proxy (nginx) to require a client certificate (x509 authentication) to allow the traffic to pass - thus requiring an attacker to actually obtain the certificate (unlikely) or guess the actual key, which would take a bit more than a “kazillion guesses”. “ Obscurity” is not the same thing as actual “ Security” you also need the mod_proxy module installed. This stuff goes into your ‘nf’ file in the ‘/etc/apache2/sites-available’ directory. You can have several reverse-proxy statements within the same virtualhost, each with a unique UUID to allow access to other servers in your house. SSLCertificateChainFile /etc/letsencrypt/live//chain.pem SSLCertificateKeyFile /etc/letsencrypt/live//privkey.pem SSLCertificateFile /etc/letsencrypt/live//cert.pem
Here’s an example of a very secure reverse proxy to a Domoticz instance (it even adds more security by requiring the user to log in and in my case I have a UUID as password too so no dictionary attack possible):
There’s still a kazillion guesses to find that UUID and without it there’s no coming in.Īpache also works great as a Reverse Proxy. Now, if somebody brute forces your external DDNS name like by effectively guessing the myexternalddnsname part, just trying a port scan won’t get them face to face with your internal server. a UUID along the lines of /7cbc1ac3-4b46-4aea-8f0e-69f227963918 or such that needs to be added to the path-name after the base URL and port. You do this by creating long and complicated endpoint names in the proxy, with e.g.
(if anyone believes I’ve left anything out - or feels i’ve misstated something - please feel free to add/clarify)Īnother great reason to use Reverse Proxy is that you can make it really difficult for hackers who stumble upon your internet front door to actually get in. This adds value because a web application running in linux over any port below 1024, requires the service run as root (your internet facing application SHOULD NEVER run with admin privileges).