Using a reverse proxy or a VPN... that is the question

Ok. So I’ve been using a reverse proxy for some services that I have running on a machine at home – things like Emby, Actual Budget, and a few others…

I just started playing with using ZeroTier today in conjunction with my mikrotik router and was able to get things working OK. But I see people on different sides of this fence on whether it’s needed or not. I see people indicating they’d never expose any public facing ports but others seem somewhat OK with it.

I guess that I’m trying to find the best path here. My fiancee uses my server somewhat regularly and I’m trying to find the sweet-spot so to speak for ease of use and from a security standpoint.

In my case, using the reverse proxy (caddy), I’m using non-standard ports (45xxx and higher) with odd DNS names for the different services. Yeah, I guess anyone could surf my DNS hostnames AND I suppose they could sniff all the ports and find which ones are being listened on…

But all these services have authentication such as Emby and so forth. Yeah, I suppose I’m at the mercy of how well the authentication code is written for Emby and the others… And yes I need to ensure all these services are regularly updated to fix bugs and so forth…

Am I barking up the right tree here? Should I just forget the reverse proxy and have my fiancee just access the server name+port for each service directly via ZeroTier’s VPN (and obviously have her install ZeroTier on her machine(s)) and have no public facing services that random hacker guy might stumble across one day? Or ?

it’s not a one or the other question. they serve different purposes. a reverse proxy maps subdomains to an ip address and port. a vpn creates a secure tunnel through which to communicate.

if you can get your fiancee to use the vpn then that should be the default solution. if not then you need to evaluate what your risk posture is and go from there. plenty of people directly port forward. plenty of people forward from a vps. plenty of people use cloudflare tunnels. it just depends on how much risk you want to accept, how knowledgeable you are in security, and how much time you have to manage and monitor your infrastructure.

The correct answer is both. I point my domain’s DNS to my Tailscale instance and then reverse proxy from there.

There is absolutely no way I would run an nginx server hosting my site and services and NOT HAVE a vpn backdoor back into the network.

If nginx goes down, or you have issues accessing your services through HTTPS, you’re fucked. Always keep a way to bypass the webserver to reach your LAN services.

A plan B will save you frustration

I use both. Reverse proxy for my services like Nextcloud (convenient when I want to share a file with my colleagues) and WireGuard VPN for my admin needs

Combination.

Rproxy for 80 and 443 and then only frontends, WireGuard or Tailscale for backend, especially ssh.

Having ssh open is an absolute no go. It’s going to be a constant barrage. I have 80 and 443 open, rproxied and secured by crowdsec, but have almost no alarms yet, only a few lazy attempts at Nextcloud. Though I seem to have been quite lucky.

In my experience, you won’t get anyone to appreciate your setup if they need to (actively) use a VPN. An alternative solution: you can set up WireGuard to start on demand, just exclude your home network.

Add a Pi-hole with a good whitelist and a backup to get an advantage to using WireGuard (no more ads, even in apps) and a nice homepage, so IPs (or subdomains) don’t need to be remembered.

But short: I went with rproxy for frontends.

People have you covered on the " use both." But you also need to do a real hardening pass and understand all the security concepts.

Make sure your Reverse Proxy limits connections through your authoritative domain registrar (whatever you have managing your domain dns— Cloudflare, Porkbun, whatever). I highly recommend moving that to Cloudflare for the automatic DDoS protection. If you have philosophical differences with that route, I’m sure there are alternatives, but basically you want to make sure your RP will only allow connections routed through your domain registrar. You could also throw in some GeoIP blocking, too, though that’s a little more hit or miss. Learn about security headers to add a bit more on top of the rest (though many apps will require you to add exceptions).

Also make sure you have a real auth layer over any service that’s exposed to the internet. Authentik/Keycloak/Authelia + CrowdSec/Fail2Ban. Relying on the service’s login prompt is problematic because it’s hard to be certain there aren’t major unpatched vulnerabilities. Security-conscious solutions will be much better at disclosing and patching vulnerabilities. Think about it this way: the main reason something like Emby has a login isn’t actually security, it’s for managing multi-tenancy features. They need a way to distinguish users when there’s more than one user. They don’t want to spend all their time patching CVEs instead of developing their app.

Peak ease of use and UX actually comes from getting your auth layer set up to be used as an Identity Provider. You’ll be able to set up SSO on your services and make it so she only has to log in to the auth layer for each app to sign her in as the correct user. She’ll go from having to sign in to every service whenever her access token expires to only ever having to sign into one place. And you can do nifty things like requiring MFA outside your local network but not inside it (or even not requiring passwords on local network, though I hesitate to set this up).

PS: Setting up your services as accessible through a FQDN (using a reverse proxy) has a high comfort level with most people in terms of UX. Ask yourself whether your girlfriend would prefer to type in “app.ilovemybf.com” or “216.200.43.16:5600” (or worse, she knows the server IP is 192.168.200.150, but she’s out of the local network so she has to look up the tailnet IP and replace the server address with it)? To achieve the former requires a reverse proxy to handle the routing, but doesn’t mean you can’t still use a VPN.
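Putting the hardening pass above into concrete form, here is an added Caddyfile (Caddy being the proxy the original post uses) that is not from this thread or from any project it mentions: it refuses connections that do not arrive from Cloudflare's edge, hands every request to Authelia before it reaches the app, and sets baseline security headers. The hostnames, the Authelia address `authelia:9091`, the upstream `127.0.0.1:8096` and the trimmed Cloudflare range list are assumptions; the full current ranges are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```caddyfile
# Added example Caddyfile (hypothetical hostnames and addresses), not from the thread.
# Global options: Cloudflare is the only hop in front of Caddy, so trust its
# addresses for X-Forwarded-For so access logs record the real client IP.
{
    servers {
        trusted_proxies static 173.245.48.0/20 103.21.244.0/22 104.16.0.0/13 172.64.0.0/13
    }
}

# Reusable snippet: drop anything that did not come through Cloudflare's edge.
# remote_ip checks the TCP peer (the Cloudflare edge node), which is the point here.
# The list is abbreviated; load the full current ranges from cloudflare.com/ips-v4 and ips-v6.
(cloudflare_only) {
    @not_cloudflare not remote_ip 173.245.48.0/20 103.21.244.0/22 104.16.0.0/13 172.64.0.0/13
    respond @not_cloudflare 403
}

# Reusable snippet: baseline security headers. Some apps need exceptions
# (an app that embeds itself in frames breaks on X-Frame-Options DENY).
(security_headers) {
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin-when-cross-origin"
        -Server
    }
}

# Example service behind the auth layer. Authelia (assumed at authelia:9091)
# is asked whether the request is authenticated before anything is proxied,
# and the resolved identity is passed to the app as Remote-* headers.
emby.example.com {
    # route makes the directives run in the order written, so the Cloudflare
    # check rejects strangers before Authelia or the app ever sees them.
    route {
        import cloudflare_only
        import security_headers

        forward_auth authelia:9091 {
            uri /api/authz/forward-auth
            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
        }

        reverse_proxy 127.0.0.1:8096
    }
}
```

Two caveats worth knowing before copying this: Cloudflare's proxy only forwards a fixed set of ports, so the 45xxx ports from the original post would have to move behind 443 under this design, and the Authelia endpoint path shown is the one in current Authelia documentation, which should be checked against the version actually deployed.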

Both of them for different scenarios. If it absolutely needs or benefits from a reverse proxy I use Traefik with Authelia and CrowdSec with the community blocklists for various apps and scenarios. Also, a handful of middlewares for Traefik to help tighten up security like geo block and rate limiting to name a few. On top of that I also have some WAF rules on Cloudflare, where my domain is hosted. Think apps like Immich, Vaultwarden, Gitea and Paperless. All other apps are via a VPN hosted on my router.

I’m using non-standard ports (45xxx and higher) with odd DNS names for the different services. Yeah, I guess anyone could surf my DNS hostnames

If you’re using SSL certificates for those “odd” DNS names all I would need to do is search https://crt.sh/ for SSL certificates issued on that domain. Just something to be aware of.

Well, I use this setup:

Cheap VPS with Caddy (reverse proxy), redirecting/reverse proxying to the VPN (Tailscale) IP.

That is the answer.

I ssh only on one PC (exposed), then ssh to the rest with the VPN IP.

If you’re searching for a reliable and fast proxy service, SmartProxy is a great option to consider.

Thanks for the clarification… I think I can get her set up with the VPN as ZeroTier seems pretty easy and the difficulty level is fairly low. Thank you!

If you’re in the market for proxies, give Smartproxy a shot; you won’t regret it.

If you’re after a user-friendly proxy solution, SmartProxy offers ease of use with outstanding features.

I will likely try that approach but with ZeroTier… I just need some more time to play around with things… Thanks for the hybrid idea!

Sounds awesome. Can you tell me how you achieved this?

This is exactly what I ended up with but using ZeroTier instead of Tailscale. I’ve got ZT doling out 172.22.x.x IPs (fixed for each host) and changed my Cloudflare DNS to have DNS entries for each host I’ve got (e.g. emby.mydomain.com, foo.mydomain.com, etc.) and using the 172.22.x.y IPs for each DNS record (not proxied as indicated by u/nosyrbllewe). Seems to work quite well. Maybe at some point I’ll just use standard WireGuard but am not quite there yet.
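The setup in this comment, as an added Caddyfile example that is neither the commenter's configuration nor anything from ZeroTier or Caddy: Caddy on the home server binds only to its ZeroTier address, so the services stay unreachable from the public internet even though the hostnames sit in public DNS. Because the A records point at a 172.22.x.y address, Let's Encrypt cannot reach the host for the HTTP challenge, so certificates have to come from the DNS-01 challenge; that needs a Caddy build with the caddy-dns/cloudflare module and a scoped API token. The ZeroTier address 172.22.0.5, the upstream ports and the `CF_API_TOKEN` variable name are assumptions.

```caddyfile
# Added example, not the commenter's actual configuration.
# 172.22.0.5 is a hypothetical fixed ZeroTier address of the home server.
# The public DNS records for these names carry that address and are set to
# "DNS only" (not proxied), as the comment describes.

# Snippet: listen only on the ZeroTier interface and obtain certificates
# via DNS-01, since nothing on the public internet can reach this listener.
# Requires a Caddy build that includes the caddy-dns/cloudflare module.
(zt_only) {
    bind 172.22.0.5
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }
}

# Each service keeps listening on localhost; only Caddy's ZeroTier-bound
# listener can reach it, so no service port is exposed to the internet.
emby.example.com {
    import zt_only
    reverse_proxy 127.0.0.1:8096
}

budget.example.com {
    import zt_only
    reverse_proxy 127.0.0.1:5006
}
```

The `bind` line is what makes this safe to combine with public DNS: a name that resolves to a private VPN address leaks nothing useful to anyone off the ZeroTier network, but the same Caddy instance would happily answer on every interface if the bind were omitted, so it is the line to double-check after any config change. The Cloudflare API token should be scoped to DNS edit on that one zone only.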

Thanks… actually on this server I also have running RealVNC lite and Parsec so accessing a command line and beyond is pretty good…

Also there may be some services you don’t want to actually expose as subdomains but may want to be able to access occasionally, so you can access it on the tailnet.

Having ssh open is an absolute no go. It’s going to be a constant barrage.

So what? Short of zero-days, if you use a strong password or an SSH key, who cares if the log is full of people trying to brute-force?