• atzanteol@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    19
    ·
    2 days ago

    The self-hosted crowd thinks reverse proxies protect you from the Internet. Don’t expect too much of them.

    • notfromhere@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 hours ago

      There’s also a big brigading problem with going against the “common knowledge” of Lemmy. Brave can do no good. Reverse proxy on the internet and you’re secure. Etc.

      That your comment is downvoted and barely debated speaks volumes to Lemmy as actual discourse.

      • qaz@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 hours ago

        It’s being downvoted with little relatively little discourse because it’s an insult with no relevance to the topic, in addition to supporting a comment from someone who is either trolling or has no idea what they’re talking about

    • nibbler@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      edit-2
      1 day ago

      The selfhosted guys are correct with that. Of course its not a magic pill, but it can help to minimize the attack surface immensely with little effort.

      Edit: while open ports can easily be enumerated, a reverse proxy often requires knowledge of the right server name. In tls1.3 those are not transferred in clear. Depending on your thread scenario you might want to consider doh/dot etc.

      Reverse proxies can require client certs, which lift the security benefit to something like a vpn. Even basic auth adds a high threshold to attackers and is simple even for random users to work with. All this is functionality many services don’t offer natively - as they assume a reverse proxy anyway I guess.

      • atzanteol@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        16
        ·
        edit-2
        1 day ago

        See what I mean?

        As if a proxy blindly passing traffic directly to a backend server “reduces attack surface” in any meaningful way. 🙄

        Edit: Guy edits his post with a bunch of stuff and assumes I’ve read it later. I can’t eyeroll enough…

        1. You’ve increased your “attack surface” by adding a second application to the stack. Proxies aren’t magic, they are also targets.
        2. Sure - you can do those things on a proxy. How many people here are? And why are those things never suggested when people here say “use a reverse proxy”? Because they think the proxy is the security.
        • nibbler@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          2
          ·
          1 day ago

          Did you just add ‘blindly passing traffic’ to your statement? Did you read my comment about can help?

          Move on, joker.

          • atzanteol@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            11
            ·
            edit-2
            1 day ago

            Sorry - which part of your comment added anything of value? “can help to minimize the attack surface”? 99% of the time a proxy just passes traffic through. Unless you’re talking about a WAF which is a) a different thing and b) NOT what any home gamers are talking about when they recommend nginx, traefik, etc. to newbs.

    • lIlIllIlIIIllIlIlII@lemmy.zip
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      1 day ago

      You are right about that a reverse proxy does not protect. But I can not relate that with security through obscurity.