nginx reverse proxy security

msattmsatt OG
in Help

How secure is nginx rproxy ?
I need a reverse proxy to access my 'internal' proxmox vms.
I configured nginx with

 # Allow only connections from the specified IP
  allow x.x.x.x;  #my home ip
  deny all;

This works (checked proxy using my mobile and got a 403 Forbidden).
I am also running the proxy on a random port.

So is that 'reasonably' secure or do you have any other suggestions?
Thanks

Comments

  • skhronskhron Hosting Provider

    @msatt said: So is that 'reasonably' secure or do you have any other suggestions?

    I suggest you to not rely upon IP address based ACL for authentication. Use passwords instead.

    Thanked by (1)msatt

    Check our KVM VPS (flags are clickable): πŸ‡΅πŸ‡± πŸ‡ΈπŸ‡ͺ | Looking glass: πŸ‡΅πŸ‡± πŸ‡ΈπŸ‡ͺ

  • msattmsatt OG
    edited May 6

    @skhron said: I suggest you to not rely upon IP address based ACL for authentication. Use passwords instead.

    Good point - although all of the 'internal' vms are already password protected but I agree more layers are good hence my question.
    Thanks

    edit - added to config
    auth_basic "Restricted Site";
    auth_basic_user_file /path/to/.htpasswd;

  • skhronskhron Hosting Provider

    @msatt said: How secure is nginx rproxy ?

    If answering your broad question, I would evaluate is as battle-tested solution (applicable only for stable releases). See https://nginx.org/en/security_advisories.html

    Check our KVM VPS (flags are clickable): πŸ‡΅πŸ‡± πŸ‡ΈπŸ‡ͺ | Looking glass: πŸ‡΅πŸ‡± πŸ‡ΈπŸ‡ͺ

  • nfnnfn
    edited May 6

    Since this is only for you, why not Tailscale?

    I run a small VM on PVE with TS just for this propose.

  • @nfn said:
    Since this is only for you, why not Tailscale?

    I run a small VM on PVE with TS just for this propose.

    Understood - I already run Zerotier and have my own zt controller which work fine.
    I also use openwrt with ZT as my router for 10 nodes providing access to multiple proxmox networks and vms.
    My key problem is that because of proxmox & openwrt firewalls, I can't access the openwrt web interface as this is only available on the lan side. Using a reverse proxy (over ZT) solves this problem but as discussed I am concerned about the security over nginx and want it locked down as much as possible,

    I have messed around with Proxmox SDN but find it too restrictive in comparison to the SDN's you can create with openwrt.

Sign In or Register to comment.