I run some public facing services on my home network, some of which I want to open up to people I don’t know or trust. While the chance of me being DDOSed is low, I want some kind of protection just in case. (Preferably using free accounts on cloud hosting services)
At the moment I’ve got SSLH on a Linode VM which just forwards all traffic on port 443 to my home network. Provides a bit of obfuscation and I can just turn it off should I get attacked (Correct me if I’m wrong). However, I want to ‘relay’ more ports that are not http/https protocol - but SSLH can only do one. Does anyone know of a way to do this?
Something simple like this might work https://ngrok.com/
Thanks, that might help me get around an issue at work. I’ll have to do a little reading today.
Tom’s suggestion is probably easier and faster, but if this were my setup, I’d run Nginx on that Linode instance with
proxy_cache configured. The cache will reduce traffic back home and reduce the negative effect hammering on your service would have on your home network. If your home network setup (firewall) has the option, or if the service you’re running has the option, I’d also set things up so only your Linode IP is trusted for the traffic.
Do you know if nginx can proxy non-http traffic? I looked a while ago whether you could proxy Minecraft server traffic with nginx, but I couldn’t find a whole lot of info. I was mainly looking at reverse proxying based on hostname though… which I’m almost certain Nginx can’t do (although I did find a solution to this elsewhere). Minecraft packets are TCP apparently, if that makes a difference. Caching is definitely a plus for my websites though - hadn’t considered that.
I asked this over at the LTT forums too for good measure, and someone suggested that iptables could be used to simply relay the traffic. I’ve avoided iptables like the plague though, so I’ll have to brush up on that first and find out if it’s something that’s possible.
Unfortunately my router doesn’t allow that kind of control, and my cable modem has an aneurysm when I use pfSense - it’s a common problem with my ISP and no one seems to know why… But either way it’s a risk I’m willing to take. Although, there might be a trusted proxy setting in HAproxy (which I’m using inside my network) that could do a similar job.
Ah! Yeah, afaik, Nginx expects HTTP traffic. Somehow, I was expecting something like a NextCloud instance or similar. Bad assumption on my part.
For anyone reading in the future, I ended up using nftables to redirect the traffic as described in this guide: Forward a TCP port to another IP or port using NAT with nftables | Jensd's I/O buffer. Iptables works too but nftables seems easier for adding rules in the future. Works perfectly with http/https traffic and Minecraft TCP traffic too.
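As an added illustration (not the linked guide's or the poster's own ruleset), this is the shape of an nftables configuration on the relay VM that forwards several TCP ports to a home address at once; the home IP 203.0.113.10 and the Minecraft port 25565 are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Relay-side NAT: clients connect to the VM, the VM forwards to home.
# Requires: sysctl net.ipv4.ip_forward=1 on the VM.
# 203.0.113.10 is a placeholder for the home network's public address.

define HOME_IP     = 203.0.113.10
define RELAY_PORTS = { 443, 25565 }   # https + Minecraft (assumed ports)

# Create the table if missing, then flush only this table so the
# script can be re-applied without wiping unrelated rules.
table ip relay
flush table ip relay

table ip relay {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Rewrite the destination of incoming connections to the home IP.
        tcp dport $RELAY_PORTS dnat to $HOME_IP
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Forward only traffic that was DNATed above and its replies;
        # everything else through this VM is dropped.
        ct state established,related accept
        ct status dnat accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source-NAT the forwarded flows so replies come back via the VM.
        ip daddr $HOME_IP tcp dport $RELAY_PORTS masquerade
    }
}
```

Because of the masquerade rule, the home services only ever see the VM's address as the client, which is what lets the home firewall accept those ports from the relay IP alone, but it also means the real client IP is not visible in application logs unless the service supports something like PROXY protocol.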