Reverse proxy, understanding the potential security issues

Hello everybody, I am a total newbie on this topic so I would like to know why it is not recommended to use a reverse proxy to expose services from the local network.

I already own a domain and I would like to access services like nextcloud and home assistant hosted on my network.
What are the issues I could have with haproxy, caddy, etc. and port 443 opened on the WAN to use those services?

Could I have issues because these reverse proxies are not totally safe? Or is it because I have to expose the login page of the services or my public IP?

If I enable MFA and a strong password, and I keep my systems updated, what would be the difference between my home solution and a commercial one, like if I buy Nabu Casa access or host nextcloud on Linode?

Anytime you expose services, even if you have a good password and MFA, you are opening yourself up to a scenario where a flaw is found and exploited either before the vendor is aware of the flaw and has a patch, or before you are aware of the flaw and get it patched. This is why I ALWAYS suggest using a VPN to minimize that.

2 Likes

Hello Tom,
thanks for the reply :smiley:

Are you sure that VPNs are the only way?
Do not get me wrong, but aren’t you the first to say that mobile devices are unsafe and must be placed on a separate network?
So, if I use a VPN on those devices to access a secure place, isn’t it like the dog chasing its own tail?

Unknown vulnerabilities aside.
Are reverse proxies, as well as the login forms of the services, safe enough to be publicly exposed?
Can the use of a dedicated (and paid) service - that uses nearly (if not exactly) the same programs - add some extra protection layer?

I am trying to understand… correct me if my reasoning is wrong (please argue it so I can understand why and where I am wrong)

If a hacker finds a breach in home assistant - I think that - it is more probable that he will hit Nabu Casa or other instances hosted on well-known domains than mine, which is almost unknown. Don’t you think?
…Even if this doesn’t mean that I am safe, it could give me the time to update or remove the self-hosted instance

You either have some trust that your phone is a secure device or you don’t. I always suggest putting the phone on the same network where the devices are that you want it to talk to.

Safe enough is about your own level of risk tolerance and it’s all a numbers game. With the exception of those doing nation state espionage, threat actors are generally focused on a few things:

  • Money via ransomware or extortion
  • Using your system for a botnet (home or business)
  • Using your system as a way to mask where they are coming from to do other attacks

Exposed services are well indexed by sites such as Shodan and Censys and many of the security issues found in products are mass applied to the lists found there. This is why I prefer a VPN and expose only things that are deemed necessary.

3 Likes

I think you’re assuming commercial solutions are secure! However, they most likely get patched sooner.

If there is a flaw in OpenVPN I’d imagine it would be on the daily news, it’s used everywhere and underpins other VPN applications.

I’d agree it’s best to use OpenVPN to access your home network, it’s not that difficult to set up and use, it has a client for most OSs out there.

I am pretty confident that my phone is secure, even if I am not prepared to bet on it.

The same for my LAN, I think it is secure, but I will not bet on it.
It should be, but I am not 100% sure.
Especially since I am not the only user, how can I know that right now an undetected malware or something else is not running on some device?
Or if someone in the house clicks the wrong link…

I followed many guides, watched tons of youtube videos (even a lot of yours, thanks :+1:) to better understand, made a lot of mistakes and learned from those.
I gained a lot of skill but I know that there is a lot more I have to learn; this stops me from doing some things without being sure, that is why I am asking - even the same thing 1000 times - because I want to be at least 90% sure of what I am doing and the risks I could face

I also followed your video about cloudflare tunnel and haproxy on pfsense and I left both configured but disabled since I was too scared to do something wrong and leave a door open on the internet.

I am not a super-hyper-mega-multinational company with tons of industrial patents and information to protect, but if someone uses my Frigate instance as his personal “big brother” or sees my bills and other documents it could be a problem, not the end of the world but…

Back on topic
I was asking that because I thought that a third party service (like cloudflare) + a reverse proxy + a good firewall + strong authentication could protect me, but reading your answers it is clear that it is not.

How can I learn to prevent all these potential risks? Or at least gain some trust to use them safely?

No I am not, but as the poster says: “I want to believe it” :sweat_smile:

Yes it should but… look what happened with log4j, and recently with Microsoft or other vulnerabilities.
Ok we got the news but, how many days, weeks or months had passed since it happened?
Also reverse proxies like haproxy, caddy or traefik are widely used, so a patch should be released quickly

It is not for me or my wife, but explaining how it works to my or her parents could be a challenge. :sweat_smile:

There is a good security principle to minimize the attack surface potential bad actors have access to. If you open a port on your own internal network to your own NextCloud for everyone on the Internet, that’s a pretty big attack surface. If you only open that same port to a single IP address, it’s a much much smaller attack surface.

This is less useful in your particular use case where you have no control over what IP address your phone gets, but was used here to explain this core security principle.

Now, keeping the same principle in mind, were you to open several ports to NextCloud, Home Assistant and whatever else you need, to everyone on the Internet the attack surface is increased almost exponentially. You’re betting your network safety on all of the servers you allow everyone access to, that they have no 0 day exploits, that vendors patch them in a timely fashion and that you yourself apply those patches asap. That’s a tall order to follow through for the foreseeable future.

Also it seems you’re under the impression a reverse proxy is somehow protecting you against exploits in whatever is behind the proxy, i.e. NextCloud. It is not.

However, were you to open up a single port to a VPN server on your premises, and from the phone connect to that port and access through that VPN all the services you need on your network, the attack surface is much, much smaller, yes? You’re limiting the security risks, 0 days and patching to a single very robust server, since reputable VPN servers are some of the most secure servers if configured properly.

Hope this helps.

Ciao,
no, the only port to open is 443 for the reverse proxy

the idea was:

on cloudflare

  • move mydomain there
  • create a general “record” to use for all services I want to expose (home assistant, nextcloud, ds audio or plexamp [not sure how it works], etc)
  • on the record line I saw a checkbox for proxy (I have to check how it works) or something similar, now I am away, so I can’t check the exact name.
  • the * record will point to my public ip
  • grab all the cloudflare IPv4 addresses

on pfsense

  • open port 443 and point it to traefik or the reverse proxy I will use
  • create a list with all the IPs from cloudflare
  • open port 443 on the WAN and allow requests only from the list above
  • use pfsense to manage the Let’s Encrypt certificate

on reverse proxy

  • add all services I need to expose

services

  • by default they already have a strong and random superlong password
  • add 2FA or other dual factor auth

so the only port will be 443 with a valid certificate and the firewall will accept requests only from cloudflare
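A model of the pfSense WAN rule in that plan, added here as an example (it is not from the post, pfSense or Cloudflare). The CIDRs and connection attempts are constructed placeholders (TEST-NET ranges, not Cloudflare's real published list), and CF-Connecting-IP is the header Cloudflare adds with the original client address. It shows that the allowlist drops direct hits on the public IP, but forwards every Cloudflare-proxied request to the application whoever the end client is.

```python
import ipaddress

# Constructed stand-in for the "list with all the IPs from cloudflare" in the
# plan above. These are TEST-NET placeholders, not Cloudflare's real ranges.
CLOUDFLARE_V4 = ["198.51.100.0/24", "203.0.113.0/24"]

WAN_PORT = 443  # the only port the plan forwards to the reverse proxy


def build_alias(cidrs):
    """Turn CIDR strings into networks, like a pfSense URL-table alias."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def wan_rule_allows(src_ip, dst_port, alias):
    """Model the WAN rule: pass TCP/443 only if the TCP peer is in the alias."""
    if dst_port != WAN_PORT:
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in alias)


def origin_sees(conn, alias):
    """What reaches the reverse proxy and, behind it, the application.

    conn holds the TCP peer, destination port and, for proxied requests,
    the CF-Connecting-IP header with the real client. Returns 'dropped'
    or the client address the application ends up serving.
    """
    if not wan_rule_allows(conn["peer"], conn["port"], alias):
        return "dropped"
    # The firewall only vetted the TCP peer (Cloudflare). Whoever the real
    # client is, the request is forwarded to the application unchanged.
    return conn.get("cf_connecting_ip", conn["peer"])


# Constructed connection attempts: 192.0.2.x are arbitrary internet clients.
SAMPLE_CONNECTIONS = [
    {"peer": "192.0.2.10", "port": 443},  # direct hit on the public IP
    {"peer": "192.0.2.10", "port": 22},   # any other port
    {"peer": "198.51.100.7", "port": 443, "cf_connecting_ip": "192.0.2.10"},
    {"peer": "203.0.113.9", "port": 443, "cf_connecting_ip": "192.0.2.200"},
]


def evaluate(connections=SAMPLE_CONNECTIONS, cidrs=CLOUDFLARE_V4):
    alias = build_alias(cidrs)
    return [origin_sees(c, alias) for c in connections]


if __name__ == "__main__":
    for conn, result in zip(SAMPLE_CONNECTIONS, evaluate()):
        print(conn["peer"], conn["port"], "->", result)
```

The two proxied entries are the same strangers as the first, reaching the application anyway: the allowlist decides which network path is accepted, not who may use it.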

You get 1 port through which all of NextCloud etc. are exposed. If there’s a bug in NextCloud, the bug will be accessible to anyone from the entire Internet that connects to your reverse proxy through Cloudflare. That was the point I was trying to raise earlier: the fact you’re passing things through the reverse proxy doesn’t boost the security of the services behind it in the way you seem to think it does.

Whereas if you had a VPN, the only people that can connect to NextCloud, etc. are the people you approve. Everyone else has 0 ability to even see the services, much less exploit any of the potential bugs.

2 Likes

Ok, but this could be applied to all internet services: if a bug is found in home assistant every instance is affected, no matter where it is hosted (even the ones on Nabu Casa [the official provider]); if a bug is found in bitwarden every instance will be affected no matter where it is hosted, and so on…
Frankly I am more scared if this happens to a big company like LastPass (do I remember correctly?), not long ago, than to a small homelab like mine…
Also, following this thought, we should never use any internet services because they could be compromised.

If it happens to me, ok - I don’t know how to translate the Italian expression: “mi girano le balle” :sweat_smile: (literally my balls are spinning or something like that to say that I will get angry) but in the end, it happened… it is not the end of the world.

Back on topic
Since I am not talking about small software developed by guys as homework but well-made and maintained projects, big issues should, and here I add a big SHOULD, be very rare. :thinking:

Also, if nextcloud (or another exposed software) lives inside a docker container on its own separate network, the issue should be limited to it, because it is isolated from the host VM and the VLAN where it is running. Am I right?

Please don’t read my posts as if I were a child who wants his toys at all costs, I am asking (maybe in a stupid or repetitive way) because I want to better understand all the possible risks, solutions and all the opinions on the topic :+1:

I am not, and I absolutely don’t want to be, polemical etc. :+1:

Ciao Joe,
why did you delete your message?
To me, any feedback is welcome :+1:

Also, as already said above, if you guys have some reading to suggest, please post the link

OK, I’ll bite. DrHeat gave you a solid answer. If you want to reduce your attack surface, then VPNs are a great way of doing it. If you don’t care so much or think it is unnecessary, then by all means don’t use it. If you don’t understand why, then read up on it. If you are looking for a debate, you won’t find people jumping out of their chairs to prove you wrong on something so basic.

Good and thank you, I thought that there were other possibilities or options but if all the bells sound the same note maybe this is really the only song.

That instead is what I was looking for. I was looking for someone more prepared than me who:

  1. doesn’t only say: VPN, what else?
  2. doesn’t only say: VPN because it is VPN
  3. and at least tries to understand other points of view or the fact that VPNs are not the holy grail but they have at least 2 - and well-known - failure points: the start and the end.

VPN, no discussion, that’s the point.
But why? Can someone write something more constructive than: “continue to read”, or “continue to watch youtube videos” without posting a link or document that lets me understand your point?

Also, why are you so sure that VPN is secure?
Because all the bells sound that way? Or because until now you have had no issues?

But what is the result if one of the 100 apps installed on a device allowed to use the VPN has malware?
Or the operating system is not updated because the device is too old?
Or the new device has a zero-day breach?
Well, you have a secure tunnel for hackers that points directly to your LAN instead of a single point/service, no?

Also, why are you so sure that VPN is secure?

VPN is as secure as the company that runs it.

VPN has strong protocols and military-grade encryption but it is not infallible.

1 Like

Thank you. :+1:

I understood that for the important stuff, a VPN is a must

Now.
I want to have an instance of nextcloud to use just for the files I could need “on the fly” when I am not at home (manuals, guides and other non-critical stuff).
Which security issues could I have using a reverse proxy with the configuration from the idea above?

Would a potential hacker only “see” the nextcloud login screen (since it is the endpoint of the 443 requests), or could he also, I don’t know, hit the reverse proxy itself and/or get control of it or other machines on the VLAN?
As per the topic’s title, I want to understand what the possible risks are using this technology.

I did a quick scan of the responses, so apologies if I missed it, but you could always use a cloudflare tunnel to expose nextcloud and not have to port forward any ports in your firewall. Yes, you have to trust cloudflare, but I am ok doing that. YMMV. Also with the cloudflare tunnel, your public IP address isn’t exposed at all. Your DNS records point to a cloudflare public IP address.

In my opinion, you are better off accessing your home via VPN from another country and then nextcloud locally. Search for ‘nextcloud exploits’ and you will find a bunch.

Here’s a potential scenario, one that’s unfortunately all too common: let’s say people discover a bug in NextCloud. Let’s say this is a severe bug that doesn’t require people to be logged in to your NextCloud, the bug works by accessing a specially crafted link on your installation of NextCloud. And because it’s a severe bug, crafty bad actors figured out a way to use it to drop a reverse shell on your NextCloud server.

Now, your NextCloud instance is part of, at best, a botnet used to carry out all sorts of mischief, say DDoS attacks on other servers, and at worst a gateway to expose more of your internal network.

All that because anyone from the wild wide Internet could access your NextCloud over whatever reverse proxy you had in place.

Now, same scenario, same vulnerability. But your NextCloud can’t be accessed by anyone unless they are logged in to your secure VPN. I’m assuming you’re trusting the people you give access to your VPN, so they aren’t going to exploit that vulnerability. Everyone else on the Internet has no idea you’re even running NextCloud, all they are able to see is your open VPN port.

This is the gist of why VPNs are providing inherently more security to your network. As for the VPN server itself, it’s more secure than most other servers out there not because they’re magic but because they have undergone lots and lots of scrutiny and the source code is checked line by line by many top experts. Could there maybe still be hidden bugs? Sure, I guess. Nothing is ever 100% secure. But I’d rather take my chances with a very well audited product that’s at the forefront of computer security than with most other solutions.

That is why pretty much everyone is recommending you use a VPN if you truly want your network to be as secure as humanly possible. Of course, it’s your home lab, and the purpose of a home lab is to experiment. Just take all the precautions you can that when it is compromised you minimize the damage, both to yourself and others.

3 Likes

One could make the argument that you can utilize your reverse proxy or firewall to allow only specific IPs to access the content, but then you are limited in the locations from which you can access said content. Going even further, one could do the same when setting up a VPN to only allow specific IPs to connect.

OpenVPN has user certificates, server certificates, username and password. So the chances of a threat actor gaining access to all the resources needed to connect to your VPN would be pretty slim. Another option would be to set up 2FA on your nextcloud instance OR set up Authelia.

I think anyone can go as deep as they want when it comes to security and their home lab. Is one technology or method better than the other? I think it depends on a combination of technologies and methods with your comfort level on how you set up your environment. I don’t think there is one silver bullet here.

1 Like