Webserver behind HAProxy (pfSense)

I am wondering how secure running a static/simple site in nginx in a Linux VM that sits behind HAProxy (SSL certs, pfSense) is.

I am just starting to get into cyber security, with a drive for defensive security.

As it stands now, how secure am I?

1-10 (0 being wide open, 9 being air-gapped, 10 being PS removed, off)

With having no search boxes, etc., how far could a bad hacker get into my system? Can they get root access through nginx?

Does anyone know of any good resources/video demos of someone pentesting this kind of setup, so I can get a better idea of how and what they can do?


I’d give your simple setup a score of 3.5 based on what you described. Without testing the code of the actual site you’ll never really know how secure it really is. If you have bad devs that don’t follow security best practices then yeah, your site is probably a 0.

Security Tools

Proxy and VM

Personally, it isn’t best practice to have your proxy sit directly on your firewall. It is best to set this up on a VM. With that being said, you also need to make sure your proxy is in a DMZ so that, in case the proxy VM is compromised, it cannot move laterally in your network. Take precautions on the VM hosting your cat site with adequate firewall rules to make sure that, if compromised, it cannot move laterally on your network.

I would suggest setting up AppArmor or SELinux to help protect your VMs from being compromised.

Firewall and Third Party

Try to scope down inbound traffic to your site to the IPs you want accessing it.

Might be worth installing CrowdSec with bouncers to help mitigate known threats from IP addresses and shut down brute-force attacks.

Data At Rest

What about data? Where does it sit? Is it encrypted? Do you have snapshots?
There is a lot to consider when dealing with security on that front as well.
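The lateral-movement precaution and the "scope down inbound traffic" advice above can be expressed concretely as a host firewall on the web VM itself. The following is an added example, not code from anyone in this thread: a POSIX shell script that renders and loads an nftables ruleset in which only the HAProxy host may reach nginx, only one admin host may SSH in, and the VM cannot open new connections to any RFC 1918 range. The addresses (PROXY_IP 10.10.20.2 for a separate proxy VM on the DMZ VLAN, GATEWAY_IP 10.10.20.1 for the pfSense DMZ interface acting as DNS resolver, ADMIN_IP 10.10.10.5) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a host firewall for the nginx web VM,
# written as an nftables ruleset. All addresses are assumptions for illustration:
#   PROXY_IP   - the HAProxy host, the only thing allowed to reach nginx
#   GATEWAY_IP - the pfSense interface on the DMZ VLAN (used here as DNS resolver)
#   ADMIN_IP   - the one workstation allowed to SSH in
PROXY_IP="${PROXY_IP:-10.10.20.2}"
GATEWAY_IP="${GATEWAY_IP:-10.10.20.1}"
ADMIN_IP="${ADMIN_IP:-10.10.10.5}"

# Print the ruleset. Kept as a function so it can be reviewed or diffed before it is applied.
render_ruleset() {
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept
    # TLS terminates on HAProxy, so only plain HTTP from the proxy is exposed.
    ip saddr $PROXY_IP tcp dport 80 accept
    # Management access from a single admin host only.
    ip saddr $ADMIN_IP tcp dport 22 accept
    icmp type echo-request limit rate 5/second accept
  }

  chain forward {
    # The VM is not a router; never forward anything.
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oifname "lo" accept
    # Name resolution via the DMZ gateway has to be allowed before the private-range drop below.
    ip daddr $GATEWAY_IP udp dport 53 accept
    # Lateral-movement guard: a compromised web VM may not open new connections
    # to anything in RFC 1918 space (LAN, other VLANs, the hypervisor).
    ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
    # What is left is Internet egress for package updates and time sync.
    udp dport 123 accept
    tcp dport { 80, 443 } accept
  }
}
EOF
}

# Write the ruleset and load it; nft -f replaces the whole ruleset in one transaction.
apply_ruleset() {
  render_ruleset > /etc/nftables.conf
  nft -f /etc/nftables.conf
}

# Sanity check run before applying: the private-range drop must precede Internet egress,
# otherwise "tcp dport 443 accept" would also allow HTTPS into the LAN.
egress_guard_ordered() {
  drop_line=$(render_ruleset | grep -n '192.168.0.0/16 } drop' | cut -d: -f1)
  https_line=$(render_ruleset | grep -n 'tcp dport { 80, 443 } accept' | cut -d: -f1)
  [ -n "$drop_line" ] && [ -n "$https_line" ] && [ "$drop_line" -lt "$https_line" ]
}

case "${1:-render}" in
  apply)  egress_guard_ordered && apply_ruleset ;;
  *)      render_ruleset ;;
esac
```

Run it without arguments to print the ruleset for review, and as root with `apply` to load it. Two caveats: `ip daddr` matches IPv4 only, so in this ruleset IPv6 egress is simply dropped by the chain policy, and a host firewall is only the inner layer; the pfSense rules on the DMZ VLAN should enforce the same "DMZ talks to WAN only" boundary, so the guard still holds if an intruder with root on the VM rewrites the local ruleset.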

Thank you for all this help. It is a lot to think about/implement.

I have Snort in pfSense installed; I need to learn how to use it/implement it.
I had CrowdSec installed in pfSense, from Tom’s tutorial on installing it in pfSense. I am unsure if it was a reboot or an update, but it is not showing up in pfSense. I am going to figure it out and get it working again.

The site, a temp page, is just the default Nginx page with the HTML changed to display a few lines of text—no pictures or anything else.

Everything is self-contained in the VM. I do have it set for snapshots and backups. It is not encrypted.

Could a DMZ zone be a VLAN that only has rules that let it talk to the WAN, and nothing else, on the one interface?

Again, thank you.

Yes, this is a way of implementing it if you just have one firewall.