nginx reverse proxy security
How secure is nginx rproxy ?
I need a reverse proxy to access my 'internal' proxmox vms.
I configured nginx with
# Allow only connections from the specified IP
allow x.x.x.x; #my home ip
deny all;
This works (checked proxy using my mobile and got a 403 Forbidden).
I am also running the proxy on a random port.
So is that 'reasonably' secure or do you have any other suggestions?
Thanks
Comments
I suggest you to not rely upon IP address based ACL for authentication. Use passwords instead.
🇵🇱 KVM VPS | LG | Colocation (aff)
Good point - although all of the 'internal' vms are already password protected but I agree more layers are good hence my question.
Thanks
edit - added to config
auth_basic "Restricted Site";
auth_basic_user_file /path/to/.htpasswd;
If answering your broad question, I would evaluate is as battle-tested solution (applicable only for stable releases). See https://nginx.org/en/security_advisories.html
🇵🇱 KVM VPS | LG | Colocation (aff)
Since this is only for you, why not Tailscale?
I run a small VM on PVE with TS just for this propose.
Understood - I already run Zerotier and have my own zt controller which work fine.
I also use openwrt with ZT as my router for 10 nodes providing access to multiple proxmox networks and vms.
My key problem is that because of proxmox & openwrt firewalls, I can't access the openwrt web interface as this is only available on the lan side. Using a reverse proxy (over ZT) solves this problem but as discussed I am concerned about the security over nginx and want it locked down as much as possible,
I have messed around with Proxmox SDN but find it too restrictive in comparison to the SDN's you can create with openwrt.