nginx reverse proxy security

How secure is an nginx rproxy?
I need a reverse proxy to access my 'internal' Proxmox VMs.
I configured nginx with

    # Allow only connections from the specified IP
    allow x.x.x.x;  # my home ip
    deny all;

This works (checked the proxy using my mobile and got a 403 Forbidden).
I am also running the proxy on a random port.

So is that 'reasonably' secure or do you have any other suggestions?
Thanks

Virmach is NOT worth the risk.

Comments

  • skhron (Hosting Provider)

    @msatt said: So is that 'reasonably' secure or do you have any other suggestions?

    I suggest you not rely on IP-address-based ACLs for authentication. Use passwords instead.

    Thanked by (1) msatt

    Check our KVM VPS plans in 🇵🇱 Warsaw, Poland and 🇸🇪 Stockholm, Sweden

  • msatt (OG)
    edited May 2024

    @skhron said: I suggest you not rely on IP-address-based ACLs for authentication. Use passwords instead.

    Good point - although all of the 'internal' VMs are already password protected, I agree more layers are good, hence my question.
    Thanks

    edit - added to config:
        auth_basic "Restricted Site";
        auth_basic_user_file /path/to/.htpasswd;

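    The two layers from this thread (the allow/deny block in the opening post and the auth_basic lines added in the edit) combined into one server block, as an added example that is not the poster's configuration. The hostname, certificate paths, the 203.0.113.10 home address, the /etc/nginx/.htpasswd path and the Proxmox upstream 10.0.0.10:8006 are all assumed placeholders; the WebSocket headers are there because the Proxmox noVNC and xterm.js consoles need them through a proxy.

```nginx
# Added example, not the poster's config. All addresses, hostnames and
# file paths below are assumed placeholders.
server {
    listen 8443 ssl;              # non-default port, TLS only
    server_name pve.example.com;  # assumed hostname

    ssl_certificate     /etc/nginx/certs/pve.example.com.crt;  # assumed path
    ssl_certificate_key /etc/nginx/certs/pve.example.com.key;  # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Layer 1: IP allowlist, as in the opening post.
    allow 203.0.113.10;   # placeholder for the home IP
    deny  all;

    # Layer 2: HTTP basic auth, as in the edit.
    # Create the file with: htpasswd -B -c /etc/nginx/.htpasswd <user>
    auth_basic           "Restricted Site";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # "satisfy all" is the default: BOTH the allow/deny check and the
    # password must pass. "satisfy any" would let the allowed IP in
    # without a password, which throws away the second layer.
    satisfy all;

    location / {
        proxy_pass https://10.0.0.10:8006;   # assumed Proxmox address

        # Proxmox console sessions run over WebSockets.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

    After `nginx -t` and a reload, the expected behaviour is a 403 from any address not in the allow list (the access check runs first, so no password prompt is ever shown there) and a 401 from the allowed address until valid credentials are supplied. Basic auth only base64-encodes the password, so keeping the listener TLS-only matters as much as the two checks themselves; if the home connection has a dynamic IP, the allow line needs to be updated when it changes, which is one reason the password layer is worth having.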

  • skhron (Hosting Provider)

    @msatt said: How secure is an nginx rproxy?

    If answering your broad question, I would evaluate it as a battle-tested solution (applicable only to stable releases). See https://nginx.org/en/security_advisories.html


  • nfn
    edited May 2024

    Since this is only for you, why not Tailscale?

    I run a small VM on PVE with TS just for this purpose.

  • @nfn said:
    Since this is only for you, why not Tailscale?

    I run a small VM on PVE with TS just for this purpose.

    Understood - I already run ZeroTier and have my own ZT controller, which works fine.
    I also use OpenWrt with ZT as my router for 10 nodes, providing access to multiple Proxmox networks and VMs.
    My key problem is that because of the Proxmox and OpenWrt firewalls, I can't access the OpenWrt web interface, as this is only available on the LAN side. Using a reverse proxy (over ZT) solves this problem, but as discussed I am concerned about the security of nginx and want it locked down as much as possible.

    I have messed around with Proxmox SDN but find it too restrictive in comparison to the SDNs you can create with OpenWrt.

