Security of reverse proxy (vs other options)?

ags

Regular Contributor
I have several LAN devices that I want to access from the LAN and WAN. I am running a NAS that supports reverse proxy and am considering using it to allow human-readable naming (and access) for the LAN endpoints. I've researched, but unsurprisingly there does not seem to be consensus about the security of this (non-IT-pro administered) method compared to others. For example, using just one public domain name (pointing to a router), I can use ephemeral/dynamic/private (i.e. non-standard) port numbers and port forwarding to "hide" the LAN endpoints (so only the router is directly exposed). I presume that accessing endpoint machines would require guessing (or scanning) the port number and then a successful attack. With a reverse proxy, using the public domain name (no scanning or guessing) would lead to the NAS as an endpoint for attack, and if compromised it would thus allow access to all the proxy clients. In addition, I've read about many known strategies for attacking reverse-proxy setups.

Is this idea of using non-standard ports as obfuscation to reduce attacks even valid? (Port scanning would defeat it if it scanned all the way up to 65535, unless some other protection detected that scan and terminated the sessions with a timeout.)

Is there a way to implement a reverse proxy that is more secure relative to other methods, or are there yet other, better ways to accomplish my goal?
 
Is there a way to implement a reverse proxy that is more secure relative to other methods, or are there yet other, better ways to accomplish my goal?

I have pondered the same question many times. In the end, I used Synology's Reverse Proxy setup. I did try OpenVPN.

The argument for a Reverse Proxy depends a little on the use case. If you have a static IP from your ISP, then the big advantage is with sub-domains and the ability to have the Reverse Proxy point to different devices, including your router. If you are using DDNS, then this advantage goes away. You can still point the Reverse Proxy to the NAS port 443.

I did consider OpenVPN. The issue I have with any VPN server, either through the router or the NAS, is that neither offers 2FA. So if any device that has an OpenVPN client on it with the password embedded is stolen, the thief will have access to my entire network. Sure, the password does not need to be embedded with the client install. But in my case, I could not control how others who need remote access would handle the OpenVPN client password issue. Besides, I didn't want to give others unrestricted access to the entire network. Sure, restrictions can be added to the router. But now things are getting more complex. And there are third-party 2FA services for extra $$$ that can solve that part too.

My understanding of how most hacker threats are initiated is by surveying the WWW by IP address (not by domain name). The Reverse Proxy does thwart this kind of threat. If your IP with port 443 open is found, the NAS sign-in page does not show at [WAN-IP]:443. It is a dead end for would-be hackers. I am not saying that a hacker who finds an active IP address can't figure out the domain associated with it. But this task is way more difficult. A simple IP Whois lookup will not give you domain information. The only thing you get with a DNS lookup is the ISP's information.

The security features provided by a Reverse Proxy follow:
  • If you type into a browser address bar the ISP IP address, you don't go anywhere – Dead End!
  • If you type https://ISP-IP, you still don't go anywhere – Dead End!
  • If you type https://ISP-IP:443 (443 is port forwarded to the NAS where the Reverse Proxy list is located), you still don't go anywhere – Dead End!
So, if a hacker snoops and finds the open port on the router (port 443), they still can't access anything. They don't get the sign-in page of anything. It is a Dead End.

In the end, I find that 2FA is the most important security piece of the puzzle. I can't trust others that I don't control and need remote access to keep their devices secure. If I set them up with complex passwords, they just save them in their browsers.

In the end, I have chosen a Reverse Proxy setup with 2FA and clearing "trusted" devices regularly.
 
I have been working on a similar problem.

As a malicious bad actor, it's not hard to map out a network with a combination of DNS reconnaissance, a few SYN packets and a few probing requests. Yet if using a rev-proxy (hybrid rev-proxy) style setup, the admin only has to expose 80:443 (even 80 can get forced to HTTPS), and if the admin only has to monitor those 2 ports then it's feasible to create a blacklist and GeoIP blocking rules and some autoban trip rules > fail2ban jail conditions.

It's what a DMZ is for, no? You put your edge device/firewall appliance inside the DMZ, behind the perimeter firewall and in front of the LAN firewall. It's how you control ingress into your network from the edge. You can even take it further out and come in over a VPN link, which adds an extra layer of ossification. Yes, don't map your rev-proxy ports to actual service ports; use some high dynamic-range port numbers: Src 443 : Dst 62443 (example). [With Cloudflare Tunnels you can use the default 443:443 port mapping if you like, as you control the edge - more below.]

Have you considered a combination of a rev proxy with Cloudflare Tunnels? You are able to control ingress and egress traffic and set up TLS filtering rules, plus a lot more.

Alternatively, you can go with "Zero Trust" and use something like "StepOne" for the CA issuance and revoking, all streamlined, and then something like "NGINX Proxy Manager" / "Caddy2" to manage the edge/perimeter ingress traffic.

Cloudflare Tunnels is pretty clumsy, and you are locked into using their 1.1.1.1 DNS servers (which isn't really a bad thing!), but it works and is secure, especially if users are met with a forced landing portal. You can take it a step further with a hybrid OAuth2 forced landing portal to access a restricted namespace via MFA. NPM/CF Tunnel/StepOneCA/Portainer EE run quite happily under one Docker stack and one Docker image/container.

A second option would be to use something like OPNsense. I am in the process of building this out using a 6-port J6xx5-based embedded device. It will sit outside the LAN in DMZ land, with the perimeter firewall in front of the DMZ, behind CF Tunnels. I will still use a rev proxy just for the URL mapping/subdomains.

Also, for DynDNS users, check out DNSExit, as you can update DNS zones from a single curl one-liner (Cloudflare's API updates are a little more tricky *Bearer tokens etc.*). Plus, with DNSExit you have certbot/Let's Encrypt access via the API too, to automate the SSL refresh every 30/60/90 days, which is inside wanip_update.sh > triggered via a cron task every 30 mins to update my records.

There is a lot of legacy stuff I need to change up now, as newer Layer 7 stuff is coming out and it's time to migrate from the old ways and embrace the new Terraform/Ansible/Docker methods. One wickedly helpful combination of tools to ensure your network is running tip-top is as follows: Uptime Kuma (monitoring/ping/HTTPS API) triggers/alerts AND a tool I've just started to use called "n8n". It's a way to build automation flows using drag and drop, basically. It's very powerful, especially with webhooks. Anyway, it's an all singing, all dancing war machine.

One final idea you guys may want to look at is Umbrel OS. It's basically a Bitcoin node 'slash' personal Raspberry Pi OS server. I used the same Docker stack as the developers of Umbrel in my development stack. NGINX manages the proxy and is locked down for remote stuff, accessible only over Tor. Quite secure. *I guess this could be added to a CF Tunnel and remove Tor remote.*

Proxmox is very powerful when managing all my stacks, incl. storage pools.
Also Authelia/Traefik/MeshCentral/Uptime Kuma/n8n.
Use the UmbrelOS dockerfile as a blueprint to build out your own custom env.
Use Cloudflare Tunnels - ingress/egress/TLS filtering rules.
NGINX Proxy Manager is the business.. or Traefik/Caddy2.
Now all the Zero Trust Layer 7 stuff is becoming more mainstream, plus you have Tailscale as a solution too.
My next move is to use a dedicated pfSense/OPNsense setup on a dedicated firewall appliance in combination with CF Tunnels/NPM and Authelia (MFA/SSO).

Anyway.. Hope this helps..
Happy Hunting ;)
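Putting the two replies above into configuration: the "Dead End" behaviour for bare-IP requests described in the earlier reply, and the 80/443-only exposure with blacklist and rate-limit trip rules described in this one. This is an added example written as a plain nginx.conf fragment, not the Synology GUI settings and not any poster's own configuration; the hostname, certificate paths and addresses (nas.example.com, 192.168.1.10:5001, 203.0.113.0/24) are placeholders.

```nginx
http {
    # CIDR blacklist via the built-in geo module (address match, not country
    # lookup; country blocking needs the separate GeoIP2 module).
    geo $blocked {
        default        0;
        203.0.113.0/24 1;   # constructed example range
    }

    # Per-client budget: 10 req/s with a burst of 20; excess gets 429 and never
    # reaches the LAN device. A fail2ban jail can then key on 429/401/403 entries.
    limit_req_zone $binary_remote_addr zone=edge:10m rate=10r/s;
    limit_req_status 429;

    # Port 80 serves nothing in the clear: every request is sent to HTTPS.
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # Catch-all on 443: any SNI/Host that is not a configured name, including
    # https://<WAN-IP>, is refused during the TLS handshake (nginx >= 1.19.4; on
    # older builds give this block a self-signed cert and use "return 444;").
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;
    }

    # One named virtual host per LAN device.
    server {
        listen 443 ssl;
        server_name nas.example.com;
        ssl_certificate     /etc/nginx/certs/example.com.crt;
        ssl_certificate_key /etc/nginx/certs/example.com.key;
        ssl_protocols TLSv1.2 TLSv1.3;

        if ($blocked) { return 444; }   # close silently for blacklisted sources
        limit_req zone=edge burst=20 nodelay;

        location / {
            proxy_pass https://192.168.1.10:5001;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Hostnames on publicly issued certificates are published in Certificate Transparency logs, so the hostname-only dead end cuts scanner noise but is not an access control; authentication with 2FA on the proxied applications, as the earlier reply settles on, remains the real gate.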
 
