What is safest/most secure to set up remote access to apps running on NAS: Reverse Proxy or VPN

I have docker containers running on the NAS and one or two of them already set up to access remotely via the reverse proxy. It works well and I like that I don’t have to poke holes into my router (i.e. open ports). The reverse proxy also forces the apps to be accessed via HTTPS only which is a nice touch.

Buuttt, I was still wondering: reverse proxy for each app? or VPN into local network and use IP/port for each app?

VPN offers less attack surface. The reverse proxy passes the individual app through to the net, so if the app has a security exploit, it can often be used through a proxy as well. VPN will stop any traffic from coming to the app if not properly authenticated, so the attacker would need a security flaw in the VPN package.

But: everything comes down to your risk appetite. Often reverse proxy is good enough, as I cannot stop a determined hacker with time and resources on hand, but others may be the more interesting target.

Comparison: I don’t need a 100% perfect lock and house security, it just needs to be better than average for what can be stolen from me.

The docker containers (running on my NAS) are hosting apps that I access from the outside world via a reverse proxy (also running on my NAS).

That’s an interesting way to look at it. Thanks for the insight. I’m not a hacker myself and really only a home hobbyist when it comes to building IT infrastructure. There have been quite a few “gotchas” lately where I didn’t realise how bad the security hole was until someone told me about it. It’s all a learning process I suppose.

For some more context, I’ve currently got several docker containers running on my NAS and these are what I’ve been passing through the reverse proxy (also running on the NAS). The reverse proxy is configured to only accept HTTPS (with a Let’s Encrypt cert) from the outside world. And I’ve been hearing more and more that a VPN isn’t the “security safe-house” that everyone believes it to be. Hence the question.

If it’s a zero day type exploit that’s been figured out on other hosts, the attack can be thrown at various devices with little investment and do damage at least until security updates plug the hole in security.

Sure, have a proper backup in place for that.

And apply security updates frequently if your system is exposed to the internet.