this post was submitted on 11 Feb 2024
9 points (84.6% liked)

homelab

6576 readers
28 users here now

founded 4 years ago
MODERATORS
 

I currently have my reverse proxy on my NAS. That means I forward all of my 443 HTTPS traffic to my NAS. I am using OpnSense for my router, and there are several options for reverse proxies on that. Everything works the way it is now, but I do wonder if it would be "better" if I moved all of the reverse proxy stuff to my router. I don't know that anything would be simpler to manage one way or the other, so I think it comes down to best practices and security. If I move the reverse proxy to my router, I would be able to remove that forwarded port, but is that really any more or less secure?

all 5 comments
sorted by: hot top controversial new old
[–] poVoq 4 points 8 months ago

The reverse-proxy is usually the place where you terminate the TLS connections and also where you generate your let's encrypt certificates. Depending on your network stack and software used, it can be a bit inconvenient to have that on the router.

One way that is interesting though is to have a load-balancer + reverse-proxy combination on the router that can also do SNI based forwarding and then have a second application reverse-proxy that also acts as the TLS termination point on the actual server. However setting that up is a bit more involved and the documentation for it on OPNsense isn't great (I tried this before and failed, even though the docs say it should be possible).

[–] MSgtRedFox@infosec.pub 2 points 8 months ago

Is this for internal clients?

If no, do you need unauthenticated public access to that?

Would you consider VPN instead?

[–] SheeEttin@programming.dev 2 points 8 months ago

If it ain't broke, don't fix it.