Ancestors

Written by miau@lemmy.sdf.org on 2024-11-04 at 14:31

Help me harden my home server

https://lemmy.sdf.org/post/24652924


Written by Lyricism6055@lemmy.world on 2024-11-04 at 16:26

Just close 443 and use VPN with ACME DNS challenges for your certs. That'll help make it even more secure; nothing is foolproof, though, and a VPN is a good first step.


Toot

Written by miau@lemmy.sdf.org on 2024-11-04 at 18:46

Thanks for replying!

I do use DNS challenges for renewing my certs. But I use port 443 for application data, not for certs.

Is a VPN always safer than a reverse proxy? Do you use WireGuard, or do you have any other options worth looking into?


Descendants

Written by sugar_in_your_tea@sh.itjust.works on 2024-11-04 at 20:53

Is a VPN always safer than a reverse proxy?

Depends on what you trust, I guess.

A reverse proxy on a standard port is a bigger target for automated scripts than a reverse proxy on a non-standard port. A VPN runs through the VPN's authentication, whereas a reverse proxy relies on whatever that app's authentication is. So whether it's secure enough depends on the VPN configuration, what you're hosting, etc.

I’m behind CGNAT, so I have limitations you don’t, but here’s my setup:

I like this approach because I can eat my cake (nice domain names instead of IPs and ports) and have it too (fast connection inside LAN, can disable reverse proxy if I want better security). You could get the same w/o the VPS if you skipped the first step, and if you require WireGuard VPN access outside the LAN, you get better security than a public-facing service.


Written by miau@lemmy.sdf.org on 2024-11-05 at 01:02

I didn't mention in my original post that I do have a virtual machine on GCP, which I use to run MongoDB. I didn't mention it because I am not too concerned with it, but mostly it follows the same practices, with the exception being that SSH is open and it has no private data in it.

But I suppose I could do something similar to what you mentioned. The idea of having and eating the cake is very nice. And if something goes wrong I could turn off public access and have the VPN still working.

I will consider implementing something like that as well, thanks a lot for sharing your thoughts!


Written by Lyricism6055@lemmy.world on 2024-11-05 at 01:19

I still use a reverse proxy, but to get into my network you need to be on VPN. It's more secure for me, I guess.

I use Traefik forward auth, even inside my network on VPN, for an extra layer of security for some apps.

My opinion is that port 443 getting accidentally misconfigured by me is just too likely a scenario. With WireGuard on my router I am also able to restrict traffic to ONLY my web server and DNS servers for my devices.

So I guess that's another positive of WireGuard: you can use your own DNS servers for all your phones all the time and always have ad blocking with Pi-hole or something similar, even on mobile.

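An added example (not from any poster in this thread) of the split-tunnel WireGuard setup described above: the phone or laptop only routes traffic for the internal reverse proxy and the Pi-hole through the tunnel, and the router enforces that restriction with firewall rules rather than trusting the client's configuration. The tunnel subnet 10.8.0.0/24, the reverse proxy at 10.0.0.10, the DNS server at 10.0.0.53, the endpoint vpn.example.net and the key placeholders are all assumptions for illustration.

```ini
# --- /etc/wireguard/wg0.conf on the client (phone or laptop) ---
# Added example; all addresses, names and keys are placeholders.
[Interface]
PrivateKey = <client private key>
Address = 10.8.0.2/32
# Resolve through the LAN Pi-hole, so ad blocking applies on mobile too.
DNS = 10.0.0.53

[Peer]
PublicKey = <router public key>
Endpoint = vpn.example.net:51820
# Split tunnel: only the reverse proxy and the DNS server are routed into
# the tunnel; all other traffic leaves the device normally.
AllowedIPs = 10.0.0.10/32, 10.0.0.53/32
# Keep the NAT / CGNAT mapping alive so the router can reach the client.
PersistentKeepalive = 25

# --- /etc/wireguard/wg0.conf on the router (server side) ---
[Interface]
PrivateKey = <router private key>
Address = 10.8.0.1/24
ListenPort = 51820
# Client-side AllowedIPs is only a routing decision; a modified client can
# send anything. Enforce the policy here: from wg0, forward only HTTPS to
# the reverse proxy and DNS to the Pi-hole, drop everything else.
# Rules are inserted with -I, so the DROP goes in first and the ACCEPTs
# land above it. (iptables chain names are the defaults; assumed.)
PostUp = iptables -I FORWARD -i %i -j DROP
PostUp = iptables -I FORWARD -i %i -d 10.0.0.10 -p tcp --dport 443 -j ACCEPT
PostUp = iptables -I FORWARD -i %i -d 10.0.0.53 -p udp --dport 53 -j ACCEPT
PostUp = iptables -I FORWARD -i %i -d 10.0.0.53 -p tcp --dport 53 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -d 10.0.0.53 -p tcp --dport 53 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -d 10.0.0.53 -p udp --dport 53 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -d 10.0.0.10 -p tcp --dport 443 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP

[Peer]
# One [Peer] block per device; AllowedIPs here is the source filter:
# packets arriving from this key must carry the client's tunnel address.
PublicKey = <client public key>
AllowedIPs = 10.8.0.2/32
```

Bring each side up with `wg-quick up wg0` and check the server's view with `wg show wg0`; a client that has completed a handshake shows a recent "latest handshake" line. With this in place, the reverse proxy and a forward-auth middleware in front of it only ever see traffic that already passed WireGuard's key-based authentication, and a misconfigured service on 443 is reachable from the tunnel subnet rather than from the internet.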

Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113426168925398009