Ancestors

Written by miau@lemmy.sdf.org on 2024-11-04 at 14:31

Help me harden my home server

https://lemmy.sdf.org/post/24652924


Written by Lyricism6055@lemmy.world on 2024-11-04 at 16:26

Just close 443 and use VPN with ACME DNS challenges for your certs. That’ll help make it even more secure; nothing is foolproof though, and a VPN is a good first step.


Written by miau@lemmy.sdf.org on 2024-11-04 at 18:46

Thanks for replying!

I do use DNS challenges for renewing my certs. But I use port 443 for application data, not for certs.

Is a VPN always safer than a reverse proxy? Do you use WireGuard, or do you have any other options worth looking into?


Written by sugar_in_your_tea@sh.itjust.works on 2024-11-04 at 20:53

> Is a VPN always safer than a reverse proxy?

Depends on what you trust, I guess.

A reverse proxy on a standard cert is a bigger target for automated scripts than a reverse proxy on a non-standard port. A VPN runs through the VPN’s authentication, whereas a reverse proxy relies on whatever that app’s authentication is. So whether it’s secure enough depends on the VPN configuration, what you’re hosting, etc.

I’m behind CGNAT, so I have limitations you don’t, but here’s my setup:

I like this approach because I can eat my cake (nice domain names instead of IPs and ports) and have it too (fast connection inside LAN, can disable reverse proxy if I want better security). You could get the same w/o the VPS if you skipped the first step, and if you require WireGuard VPN access outside the LAN, you get better security than a public-facing service.

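The advice in this thread (close 443 to the internet, reach services only through the WireGuard tunnel) is easy to state and easy to get wrong, because a service bound to 0.0.0.0 is exposed on every interface unless a firewall stops it. The script below is an added example, not from any poster, that audits `ss -tlnp` output and lists TCP listeners bound outside the tunnel; it assumes a 10.8.0.0/24 WireGuard subnet and a 192.168.1.0/24 LAN, and the `ss` output shown is a constructed sample.

```python
import ipaddress
import re

# Assumptions (not from the thread): WireGuard tunnel 10.8.0.0/24, LAN 192.168.1.0/24.
VPN_NETS = [ipaddress.ip_network("10.8.0.0/24")]
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample of `ss -tlnp` output, in the shape a real host prints.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1034,fd=6))
LISTEN 0      511    [::]:443            [::]:*            users:(("nginx",pid=1034,fd=7))
LISTEN 0      511    10.8.0.1:8443       0.0.0.0:*         users:(("nginx",pid=1034,fd=8))
LISTEN 0      4096   127.0.0.1:27017     0.0.0.0:*         users:(("mongod",pid=1201,fd=12))
"""

def parse_ss(text):
    """Return (addr, port, process) tuples for each LISTEN line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or malformed line
        addr, _, port = fields[3].rpartition(":")  # handles [::]:443 and 0.0.0.0:22
        m = re.search(r'\(\("([^"]+)"', line)  # first process name in users:((...))
        rows.append((addr, int(port), m.group(1) if m else "unknown"))
    return rows

def scope(addr):
    """Classify a bind address as public (wildcard/WAN), lan, vpn or loopback."""
    if addr == "*":  # some ss versions print the IPv6 wildcard this way
        return "public"
    ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
    if ip.is_unspecified:  # 0.0.0.0 or :: -> every interface, including WAN
        return "public"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in VPN_NETS):
        return "vpn"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "public"

def exposed_ports(text, allowed=frozenset()):
    """Ports bound outside the tunnel, with the owning process, v4/v6 duplicates collapsed."""
    seen = {}
    for addr, port, proc in parse_ss(text):
        if scope(addr) == "public" and port not in allowed:
            seen.setdefault(port, proc)
    return sorted(seen.items())

if __name__ == "__main__":
    for port, proc in exposed_ports(SAMPLE_SS):
        print(f"port {port} ({proc}) is bound outside the VPN; bind it to wg0 or firewall it")
```

On a real host, feed it `ss -tlnp` output and pass `allowed={51820}`-style exceptions only for ports you intend to expose; the WireGuard UDP port itself never shows up because only TCP listeners are parsed.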

Toot

Written by miau@lemmy.sdf.org on 2024-11-05 at 01:02

I didn't mention on my original post but I do have a virtual machine on GCP, which I use to run MongoDB. I didn't mention it because I am not too concerned with it, but mostly it follows the same practices, with the exception being that SSH is open and it has no private data in it.

But I suppose I could do something similar to what you mentioned. The idea of having and eating the cake is very nice. And if something goes wrong I could turn off public access and have the VPN still working.

I will consider implementing something like that as well, thanks a lot for sharing your thoughts!


Descendants
