Comment

Comment on What's the real danger of opening ports?

you can reverse proxy other ports than 443 and ex. upstream ssh, the advantage of having reverse proxy over everything is to have traffic in one place so you can manage it, that’s why for example kubernetes have ingress server, example nginx / openresty upstream ssh

stream {
    upstream ssh {
        server          127.0.0.1:22;
    }

    server {
        listen          2222;
        ssl_preread     on;
        proxy_pass      ssh;
    }
}

source

Sort:hotnew top

dontblink@feddit.it ⁨3⁩ ⁨days⁩ ago
As far as I knew reverse proxies could only reverse proxy stuff coming in from 443 or 80, I didn’t know they could listen other ports as well!

Main reason why I was using a reverse proxy at first is because I had everything behind cloudflare, and cloudflare can only proxy and give you an SSL encryption for stuff that goes through 443, so I could make Caddy listen to 443 and then forward to interested ports.

But this leaves out everything that needs to go in some other places than 443, and requires its own standalone ssl certificate, which is a bit cumbersome. Pheraps these can be proxied with other proxies than cloudflare, hopefully giving SSL to everything…

I’m not sure I understood the upstream ssh thing, what do you actually do?

source
- Lem453@lemmy.ca ⁨2⁩ ⁨days⁩ ago
  Traekif can reverse proxy just about anything include ssh.
  
  That being said I don’t. For stuff like ssh I connect with wireguard first then ssh. For stuff like immich I directly expose that behind traefik so I can share images with others. For stuff like vaultwarden I have that behind traefik but internal only so you need wireguard first then you connect to vaultwarden.local.domain.com
  
  source
- vane@lemmy.world ⁨3⁩ ⁨days⁩ ago
  this is nginx / openresty config - upstream is just definition of server / bunch of servers if you do loadbalancing or want to configure stuff you can do
  
  stream { upstream something { server xxx:123; server yyy:321; } server { listen 666; proxy_pass something; } }
  
  docs.nginx.com/nginx/…/tcp-udp-load-balancer/
  
  I use openresty with autossl, it renews certificates automatically. The only problem is maintaining subdomain allowance otherwise bots will ddos letsencrypt that would soft ban you to create certificates for new domains / subdomains.
  
  source