Comment on Safely exposing services to the Internet
dieTasse@feddit.org 2 days ago
- I would recommend a VPS for publicly facing services. You simply don’t want to open your home network; one mistake is enough: old router software, one small misunderstanding or a bit of bad luck. If someone gets into your VPS, few services will be hurt; if someone gets into your home network, it’s game over.
- There is a nice little app called immich proxy. I haven’t tried it myself yet (but I plan to), but basically, if you want to just share some albums or photos, you can make the proxy accessible publicly while your Immich stays safe.
Australis13@fedia.io 1 day ago
Thanks, didn't know about Immich proxy. Sounds useful.
On the VPS point - beyond protection against DoS, I assume the main benefits only arise if you host the services on it? My understanding is that, if I open a port and forward it to nginx, then the largest attack surface would be nginx itself and the services it is acting as a reverse proxy for (e.g. Vikunja). nginx is well-established and I think most of the risk is from the plugins rather than from vulnerabilities in nginx itself, which leaves Vikunja and any other services I'd want to expose as the main attack surface. If I'm using a VPS as a gateway (e.g. hosting nginx there and still keeping Vikunja and Immich within my LAN), then that doesn't seem like it's much of a risk reduction. What am I missing?
Yes, the best option is to deploy your services on it. That Nginx is well established doesn’t mean it’s secure. A) Popular software is a preferred target for hackers and B) nothing is safe, especially now, when LLMs are getting good at finding holes in software.