Comment on Safely exposing services to the Internet
Australis13@fedia.io 1 day agoThanks, didn't know about Immich proxy. Sounds useful.
On the VPS point - beyond protection against DoS, I assume the main benefits only arise if you host the services on it? My understanding is that, if I open a port and forward it to nginx, then the largest attack surface would be nginx itself and the services it is acting as a reverse proxy for (e.g. Vikunja). nginx is well-established and I think most of the risk is from the plugins rather than nginx vulnerabilities itself, which leaves Vikunja and any other services I'd want to expose as the main attack surface. If I'm using a VPS as a gateway (e.g. hosting nginx there and still keeping Vikunja and Immich within my LAN), then that doesn't seem like it's much of a risk reduction. What am I missing?
Yes, the best option is to deploy your services on it. That Nginx is well established doesn’t mean its secure. A) popular software is preferred target for hackers and B) Nothing is safe, especially now, when LLMs are getting good at finding holes in software.