May not add security in and of itself, but it certainly adds the ability to have a little extra security. Put your reverse proxy in a DMZ, with a firewall and only certain ports exposed to your origins. Install a single wildcard cert and easily cover any subdomains you set up. There’s nginx configuration files out there that will block URL’s based on regex pattern matches for suspicious strings. All of this (probably a lot more I’m missing) adds some level of layered security.
atzanteol@sh.itjust.works 4 months ago
So what? I can still access your application through the rproxy. You’re not protecting the application by doing that.
This is a way to do it but not a necessary way to do it. The rproxy has not improved security here. It’s just convenient to have a single SSL endpoint.
If you do that, sure. But that’s not the advice given in this forum is it? It’s “install an rproxy!” as though that alone has done anything useful.
For the most part people in this form seem to think that “direct access to my server” is unsafe but if you simply put a second hop in the chain that now you can sleep easily at night.
The web browser doesn’t care if the application is behind one, two or three rproxies. If I can still get to your application and guess your password or exploit a known vulnerability in your application then it’s game over.
zingo@lemmy.ca 4 months ago
Right!?
Your castle can have many walls of protection but if you leave the doors/ports open, people/traffic just passes through.
Auli@lemmy.ca 4 months ago
So I’ve always wondered this. How does a cloudflare tunnel offer protection from the same thing.
atzanteol@sh.itjust.works 4 months ago
They may offer some sort of WAF (web application firewall) that inspects traffic for potentially malicious intent. Things like SQL injection. That’s more than just a proxy though.
Otherwise, they really don’t.