Reverse Proxy to an external machine Security Concerns

@TheCakeIsNaOH I have a [probably] stupid question about security.
So I got my Nextcloud instance installed on a home “server” (it is just a Rock64 running Armbian Buster) and Nginx on my Linode properly proxies to my home network. Due to my 10mbps upload speed it is very slow, but tbh it’s okay with me. Is it a security flaw during the data transfer between my home network and the Linode? Is there a way I can mitigate this? I have the following port forward set up on my home router:

And that greatly increases the security of my home’s port forward, but I am still worried about the data transferred between my home and the Linode proxy. Also here is my Nginx proxy configuration on my Linode:

#HTTPS Port 443 Configuration

server {
	listen 443		ssl http2;
	listen [::]:443		ssl http2;
        location / {
            proxy_pass		          ;
            proxy_redirect Host                     off;
            proxy_set_header X-Real-IP              $remote_addr;
            proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto      $scheme;
            proxy_set_header X-Forwarded-Protocol   $scheme;
            proxy_set_header X-Url_Scheme           $scheme;

        location /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;

        location /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;

	# SSL Configuration
	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

	ssl_certificate /etc/letsencrypt/live/;
	ssl_certificate_key /etc/letsencrypt/live/;
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;


# HTTP Port 80 Configuration
server {
	if ($host = {
		return 301 https://$host$request_uri;

	listen 80;
	return 404;

Also the machine behind my home network is running Apache and the apache vhost is not configured for SSL at all.

Should the site be available without using the proxy?
fyi can hit directly may want to limit to the vps.

So I tested that out by going to and my browser redirected to the FQDN of the Linode. The port forward is limited to the VPS IP address. It will only forward requests coming from WAN IP address, which is the IPv4 address of my Linode.

Could it be an Nginx reverse proxy configuration that I have wrong?

So I used Nextcloud’s scan tool to scan the instance IP address directly and it came up with this:

Okay, so I decided to switch the machine behind my home network over to NextcloudPi because Armbian for the Rock64 seems to be unstable. It seems to be harder to set up a proxy in front of the device with NextcloudPi now…

It is, even if you only accept connections from your linode IP. HTTP is not encrypted, so anyone in between your linode and rock64 would be able to see what you are tranmitting.

Two options. Either setup https on the rockpi, or setup a VPN between your Linode and home network (your router or the rock64 would work).

I personally use wireguard VPN to connect my home server to my VPS. That way any traffic is encrypted between the server and the VPS and I don’t have to deal with two sets of https.

1 Like