Reverse Proxy to an external machine Security Concerns

@TheCakeIsNaOH I have a [probably] stupid question about security.
So I got my Nextcloud instance installed on a home “server” (it is just a Rock64 running Armbian Buster) and Nginx on my Linode properly proxies to my home network. Due to my 10 Mbps upload speed it is very slow, but tbh it’s okay with me. Is there a security flaw in the data transfer between my home network and the Linode? Is there a way I can mitigate it? I have the following port forward set up on my home router:


And that greatly increases the security of my home’s port forward, but I am still worried about the data transferred between my home and the Linode proxy. Also here is my Nginx proxy configuration on my Linode:

# HTTPS Port 443 Configuration

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.linuxdragon.dev;

    location / {
        proxy_pass http://68.35.32.227:8192;
        # proxy_redirect takes "off", "default" or a redirect/replacement pair;
        # "Host off" is not a valid form.
        proxy_redirect off;
        # Pass the original Host header so Nextcloud builds links for the
        # public name rather than the upstream IP:port.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Url_Scheme $scheme;
    }

    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # SSL Configuration
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

    ssl_certificate /etc/letsencrypt/live/linuxdragon.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/linuxdragon.dev/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

# HTTP Port 80 Configuration
server {
    if ($host = cloud.linuxdragon.dev) {
        return 301 https://$host$request_uri;
    }

    server_name cloud.linuxdragon.dev;   # the terminating semicolon was missing
    listen 80;
    return 404;
}

Also the machine behind my home network is running Apache and the apache vhost is not configured for SSL at all.

Should the site be available without using the proxy?
FYI, I can hit 68.35.32.227:8192 directly; you may want to limit it to the VPS.

So I tested that out by going to http://68.35.32.227:8192 and my browser redirected to the FQDN of the Linode. The port forward is limited to the VPS IP address. It will only forward requests coming from the WAN IP address 45.79.218.96, which is the IPv4 address of my Linode.

Could it be an Nginx reverse proxy configuration that I have wrong?

So I used Nextcloud’s scan tool to scan the instance IP address directly and it came up with this: https://scan.nextcloud.com/results/3ec62244-6599-4ca4-bce1-9c2e51d2c6df

Okay, so I decided to switch the machine behind my home network over to NextcloudPi because Armbian for the Rock64 seems to be unstable. It seems to be harder to set up a proxy in front of the device with NextcloudPi now…

It is, even if you only accept connections from your Linode IP. HTTP is not encrypted, so anyone in between your Linode and Rock64 would be able to see what you are transmitting.

Two options: either set up HTTPS on the Rock64, or set up a VPN between your Linode and home network (your router or the Rock64 would work).

I personally use a WireGuard VPN to connect my home server to my VPS. That way any traffic is encrypted between the server and the VPS and I don’t have to deal with two sets of HTTPS.

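The WireGuard approach described above, as an added example (not code from the thread or from either poster): a small POSIX shell script that renders the two wg-quick peer configs and the nginx location that points proxy_pass at the tunnel address instead of the home WAN IP. The tunnel addresses 10.10.0.1/10.10.0.2, the key arguments and the VPS public IP argument are assumptions; only the 8192 upstream port comes from the thread.

```shell
# Added example, not from the thread: render WireGuard peer configs for the
# Linode (VPS) and the home Rock64, plus the nginx location that proxies over
# the tunnel instead of plain HTTP. Keys and the VPS public IP are arguments.
VPS_TUN=10.10.0.1     # tunnel address of the Linode (assumed)
HOME_TUN=10.10.0.2    # tunnel address of the Rock64 (assumed)
WG_PORT=51820         # WireGuard UDP port on the Linode
NEXTCLOUD_PORT=8192   # port Apache listens on at home (from the thread)

# VPS side: waits for the home peer; only the home tunnel IP is routed into wg0.
render_vps_conf() {  # $1 = VPS private key, $2 = home public key
    cat <<EOF
[Interface]
Address = ${VPS_TUN}/24
ListenPort = ${WG_PORT}
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = ${HOME_TUN}/32
EOF
}

# Home side: dials out, so no inbound port forward is needed; keepalive holds the
# NAT mapping. AllowedIPs is just the VPS tunnel IP, so wg0 is not a LAN route.
render_home_conf() {  # $1 = home private key, $2 = VPS public key, $3 = VPS public IP
    cat <<EOF
[Interface]
Address = ${HOME_TUN}/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3:${WG_PORT}
AllowedIPs = ${VPS_TUN}/32
PersistentKeepalive = 25
EOF
}

# Replacement for `proxy_pass http://<public ip>:8192;`: requests now ride the
# encrypted tunnel and the router port forward can be removed entirely.
render_nginx_location() {
    cat <<EOF
    location / {
        proxy_pass http://${HOME_TUN}:${NEXTCLOUD_PORT};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
EOF
}
```

Write each rendered config to /etc/wireguard/wg0.conf on its box and bring it up with `wg-quick up wg0`; Apache at home can then be bound to the tunnel address only, so nothing listens on the WAN side.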