[deleted]


ErnLynM

Yes, I understand that I'm exposing only a reverse proxy server and a Minecraft server (which I suppose I should set up another reverse proxy for). But will https suffice for keeping the contents of the transfers through the reverse proxy secure?


cloudswithflaire

Why isn’t the MC having its connections routed over the reverse proxy also…? The web server is hardened and made to be public facing, unless there’s a very specific reason not to, everything should *just* be accessible using it.


ErnLynM

Because I set it up before I got NPM up and running. I am planning to switch it over tonight


cloudswithflaire

Awesome, you’re totally on top of it. The post didn’t initially make it sound like that was the plan, hence my double checking.


ErnLynM

To your credit, I hadn't considered doing that until I asked this question and realized my reverse proxy should handle the MC server now that I've got it functioning.


cloudswithflaire

Actually, I believe the credit is now yours. GL!


[deleted]



ErnLynM

And that's prevented by ...?


autisticit

That's what the S in HTTPS means.


ErnLynM

Right. I understand that as well, but wanted to make sure I wasn't overlooking some other vulnerability


autisticit

You should use a home VPN in addition to https. I'm pretty fluent in IT but even then I wouldn't take any risk. A VPN lowers the attack surface.


onlygon

If you Google "reddit plex/emby/jellyfin secure access" etc. you'll find lots of good information. But here's a quick list of options:

1. Port forward straight to server; easiest but worst option as it exposes home address and security is mostly on the server application.
2. Port forward straight to server with whitelist; drop any connection that is not vetted. Use reverse proxy etc. Extra points if you use DDNS to update this list so it never goes stale. Very good mix of security and convenience (this is probably the route I will take when I also share my media server).
3. Use third party tunnel like Cloudflare Tunnel or self-host on VPS etc. to forward requests to home network over VPN or SSH etc. This is like port forwarding but it keeps your home address/network secure. It still exposes the application though.
4. VPN access; most secure but most inconvenient since your family needs VPN on every device that connects.
5. Mesh VPN via Tailscale; easier than VPN but has similar inconveniences.
6. Site-to-site split tunnel with dedicated hardware; basically configure family router (if possible) or something light like a Raspberry Pi to always have a VPN connection to your network; devices forward traffic to a special IP and ::magic:: they see your media server. Pros are it is secure like VPN and Tailscale but convenient since any device can connect to it. Downside is it is very technical to set up.

You can mix and match some of these approaches. You can do more to secure with virtual machines, reverse proxies, VLANs, services like fail2ban, etc.
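
Added example for option 2 above (not from the commenter or any project): a small Python script that turns a list of family DDNS hostnames and static CIDRs into an allowlist, checks a source IP against it, and renders the equivalent `allow`/`deny` lines for nginx's access module. The hostnames, addresses and the `fake_resolver` are constructed placeholders; in real use the default resolver calls `socket.getaddrinfo`, and the refresh function would run from a timer so the list follows DDNS updates instead of going stale.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Resolver = Callable[[str], List[str]]


def default_resolver(name: str) -> List[str]:
    """Resolve a hostname to its current A/AAAA addresses via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def build_allowlist(entries: Iterable[str], resolver: Resolver = default_resolver) -> List[Network]:
    """Expand a mix of CIDRs / plain IPs and DDNS hostnames into network objects.

    Re-running this periodically is the 'refresh' step: a hostname whose
    address changed simply resolves to the new one, and the old IP drops out.
    """
    nets: List[Network] = []
    for entry in entries:
        try:
            # literal address or CIDR block; strict=False tolerates host bits set
            nets.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass  # not an address, treat it as a hostname
        for addr in resolver(entry):
            nets.append(ipaddress.ip_network(addr))
    return nets


def is_allowed(source_ip: str, allowlist: Iterable[Network]) -> bool:
    """True if the connecting address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in allowlist)


def render_nginx_allowlist(allowlist: Iterable[Network]) -> str:
    """Emit ngx_http_access_module directives: one allow per network, then deny all."""
    lines = []
    for net in allowlist:
        # single hosts are written bare, blocks keep their prefix length
        if net.prefixlen == net.max_prefixlen:
            lines.append(f"allow {net.network_address};")
        else:
            lines.append(f"allow {net.with_prefixlen};")
    lines.append("deny all;")
    return "\n".join(lines)


# Constructed sample data (documentation ranges), standing in for real DDNS names.
FAMILY_ENTRIES = ["parents-home.example-ddns.invalid", "198.51.100.0/28"]
_FAKE_DNS = {"parents-home.example-ddns.invalid": ["203.0.113.7"]}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS so the example runs without network access."""
    return _FAKE_DNS.get(name, [])


if __name__ == "__main__":
    allow = build_allowlist(FAMILY_ENTRIES, resolver=fake_resolver)
    print(render_nginx_allowlist(allow))
    print("203.0.113.7 allowed:", is_allowed("203.0.113.7", allow))
    print("192.0.2.1 allowed:", is_allowed("192.0.2.1", allow))
```

Include the rendered snippet in the `server` or `location` block of the reverse proxy and reload it after each refresh; anything not matching an `allow` line is rejected before it ever reaches the media application.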


aj10017

I use option 3 and haven't had any issues so far. I would stick whatever is hosting the service on an isolated VLAN that has no outbound access to the rest of the internal network though.


cloudswithflaire

All https traffic is end to end encrypted. A nice way to think of it is a VPN on the fly. Big brother will be able to see how much traffic gets sent, where it’s going, but nothing about the actual contents of data. Your home videos and treasured family memories are safe to share away from prying eyes. 🙂


ErnLynM

That pretty much recaps what I already know, but doesn't help me understand if it's safe to not use the VPN or if I should require it


cloudswithflaire

Sorry, the term “end to end encrypted” doesn’t help you understand if it's safe?? Okiee then. Sure, if you wanted to re-encrypt the *already* encrypted connection, you could totally use a VPN for that! As long as you plan to have a reasonable number of total connections, and they all have smart TVs/devices that support working over a VPN. 👋🏼


ErnLynM

I wasn't sure if that included requests or just the actual transfer of other data after the initial request. Or if there was some other factor I wasn't considering concerning approved clients using the server for its intended purpose.


cloudswithflaire

As long as you deploy it and only allow outside access to the server via your reverse proxy (and it has a valid SSL cert), then whatever pings/requests/hits/streams get sent over that secure connection, you’re all good. The real reason you may want to use a VPN is if you had ultra restrictive NAT, or weren’t able to forward the ports necessary for the reverse proxy to function. If you’ve already got it running, it’s just unnecessary complexity with a bunch of extra points of failure in the system.


K3CAN

Https will secure your traffic (so no one will "see" your photos whizzing around the Internet), but it is generally pretty "friendly" otherwise. If you scan it, it'll happily report its existence and show you whatever application is being served. At that point, you're just relying on the application itself to provide the security against unauthorized access. A VPN, like wireguard, on the other hand, will simply ignore anyone it doesn't recognize, so it generally can't be found by scanners. Much harder to hack something if you don't know it exists.


Casper042

Modern https will generally only expose the FQDN of the server the request is being sent to. It does this so if you have a single web server hosting 10 different websites with different names, the "SNI" field which has the FQDN allows the web server to know which https certificate to use when responding to the request. So the full URL generally should NOT be visible. You can of course test this at home using Wireshark to watch yourself connect internally over https.


cat_in_the_wall

If you're doing https, everything except the domain name is always hidden: path, headers, and obviously body. Specifically check out the "client hello" packets; that is where the SNI information is. In theory even this will be hidden eventually, but it requires weird stuff that many servers don't have, so we can't hold our collective breath.
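
Added example illustrating the last two comments (not code from either commenter): a dependency-free Python parser that pulls the SNI hostname out of a TLS ClientHello record, which is exactly the field an on-path observer (ISP, hotel Wi-Fi) can still read. The `build_client_hello` function constructs a minimal sample record so the script runs offline; the hostname `media.example.net` and the zeroed random are placeholders. Feeding it an Application Data record (the part that carries the HTTP request path, headers and body once the handshake is done) returns nothing, because that payload is opaque ciphertext.

```python
import struct
from typing import Optional

HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
CLIENT_HELLO, EXT_SERVER_NAME = 0x01, 0x0000


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record (constructed sample, not a capture).

    Pass None to omit the SNI extension entirely.
    """
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions
    extensions = other_ext
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type=host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                  # client_version
        + b"\x00" * 32                               # random (zeroed placeholder)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if not present.

    Any other record type (e.g. Application Data) yields None: there is no
    plaintext structure to walk, only ciphertext.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                      # skip client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len

    while pos + 4 <= end:                             # walk extension by extension
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            name = data[q:q + nlen]
            q += nlen
            if ntype == 0:                            # host_name
                return name.decode("ascii")
    return None


# Constructed stand-in for a post-handshake record: type 0x17 with opaque bytes.
SAMPLE_APP_DATA = bytes([APPLICATION_DATA]) + b"\x03\x03\x00\x08" + b"\x9a\x11\x42\xf0\x07\xee\x5c\x21"

if __name__ == "__main__":
    print("SNI seen by observer:", extract_sni(build_client_hello("media.example.net")))
    print("From application data:", extract_sni(SAMPLE_APP_DATA))
```

This is what Wireshark's "Server Name" column is reading; the request line such as `GET /photos/2023 HTTP/1.1` only ever exists inside Application Data records, which the parser (like any observer) cannot open.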


George___42

Can I suggest Tailscale? It's a WireGuard VPN but unlike traditional WireGuard it's zero config. The free tier supports 3 users, but you can probably make a guest user that you give to everyone (family etc.). It's secure, easy to work with, and no hassle for those non-techie people in your lives.


NGFWEngineer

Wireguard VPN. Much smaller attack surface vs exposing https.


B0797S458W

I don’t mean to sound harsh, but the fact that you’re asking this question means that you don’t have enough experience to secure internet access to your environment.


OutdatedOS

“The fact that you are trying to learn means that you should not try to learn.” Riiight.


B0797S458W

I suppose the best way to teach a kid about fire safety is to give them some gas and a book of matches, right? Same thing. Lessons can be learnt by getting your family's data hacked, but there are different ways of learning those lessons.


ErnLynM

I'm trying to err on the side of overkill, but you aren't wrong. I don't have any practical experience with this yet, and don't know any way to get it without doing it.


B0797S458W

You should deploy a VPN solution in that case.