
How useful is a reverse proxy?

I was looking around for how to improve my security so I can host my servers better and I keep getting told about reverse proxies. However, from my research, I can't figure out how it's any better than a forwarded port behind a domain name and on a device with a firewall blocking all other ports.

 

Can anyone explain the benefits? Or point me in a direction to safely host server status web pages and/or the servers themselves?

(Yes I know it is inherently less secure running it yourself, but it is more fun than just buying a server host)

Link to comment

the idea is that you don't have to give out your real IP, so if something gets attacked they attack the proxy instead of you.

 

my personal rule of thumb is that once you host for more than just friends, it belongs in a datacenter.

 

but depending on your plans, you could just rent a small vps that does a webserver and a reverse proxy for the rest.

 

and yes - a reverse proxy is essentially just a system accepting traffic on a given port, and just forwarding it to the 'real' host.

Link to comment

Extremely useful. It's much better that my proxy server crashes in case of attacks than the app itself. I can also host multiple websites on 80/443 thanks to a reverse proxy. You can also deal with certificates MUCH more easily if you just deal with installing certificates on your reverse proxy server.


Link to comment

7 minutes ago, manikyath said:

the idea is that you don't have to give out your real IP, so if something gets attacked they attack the proxy instead of you.

 

my personal rule of thumb is that once you host for more than just friends, it belongs in a datacenter.

 

but depending on your plans, you could just rent a small vps that does a webserver and a reverse proxy for the rest.

 

and yes - a reverse proxy is essentially just a system accepting traffic on a given port, and just forwarding it to the 'real' host.

Yeah, I have a website that I'm working on, and it's currently being hosted on a free learning plan. Once I get anything done on it, I will be using a datacenter. I'm just not really up for the idea of hosting any big websites off my network. But my Minecraft servers and other game servers should probably be fine, they are also not very popular, that helps lol

 

So in theory, I only have to port forward the port for the reverse proxy, not the others? And it obscures the services running, making it a little more secure. And since I already have my real IP behind a domain it won't help in that case?

Link to comment

12 minutes ago, jsnotlout1 said:

Yeah, I have a website that I'm working on, and it's currently being hosted on a free learning plan. Once I get anything done on it, I will be using a datacenter. I'm just not really up for the idea of hosting any big websites off my network. But my Minecraft servers and other game servers should probably be fine, they are also not very popular, that helps lol

 

So in theory, I only have to port forward the port for the reverse proxy, not the others? And it obscures the services running, making it a little more secure. And since I already have my real IP behind a domain it won't help in that case?

I find reverse proxies great as you can do something like web1.domain.com and web2.domain.com and have them link to different web servers. Great for running many different services on different servers. 

 

It should help security as the public internet can never access the actual webservers, but only your proxy. This should make a lot of attacks that rely on talking to a web server directly much harder.

Link to comment

43 minutes ago, jsnotlout1 said:

Can anyone explain the benefits?

Use case — you serve multiple domains, each on dedicated VM, but external IP is 1 — you define vhosts with Reverse Proxy entry.

Link to comment

6 minutes ago, ieleja said:

Use case — you serve multiple domains, each on dedicated VM, but external IP is 1 — you define vhosts with Reverse Proxy entry.

In theory, couldn't I use ports and one domain to this effect?

Link to comment

There may be more than one solution, as usual...

Link to comment

5 hours ago, jsnotlout1 said:

In theory, couldn't I use ports and one domain to this effect?

Sure... but why would you do this?

 

You'd then have to explain to your users why they need to use https://domain.com  and https://domain.com:444 rather than simply https://domain.com  and https://sub.domain.com.

 

There's no good reason not to use a reverse proxy with virtual hosts for that use case.

 

Plus you know there's one endpoint every request has to go through. So you don't have to worry as much about potential shoddy HTTPS implementation (or lack thereof) in the services running behind the proxy.

Link to comment

1 hour ago, Eigenvektor said:

Sure... but why would you do this?

 

You'd then have to explain to your users why they need to use https://domain.com  and https://domain.com:444 rather than simply https://domain.com  and https://sub.domain.com.

 

There's no good reason not to use a reverse proxy with virtual hosts for that use case.

 

Plus you know there's one endpoint every request has to go through. So you don't have to worry as much about potential shoddy HTTPS implementation (or lack thereof) in the services running behind the proxy.

Also with a reverse proxy you can limit connection rates as well as what IP addresses. 

I use mine to VPN through on port 443 and my websites can only be accessed through Cloudflare. 

Link to comment

5 hours ago, m9x3mos said:

Also with a reverse proxy you can limit connection rates as well as what IP addresses. 

I use mine to VPN through on port 443 and my websites can only be accessed through Cloudflare. 

Ah, so I can allow my family members' IPs to connect to my Jellyfin server, but not even let anyone else see the login UI.

Link to comment

8 hours ago, Eigenvektor said:

Sure... but why would you do this?

 

You'd then have to explain to your users why they need to use https://domain.com  and https://domain.com:444 rather than simply https://domain.com  and https://sub.domain.com.

 

There's no good reason not to use a reverse proxy with virtual hosts for that use case.

 

Plus you know there's one endpoint every request has to go through. So you don't have to worry as much about potential shoddy HTTPS implementation (or lack thereof) in the services running behind the proxy.

Will I need multiple domain names?

Link to comment

5 hours ago, jsnotlout1 said:

Ah, so I can allow my family members' IPs to connect to my Jellyfin server, but not even let anyone else see the login UI.

Correct. I use haproxy on mine and it will check requests against a text file with allowed IPs and only let them through if they match, and if not it appears like nothing is there. 

I used to use nginx but switched to haproxy since it can handle TCP streams, not just HTTP.

Link to comment
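
An HAProxy configuration combining what the posts above describe: subdomain routing behind one IP, an allowlist file guarding one service, connection rate limiting, and raw TCP passthrough for a game server. This is an added example, not any poster's actual configuration; the hostnames, backend addresses, ports, file paths and rate threshold are assumptions.

```haproxy
# Added example. Hostnames, addresses, paths and thresholds are assumptions.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# HTTPS services: TLS terminates here and routing is by Host header.
frontend https_in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/
    # Track per-source connection rate and refuse sources that exceed it.
    stick-table type ip size 100k expire 30s store conn_rate(10s)
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_conn_rate gt 50 }

    # Allowlist file: one IP or CIDR per line (e.g. 203.0.113.7, 198.51.100.0/24).
    acl allowed_src   src -f /etc/haproxy/allowed_ips.lst
    acl host_jellyfin hdr(host) -i jellyfin.example.com
    acl host_cloud    hdr(host) -i nextcloud.example.com

    # Sources not on the list get no HTTP response for the restricted host.
    http-request silent-drop if host_jellyfin !allowed_src

    use_backend jellyfin  if host_jellyfin
    use_backend nextcloud if host_cloud
    default_backend website

backend website
    mode http
    server web1 192.168.1.10:8080 check

backend jellyfin
    mode http
    server jf1 192.168.1.11:8096 check

backend nextcloud
    mode http
    server nc1 192.168.1.12:8080 check

# Raw TCP passthrough (no HTTP parsing), e.g. a Minecraft server.
listen minecraft
    mode tcp
    bind :25565
    server mc1 192.168.1.20:25565 check
```

`haproxy -c -f /etc/haproxy/haproxy.cfg` checks the file before a reload. Because `silent-drop` runs after the TLS handshake, a port scan still shows 443 open; only the restricted hostname goes unanswered.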

4 hours ago, jsnotlout1 said:

Will I need multiple domain names?

No, both ways you only need one domain. 

Without a reverse proxy you need to specify different ports, which can be confusing for end users, and some services might not like using non-standard ports. 

With a reverse proxy you can have all services using the standard ports and the subdomain specifying the different services. 

I.e. domain.com for a basic website

Then nextcloud.domain.com for an installation of Nextcloud. 

Link to comment

7 hours ago, jsnotlout1 said:

Will I need multiple domain names?

A single domain with a wildcard DNS record is enough. That means example.com and *.example.com need to resolve to your server's IP address. Then you can configure as many subdomains on your reverse proxy as you want. But you could also use multiple domains, if needed.

 

E.g. I have two domains, both with wildcard DNS records. I can connect to my web server through domain1.com and domain2.com. I have multiple web services and also an email service that I can reach through mail.domain1.com and <other>.domain1.com, mail.domain2.com, <other>.domain2.com and so on.

Link to comment

17 hours ago, m9x3mos said:

Correct. I use haproxy on mine and it will check requests against a text file with allowed IPs and only let them through if they match, and if not it appears like nothing is there. 

I used to use nginx but switched to haproxy since it can handle TCP streams, not just HTTP.

Wait, it supports TCP streams???? OK, I'm using that instead so my Minecraft servers can run through the proxy

Link to comment

14 hours ago, Eigenvektor said:

A single domain with a wildcard DNS record is enough. That means example.com and *.example.com need to resolve to your server's IP address. Then you can configure as many subdomains on your reverse proxy as you want. But you could also use multiple domains, if needed.

 

E.g. I have two domains, both with wildcard DNS records. I can connect to my web server through domain1.com and domain2.com. I have multiple web services and also an email service that I can reach through mail.domain1.com and <other>.domain1.com, mail.domain2.com, <other>.domain2.com and so on.

I think I'll buy a domain. That seems super useful and my free one is already a subdomain so it limits me to one service unless you specify the port

Link to comment

6 hours ago, jsnotlout1 said:

I think I'll buy a domain. That seems super useful and my free one is already a subdomain so it limits me to one service unless you specify the port

Does your free domain support CNAME records? If so, you could just add another subdomain.

Link to comment

8 minutes ago, Marvin_The_Robot said:

Does your free domain support CNAME records? If so, you could just add another subdomain.

I don't think so, it's No-IP, and it appears that I only have creepervillage3.ddns.net. Which I thought was already a CNAME

Link to comment

8 hours ago, jsnotlout1 said:

Wait, it supports TCP streams???? OK, I'm using that instead so my Minecraft servers can run through the proxy

Oh yeah, it works great for me. When I am at any of the health care places here I can only VPN home on 443. With haproxy I route the VPN traffic over 443 then to the server. No problems with it ever since I did it. 

Link to comment

1 hour ago, jsnotlout1 said:

I don't think so, it's No-IP, and it appears that I only have creepervillage3.ddns.net. Which I thought was already a CNAME

Not sure how that would work. I just bought mine through Cloudflare and turned off their proxy stuff. You can get a domain from them for as low as 6 USD per year, which includes privacy on the registration and SSL.

Link to comment