this post was submitted on 28 Oct 2023

Hey, I've got a bunch of services all running in their own containers/VMs on Proxmox. All of these have their own IPs that are accessible from my network.

I also have a container with a reverse proxy, which acts as a gateway for access to these services (its IP is the only one allowed to go through the firewall of each service).

These services have HTTP servers, no encryption. Could someone on my network listen to comms between a service and my reverse proxy?

Would have to play around with VLANs if that's the case...

Thanks

[–] [email protected] 1 points 1 year ago (1 children)

Encryption would be a good idea between the service and the reverse proxy. I’d also look into Proxmox firewall, which is pretty robust. Here’s the link to the documentation: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_pve_firewall. Definitely worth perusing.

[–] [email protected] 1 points 1 year ago (1 children)

I've got firewall set up, services are only accessible through the reverse proxy, was more concerned about something like logging into Keycloak and having the password leaked with MitM or another attack of the sort.

[–] [email protected] 1 points 1 year ago (1 children)

Gotcha. That makes sense. My own thoughts are that if you mitigate all of the attack surfaces you can, it ends up coming down to the robustness of the particular app. I’ve never played with Keycloak, so can’t speak intelligently about that, but I’ve got authentik set up in a similar configuration. I limit access so the only way in is via either the reverse proxy or the PVE console and basically keep an ear out for security and software updates.

As I type this, it occurs to me that perhaps there’s a fail2ban integration that could be added to limit credential guessing at the Keycloak web UI.
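
An added example, not part of the comment above or of any project's code: the counting a fail2ban-style jail would do over Keycloak login-failure events, including the case this setup creates, where every request arrives via the reverse proxy and the logged address is the proxy's own. The log line layout (`type=LOGIN_ERROR`, `ipAddress=`), the proxy address and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PROXY_IP = "192.168.1.2"  # assumed address of the reverse proxy container

def _line(t, ip, ok=False):
    # Constructed sample line in the style of Keycloak's org.keycloak.events logger.
    kind = "LOGIN" if ok else "LOGIN_ERROR"
    tail = "" if ok else ", error=invalid_user_credentials"
    return (f"2023-10-28 {t},000 WARN  [org.keycloak.events] (executor-thread-1) "
            f"type={kind}, realmId=home, clientId=account, ipAddress={ip}{tail}")

SAMPLE_LOG = "\n".join([
    _line("10:00:01", "192.168.1.50"), _line("10:00:09", "192.168.1.50"),
    _line("10:00:15", "192.168.1.50"),            # 3 failures in 14 s
    _line("10:01:00", "192.168.1.77"), _line("10:02:00", "192.168.1.77"),
    _line("10:03:00", "192.168.1.77", ok=True),   # successful login, ignored
    _line("10:05:00", PROXY_IP), _line("10:05:02", PROXY_IP),
    _line("10:05:04", PROXY_IP),                  # client address hidden by the proxy
    _line("10:40:00", "192.168.1.77"),            # third failure, outside the window
])

FAIL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*type=LOGIN_ERROR,.*?ipAddress=([0-9A-Fa-f.:]+)")

def find_offenders(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return IPs with at least max_failures failed logins inside one window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    offenders = set()
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            offenders.add(m.group(2))
    return offenders

def classify(log_text, proxy_ip=PROXY_IP):
    """Split offenders into bannable clients and the proxy-masking case."""
    offenders = find_offenders(log_text)
    return {"ban": sorted(offenders - {proxy_ip}),
            "proxy_masked": proxy_ip in offenders}
```

When `proxy_masked` is true, the application is recording the proxy's address instead of the client's, so banning on it would cut off every user; the real client address has to be forwarded by the proxy and trusted by the application before per-IP banning is meaningful.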

[–] [email protected] 1 points 1 year ago

I've got 2FA set up and required, so I'm not too worried about brute force attacks.