Specifically from the standpoint of protecting against common and not-so-common exploits.

I understand the concept of a reverse proxy and how works on the surface level, but do any of the common recommendations (npm, caddy, traefik) actually do anything worthwhile to protect against exploit probes and/or active attacks?

Npm has a “block common exploits” option but I can’t find anything about what that actually does, caddy has a module to add crowdsec support which looks like it could be promising but I haven’t wrapped my head around it yet, and traefik looks like a massive pain to get going in the first place!

Meanwhile Bunkerweb actually looks like it’s been built with robust protections out of the box, but seems like it’s just as complicated as traefik to setup, and DNS based Let’s Encrypt requires a pro subscription so that’s a no-go for me anyway.

Would love to hear people’s thoughts on the matter and what you’re doing to adequately secure your setup.

Edit: Thanks for all of your informative replies, everyone. I read them all and replied to as many as I could! In the end I’ve managed to get npm working with crowdsec, and once I get cloudflare to include the source IP with the requests I think I’ll be happy enough with that solution.

  • @[email protected]
    link
    fedilink
    English
    17
    edit-2
    7 months ago

    LE certs can always be “side loaded” by acme.sh or LEbot or whatever, and the reverse proxy restarted to use the new certs. So, the whole “pro subscription to use specific certs” shouldn’t be a factor, except a little more work/config (so, money Vs time).

    Now for my opinion…

    For base security, all it’s doing is looking at whatever you tell it to look at in an http request and forward/drop/block as such.
    HAProxy is well battle-tested. Nginx is well battle-tested. Traefik and caddy are comparably newer contenders, but considering their adoption they are probably well battle-tested.
    Which means, an established reverse proxy is only going to be as secure as the software it’s forwarding traffic to.

    If there happens to be some mental TLS handshake RCE that comes up, chances are they are all using the same underlying TLS library so all will be susceptible…
    But at least an attacker only gets access to the reverse proxy server. Which is why it’s worth having that in a locked down isolated VM, ideally built in a way that is extremely easy to rebuild (declarative configs like docker-compose and some scripts, or even something like nixos for an immutable OS).

    As for add-ons… Most WAFs only look for things like XSS injection or SQL injection or exploitative HTTP request formats. Very very basic attack vectors that any decent HTTP stack and reasonably built software shouldn’t have to even worry.
    Any DDOS protection is more likely to blast your network connectivity, which (for self hosting) a WAF isn’t going to be able to do anything about.
    I’m not sure how good they actually are against a DOS attack that is caused by bugs/inefficiencies in the application. Maybe they monitor for long/increasing response times, and block further requests to them? Might cause a lot of false-positives for your users.

    So, the only real benefit - that I see - are zero-day exploit protections… and that only matters if they are built around near-realtime updates like crowdsec is. I don’t know how it compares to cloudflares WAF, tho.
    Any zero-day protection that isn’t being managed and updated in near-realtime is about as effective as you monitoring news of your installed services/programmes and updating them regularly. Because you are likely to update your WAF and apps when you hear about those, or regular scheduled updates will deal with them before you even learn about them.

    I guess there is security in layers, and if layers of security is more important than CPU consumption/response time/requests per second (ie have an abundance of processing, servicing few users, etc) then it might be a no-brainer.

    The only other time I can see a generic WAF being useful is if you have rolled your own framework and HTTP stack, and are running your own software. Because, you won’t get that right… So might as well have the extra protection of a WAF.

    Or, I guess, with really old unsupported software.
    But surely there is a newer take or fork of it?

    There is also the “am I worth it” factor.
    Like, what is your actual threat model?
    Defend against the usual script-based attacks (IE low hanging fruit), only expose/forward ports that are actually required, use some sensible security that isolates more vulnerable systems (IE a proxy) from more sensitive (ie a database or storage), and update regularly on stable/lts branches.

    Edit:
    I just googled bunkerweb.
    First we had firewalls. Then we got web application firewalls. Along came next generation firewalls. Now we have Next Generation Web Application Firewalls with paid features like “Pay per protected services” and “Best effort support included”

    Maybe I’m just salty

    • @[email protected]
      link
      fedilink
      English
      3
      edit-2
      7 months ago

      That got a bit long.
      Reading more into bunkerweb.

      Things like the “limit” feature are going to doink people on cgnat or large corporate networks. I’ve had security stuff tripped by a company using my software, and it’s a PITA cause all the requests from legit users come from only a few IP addresses.

      Antibot isn’t going to be helpful for things like JS requests, because cookies aren’t included by default with fetch requests - so the application needs to be specifically built for this (at which point, do it at an application level so it can scale easier?).
      And captcha. For whatever that is worth these days.

      Reverse Scan is going to slow down every request (as it scans the remote client for suspicious open ports, so a 500ms delay as default).

      Country is just geo-ip.

      Bad Behaviour is just rate limiting (although with a 24h ban). Sucks if a few corporate/cgnat users all hit a 404 and suddenly that entire company/ISP’s IP is blocked for a day.

      This seems like something to use when running a TOR server or something, where security is more important than user experience. Like, every feature seems to punish legit users

    • Perhyte
      link
      English
      27 months ago

      If there happens to be some mental TLS handshake RCE that comes up, chances are they are all using the same underlying TLS library so all will be susceptible…

      Among common reverse proxies, I know of at least two underlying TLS stacks being used:

      • Nginx uses OpenSSL.
        • This is probably the one you thought everyone was using, as it’s essentially considered to be the “default” TLS stack.
      • Caddy uses crypto/tls from the Go standard library (which has its own implementation, it’s not just a wrapper around OpenSSL).
        • This is in all likelihood also the case for Traefik (and any other Go-based reverse proxies), though I did not check.
    • @[email protected]OP
      link
      fedilink
      English
      17 months ago

      Very useful insights, thanks.

      I do currently have external stuff running via a Cloudflare tunnel (which is why I need DNS based LE certs for the internal proxy) but I don’t know if it’s setup correctly (beyond doing basic reverse proxying) and the admin backend for it feels like massive overkill for a home setup. Plus with Immich I run into the issue of a) dire warnings about it being in active dev and potentially insecure and b) filesize limits making away-from-home backups difficult.

      I could well be over thinking the whole thing.