Reverse Proxy for VPS VMs



  • I might need to reword the title as the discussion rolls on.

    For those of you who run Wordpress or NextCloud or similar web services on things like Vultr, do you take the time to try to configure a reverse proxy on the same VM?

    It seems like you get a bit of protection with say your Wordpress application listening on localhost:80 rather than port 80 (443) on the VM's Internet facing NIC, but I wonder if there's any actual benefit.



  • You can increase protection by setting up a Web Application Firewall.

    https://modsecurity.org/
    https://www.modsecurity.org/crs/
    https://owasp.org/www-community/Web_Application_Firewall

    Here's an example of setting up a web application firewall with Nginx and Nextcloud.
    https://riegers.in/nextcloud-with-modsecurity-3-web-application-firewall/



  • I'm running all my linux-based workloads in containers. Gives you a lot of benefits at the cost of a very small management overhead. My default config is to have workloads like NextCloud behind a Traefik or nginx reverse proxy. I can also easily chain in a snort container (or some other WAF), for example. But my main use case for a reverse proxy is certificate handling.

    As for the security aspect of a reverse proxy, well, no one will be able to directly reach your Wordpress installation., everything is terminated at the upstream proxy. But if the upstream proxy is just passing everything through, then there's no extra security. A WAF. on the other hand, can be of great help: It may inspect requests for exploits, scan data posted to your site, use externally maintained blacklists to block spammers and so on. While they are usually a PITA to configure, there are templates available for most WAFs and many popular applications, including Wordpress.



  • I like the idea of the web application firewall, and that looks like something that can setup on the same VM as what would be running Nextcloud, etc.