What's more secure for a website? Reverse Proxy or VM /w R.P.?


Steace


I currently have port 443 forwarded to a reverse proxy, Swag container in my case. The Plex port is also open but that's it.

 

I'd like to know if it's more secure to have websites/containers using Unraid Docker

OR

Use a VM and set up everything on a Linux distro with everything set up like my Docker containers, which is a couple of containers proxied through Swag. I'm also using Nginx on the Swag container to host some websites.

 

  1. I don't plan on using docker inside the VM, just set up everything manually <-- I love that even if it's way longer/more complicated 🥳
  2. The distro on the VM will be secured as much as possible. 🚀
  3. Everything passes through Cloudflare for the extra layer of protection ☁️

 

I always wondered what the answer to this question was... and yes I know I'm a bit paranoid, I've been hacked too many times already.

Obviously, I'm asking for Unraid, not in general.

 

Thank you

Steace

Link to comment

шею? You mean Swag?

 

It's awesome, it's a mix of Nginx as a server, a reverse proxy with fail2ban, automatic cert renewal, etc.

Security recommendations from MDN are already configured, with some extra headers that you can easily turn on.

Lots of configs for the most popular docker containers are included too.

If you like playing with config files instead of a GUI, that one's for you.

Link to comment
On 11/4/2021 at 3:59 AM, Steace said:

I'd like to know if it's more secure to have websites/containers using Unraid Docker

OR

Use a VM and set up everything on a Linux distro with everything set up like my Docker containers, which is a couple of containers proxied through Swag. I'm also using Nginx on the Swag container to host some websites.

 

  1. I don't plan on using docker inside the VM, just set up everything manually <-- I love that even if it's way longer/more complicated 🥳
  2. The distro on the VM will be secured as much as possible. 🚀
  3. Everything passes through Cloudflare for the extra layer of protection ☁️

Are you asking whether it is more secure to expose your docker containers to the internet or use a reverse proxy in a VM?

 

There isn't really a simple answer as it comes down to how secure your containers are and how things are configured.

 

With a lot of containers not being configured for TLS, opening unnecessary ports and potentially running older web servers with unpatched vulnerabilities, I have my services set up via a proxy server (which is actually running as a docker container itself rather than a VM). The flip side of this is that there is a single point of access, so if a vulnerability was found and exploited the hackers would most likely have access to whatever is behind the proxy; that said, it is probably more likely that the proxy will get patched regularly.

 

I have my proxy server and the containers it sits in front of inside their own docker network. This in theory means that any exploit would be limited to only those services rather than exposing the whole of my network and other sensitive data / devices.

 

It is all about risk. The safest / most secure way of doing things is not to connect anything to the internet, but that isn't exactly helpful. I would always assume being hacked is a possibility (even though you should follow best practice and do things like regularly patch, don't reuse passwords, turn off things that aren't used....) and then consider what happens if you did get hacked.

 

 

Link to comment
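
The layout described in the reply above (only the proxy published to the internet, the services behind it on their own Docker network) can be checked from `docker inspect` output. This is an added example, not code from the thread: the container names, the network name and the sample data are constructed, and 443 is assumed to be the only port that should be published.

```python
import json

# Constructed sample in the shape of `docker inspect` output (trimmed to the
# fields used here); container and network names are made up for illustration.
SAMPLE = json.loads("""[
 {"Name": "/swag", "HostConfig": {"NetworkMode": "proxynet",
   "PortBindings": {"443/tcp": [{"HostIp": "", "HostPort": "443"}]}},
  "NetworkSettings": {"Networks": {"proxynet": {}}}},
 {"Name": "/wiki", "HostConfig": {"NetworkMode": "proxynet", "PortBindings": {}},
  "NetworkSettings": {"Networks": {"proxynet": {}}}},
 {"Name": "/oldapp", "HostConfig": {"NetworkMode": "proxynet",
   "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
  "NetworkSettings": {"Networks": {"proxynet": {}}}},
 {"Name": "/backup", "HostConfig": {"NetworkMode": "bridge", "PortBindings": {}},
  "NetworkSettings": {"Networks": {"bridge": {}}}}
]""")

def published_ports(c):
    """Host ports this container binds, e.g. {'443'}."""
    bindings = c["HostConfig"].get("PortBindings") or {}
    return {b["HostPort"] for binds in bindings.values() for b in (binds or []) if b.get("HostPort")}

def networks(c):
    return set((c["NetworkSettings"].get("Networks") or {}).keys())

def audit(containers, proxy="swag", allowed_ports=frozenset({"443"})):
    """Return (findings, blast_radius) for a proxy-fronted setup."""
    by_name = {c["Name"].lstrip("/"): c for c in containers}
    if proxy not in by_name:
        raise ValueError(f"proxy container {proxy!r} not found")
    findings = []
    for name, c in sorted(by_name.items()):
        ports = published_ports(c)
        extra = ports - allowed_ports if name == proxy else ports
        for port in sorted(extra):
            findings.append(f"{name}: host port {port} is published outside the proxy")
        if c["HostConfig"].get("NetworkMode") == "host":
            findings.append(f"{name}: uses host networking, no network isolation")
    proxy_nets = networks(by_name[proxy])
    blast = sorted(n for n, c in by_name.items() if n != proxy and networks(c) & proxy_nets)
    return findings, blast

if __name__ == "__main__":
    findings, blast = audit(SAMPLE)
    print("\n".join(findings) or "no findings")
    print("reachable from the proxy if it is compromised:", blast)
```

The second return value lists the containers that share a network with the proxy, which is the set the reply expects an exploit of the proxy to be limited to.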

I do almost the same as you, expose only my reverse proxy on the internet, and Plex like I said. ( I could use that reverse proxy for plex too but it's on another computer and isolated from everything else so I don't really care. They can listen to my movies if they want :D )

 

I wasn't sure for Unraid, since it uses root as the user for docker. That's probably the case for VMs too anyway. I too have those on a separate docker network. Since it's root, I doubt that it matters. I've done it just so I could use "localhost" instead of the IP for the containers linked to it :|

 

I'm probably just being paranoid. I've been running that reverse proxy with docker for at least a year, with 0 problems. I wanted it to be more secure, just in case something happens. But like you said, I could just make sure that my passwords and backups are encrypted.

 

Thanks

 
