
Security question - https via Argo tunnel and Reverse proxy to http Docker WebUI


ph_


Hi,

I am fairly new to Unraid; so far it is overall going OK. As I am generally concerned about security, I have tried to follow the general forum guidelines as much as I could: strong passwords, using Bitwarden, restricted access to shares, to name a few. I still have an additional question, though, regarding my setup and exposing services to the internet.

I have set up a few dockers, e.g. Nextcloud, Airsonic, etc., which I expose to the internet via subdomains. Each page/service is secured with a strong password. I prefer this, at least for Nextcloud, over a VPN solution like WireGuard, as I can share links to data directly from my server with others once in a while.

As my provider apparently blocks ports 443/80 for connections to my server from outside, I set up an Argo Tunnel via the cloudflared docker to allow for connections. My real WAN IP does not get exposed; requests to my sites are handled directly by Cloudflare, which should also provide some protection from DDoS attacks. This also means I do not have to open any ports on my router, except for the WireGuard one. The requests then go from cloudflared to my reverse proxy. I decided on Nginx Proxy Manager as it would work out of the box with my Cloudflare certificate (I had trouble getting the self-certificate requested by SWAG to be accepted by cloudflared and ran out of weekly certificate requests in the process; I learned about the existence of testing certificates by making that mistake). The connection from the Cloudflare server via the Argo Tunnel to the reverse proxy should be secure via the certificate/HTTPS.

My question, though, is the following: some of the actual proxy hosts are connected via HTTP to the reverse proxy, e.g. Piwigo to Nginx. Does this still qualify as secure, as this connection is already "within the server"? Or does this break "a secure HTTPS chain" and create a vulnerability? The domains all start with https://...

Feedback or some good links for reading would be much appreciated; happy to provide more info if necessary.

PS: Going forward, it might be good to expose directly via the domain only those dockers which need to be accessed by others than me, for one-off cases in which it would be a hassle to make them download WireGuard and set it up.

Many thanks.
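The security-relevant point in the setup described above is not the scheme of the last hop but where that plain-HTTP hop is reachable from. The following docker-compose file is an added illustration of the topology (it is not the original poster's configuration and not part of the Unraid forum thread): the tunnel, the reverse proxy and the application containers sit on Docker bridge networks so that the unencrypted proxy-to-application traffic only exists on an internal bridge, and the application never publishes a port to the host. Image names, container names, the `edge`/`backend` network names and the environment variables are assumptions for the example; the tunnel token and the Piwigo image tag are placeholders.

```yaml
# docker-compose.yml (added example; assumed names and images, not the poster's config)
networks:
  edge:
    # cloudflared <-> reverse proxy only
  backend:
    # reverse proxy <-> application containers only
    internal: true      # no gateway: containers here cannot reach the LAN or the internet

services:
  cloudflared:
    image: cloudflare/cloudflared:latest          # assumption: official image
    command: tunnel --no-autoupdate run
    environment:
      # assumption: token-based tunnel; the tunnel's origin is configured on the
      # Cloudflare side as https://npm:443 (the NPM container name on "edge")
      - TUNNEL_TOKEN=${TUNNEL_TOKEN}
    networks: [edge]
    # No "ports:" block. The tunnel is an outbound connection from this container;
    # nothing listens on the host, which is why the ISP port block does not matter.

  npm:
    image: jc21/nginx-proxy-manager:latest        # assumption: NPM image name
    networks: [edge, backend]
    ports:
      - "127.0.0.1:81:81"   # admin UI on loopback only; unreachable from LAN and WAN
    # 80/443 are deliberately NOT published on the host: the only path to NPM
    # from outside is cloudflared -> edge network -> npm:443 (TLS, Cloudflare cert).

  piwigo:
    image: lscr.io/linuxserver/piwigo:latest      # assumption: linuxserver image
    networks: [backend]
    # No "ports:" block. NPM proxies to http://piwigo:80 over the "backend" bridge,
    # so the unencrypted hop never leaves the Docker host's virtual switch.
    #
    # Weak form of the same service (do not combine with the above):
    #   ports:
    #     - "8080:80"
    # That publishes the plain-HTTP application on every host interface, so any
    # LAN device (or a compromised container with host networking) can reach it
    # directly, bypassing NPM, its certificate and any access rules it enforces.
```

Two caveats a practitioner would check after bringing this up: `docker network inspect backend` should list only `npm` and `piwigo`, and `curl http://<unraid-lan-ip>:8080/` from another LAN machine should fail to connect, which confirms the HTTP hop is confined to the bridge. `internal: true` also means the application container has no outbound internet access; an application that needs it (app-store updates, federation, external previews) would have to sit on a non-internal bridge instead, still without a `ports:` entry. The trade-off the question asks about is then explicit: traffic between NPM and Piwigo is readable by anything with root on the Docker host, but nothing else, which is the same trust boundary NPM's own private key already lives inside.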
