I have been scouring the internet for a solution or best practice to no avail. I have been playing around with Virtual Box Ubuntu server instances, and am trying to replicate a server environment that I could use for hosting a web application I have been mulling over in my head. I would really like to experiment using NGINX as a load balancer and static file server in front of a bunch of nodejs processes.

Basically, I have set up a series of Ubuntu Server Virtual Machines on my dev pc. I have one internet facing virtual machine with NGINX installed with three additional upstream servers that are set to an internal network.

I have the NGINX machine on the same internal network as the three upstream machines as well as being on a separate bridge network adapter. All four machines can ping each other and only the NGINX reverse proxy has access to the internet.

My question is, what is the best way (or even a good way) to update servers without adversely affecting the security benefits of being behind a reverse proxy? My understanding is that one of the benefits of using a reverse proxy is that it creates only one point of access for attackers to hit your servers, XSS/SQL Injection vulnerabilities notwithstanding.

Should I give my upstream servers temporary access to the internet to update applications, or would it be better to set up the reverse proxy machine as a forward proxy at the same time?

Thank you for your help!

Greg

1 Answer

Just because a server has access to the Internet doesn't mean the Internet has access to that server.

You can (and should) configure the firewall on every box you have. You can also configure an independent firewall that protects all the boxes.

A common firewall configuration pattern is to allow all outbound traffic and then deny all inbound traffic except for established connections (i.e. those connections started by machines inside the firewall). This pattern will allow your boxes to request updates across the internet but will not allow anyone on the internet to connect to your NodeJS service.

On the reverse proxy box, you will have to add another rule to allow inbound traffic on ports 80 and 443.
There are other ways to solve this problem, such as running a proxy server on the DMZ box and configuring apt on all the other boxes to use that proxy. This will work in a situation where you can't give the internal boxes direct access to the internet, such as a PCI card data environment.

Ladadadada
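The firewall pattern the answer describes (default-deny inbound, accept replies to connections the box started, allow all outbound, and open 80/443 only on the reverse proxy) written out as an nftables ruleset produced by a small POSIX shell script. This is an added example, not code from the question or the answer; the proxy's internal address 10.0.0.1, the Node.js port 3000 and the file name fw.sh are assumptions.

```shell
#!/bin/sh
# Added example: nftables rules for the pattern described in the answer.
# Usage (assumed file name fw.sh): sh fw.sh proxy | nft -f -   on the NGINX box,
#                                  sh fw.sh upstream | nft -f -  on each Node.js box.
# Assumed values: the reverse proxy's internal address and the Node.js listen port.
: "${PROXY_ADDR:=10.0.0.1}"
: "${APP_PORT:=3000}"

# Rules shared by every box: loopback, replies to connections the box itself started
# (this is what lets "apt update" work with no inbound exposure), and ping.
base_rules() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
EOF
}

# The one rule that differs per role.
role_rules() {
    case "$1" in
        proxy)    # internet-facing box: the only one accepting new HTTP(S) connections
            printf '        tcp dport { 80, 443 } accept\n' ;;
        upstream) # Node.js box: new connections only from the proxy, only to the app port
            printf '        ip saddr %s tcp dport %s accept\n' "$PROXY_ADDR" "$APP_PORT" ;;
        *)        echo "unknown role: $1 (use proxy|upstream)" >&2; return 1 ;;
    esac
}

# Full ruleset: forwarding is dropped (no box routes for another), outbound is open.
ruleset() {
    base_rules
    role_rules "$1" || return 1
    cat <<'EOF'
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Print the ruleset for the requested role when run as a script.
if [ $# -eq 1 ]; then ruleset "$1"; fi
```

Check the result with `nft list ruleset` after applying; an SSH rule for your management path is deliberately not included and must be added before this ruleset goes on a box you reach over the network.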