Reverse Proxy for Single Public Facing Server
-
If you were self-hosting a VM that's to be public facing (like MeshCentral, NextCloud, etc.), would you bother with also setting up a separate VM as reverse proxy server for that traffic?
I would say "yes." Even if you're just proxy-ing traffic for only one server, you would still want the single ingress point for external traffic.
I think of it like virtualization. Even for a single server you still install a hypervisor on the bare metal. There's no downside to the one server being a VM and if if you add servers in the future, you just spin up more VMs. In the case of a reverse proxy, if you find yourself hosting more stuff, you can simply add configs to your reverse proxy and manage TLS certs in one place as well.
-
This post is deleted! -
@eddiejennings said in Reverse Proxy for Single Public Facing Server:
if you find yourself hosting more stuff,
I have only ever had one client where I had only a single internally hosted system. It seems to be either none or more than one.
Because of that I always plan a proxy.
-
I don't think the VM example relates to the proxy question.
The fact that you are self hosting probably plays more into this than anything else.
As a self hoster, do you have have more than one IP? If not, and you're going to have more than one site, proxy becomes a must (no one wants to deal with ports).
I suppose having multiple IPs doesn't preclude you from using a proxy, just makes it less of a demand. -
@jaredbusch The only one static IP or IP address is what kills me and so I have to agree that is why we have been shifting to proxies recently.
-
@dashrender said in Reverse Proxy for Single Public Facing Server:
I don't think the VM example relates to the proxy question.
The fact that you are self hosting probably plays more into this than anything else.
As a self hoster, do you have have more than one IP? If not, and you're going to have more than one site, proxy becomes a must (no one wants to deal with ports).
I suppose having multiple IPs doesn't preclude you from using a proxy, just makes it less of a demand.I think of it as a good practice to put something public-facing behind a proxy if possible, whether it's a single server or multiple. That was my connection to virtualization: not a technical connection, but a possible best practice of putting something behind a proxy by default instead of putting something behind a proxy as an exception.
-
@eddiejennings said in Reverse Proxy for Single Public Facing Server:
@dashrender said in Reverse Proxy for Single Public Facing Server:
I don't think the VM example relates to the proxy question.
The fact that you are self hosting probably plays more into this than anything else.
As a self hoster, do you have have more than one IP? If not, and you're going to have more than one site, proxy becomes a must (no one wants to deal with ports).
I suppose having multiple IPs doesn't preclude you from using a proxy, just makes it less of a demand.I think of it as a good practice to put something public-facing behind a proxy if possible, whether it's a single server or multiple. That was my connection to virtualization: not a technical connection, but a possible best practice of putting something behind a proxy by default instead of putting something behind a proxy as an exception.
That's pretty easy to do when you're self hosted, but if you're doing something like Vultr instances, I'm guessing it's a bit harder - unless Vultr allows for the creation of VMs that only exist on a private network.
-
@dashrender said in Reverse Proxy for Single Public Facing Server:
@eddiejennings said in Reverse Proxy for Single Public Facing Server:
@dashrender said in Reverse Proxy for Single Public Facing Server:
I don't think the VM example relates to the proxy question.
The fact that you are self hosting probably plays more into this than anything else.
As a self hoster, do you have have more than one IP? If not, and you're going to have more than one site, proxy becomes a must (no one wants to deal with ports).
I suppose having multiple IPs doesn't preclude you from using a proxy, just makes it less of a demand.I think of it as a good practice to put something public-facing behind a proxy if possible, whether it's a single server or multiple. That was my connection to virtualization: not a technical connection, but a possible best practice of putting something behind a proxy by default instead of putting something behind a proxy as an exception.
That's pretty easy to do when you're self hosted, but if you're doing something like Vultr instances, I'm guessing it's a bit harder - unless Vultr allows for the creation of VMs that only exist on a private network.
Just about all "cloud" providers let you easily create a private network within their own infrastructure now. I know Vultr, Digital Ocean and Linode all do at least.
-
@dashrender said in Reverse Proxy for Single Public Facing Server:
@eddiejennings said in Reverse Proxy for Single Public Facing Server:
@dashrender said in Reverse Proxy for Single Public Facing Server:
That's pretty easy to do when you're self hosted, but if you're doing something like Vultr instances, I'm guessing it's a bit harder - unless Vultr allows for the creation of VMs that only exist on a private network.
True and that why I specifically mentioned a self-hosting scenario. I think I have a thread from the past asking about whether or not people bother with reverse-proxy for things hosted in Vulture or the like.
-
@eddiejennings said in Reverse Proxy for Single Public Facing Server:
If you were self-hosting a VM that's to be public facing (like MeshCentral, NextCloud, etc.), would you bother with also setting up a separate VM as reverse proxy server for that traffic?
Generally, yes.
-
@eddiejennings said in Reverse Proxy for Single Public Facing Server:
I would say "yes." Even if you're just proxy-ing traffic for only one server, you would still want the single ingress point for external traffic.
It's nice if you want to have some extra security. It's not a lot, but there is some small security benefit.
-
@jaredbusch said in Reverse Proxy for Single Public Facing Server:
@eddiejennings said in Reverse Proxy for Single Public Facing Server:
if you find yourself hosting more stuff,
I have only ever had one client where I had only a single internally hosted system. It seems to be either none or more than one.
Because of that I always plan a proxy.
That too. And, like with hypervisors, only having one initially doesn't imply only one for forever.
-
@dashrender said in Reverse Proxy for Single Public Facing Server:
As a self hoster, do you have have more than one IP? If not, and you're going to have more than one site, proxy becomes a must (no one wants to deal with ports).
I can self host without a proxy. I still use a proxy, but not for that purpose.
-
@dashrender said in Reverse Proxy for Single Public Facing Server:
@eddiejennings said in Reverse Proxy for Single Public Facing Server:
@dashrender said in Reverse Proxy for Single Public Facing Server:
I don't think the VM example relates to the proxy question.
The fact that you are self hosting probably plays more into this than anything else.
As a self hoster, do you have have more than one IP? If not, and you're going to have more than one site, proxy becomes a must (no one wants to deal with ports).
I suppose having multiple IPs doesn't preclude you from using a proxy, just makes it less of a demand.I think of it as a good practice to put something public-facing behind a proxy if possible, whether it's a single server or multiple. That was my connection to virtualization: not a technical connection, but a possible best practice of putting something behind a proxy by default instead of putting something behind a proxy as an exception.
That's pretty easy to do when you're self hosted, but if you're doing something like Vultr instances, I'm guessing it's a bit harder - unless Vultr allows for the creation of VMs that only exist on a private network.
Not hard at all. It's a service, not a VM of its own.
-
@dashrender said in Reverse Proxy for Single Public Facing Server:
but if you're doing something like Vultr instances, I'm guessing it's a bit harder
Nope, we do it all the time, crazy easy. Free.
-
@eddiejennings said in Reverse Proxy for Single Public Facing Server:
@dashrender said in Reverse Proxy for Single Public Facing Server:
@eddiejennings said in Reverse Proxy for Single Public Facing Server:
@dashrender said in Reverse Proxy for Single Public Facing Server:
That's pretty easy to do when you're self hosted, but if you're doing something like Vultr instances, I'm guessing it's a bit harder - unless Vultr allows for the creation of VMs that only exist on a private network.
True and that why I specifically mentioned a self-hosting scenario. I think I have a thread from the past asking about whether or not people bother with reverse-proxy for things hosted in Vulture or the like.
I don't think that it makes a difference.
