Specifically from the standpoint of protecting against common and not-so-common exploits.

I understand the concept of a reverse proxy and how works on the surface level, but do any of the common recommendations (npm, caddy, traefik) actually do anything worthwhile to protect against exploit probes and/or active attacks?

Npm has a “block common exploits” option but I can’t find anything about what that actually does, caddy has a module to add crowdsec support which looks like it could be promising but I haven’t wrapped my head around it yet, and traefik looks like a massive pain to get going in the first place!

Meanwhile Bunkerweb actually looks like it’s been built with robust protections out of the box, but seems like it’s just as complicated as traefik to setup, and DNS based Let’s Encrypt requires a pro subscription so that’s a no-go for me anyway.

Would love to hear people’s thoughts on the matter and what you’re doing to adequately secure your setup.

Edit: Thanks for all of your informative replies, everyone. I read them all and replied to as many as I could! In the end I’ve managed to get npm working with crowdsec, and once I get cloudflare to include the source IP with the requests I think I’ll be happy enough with that solution.

  • TedZanzibar@feddit.ukOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    5 months ago

    If it was just me, or if Tailscale wasn’t such an insatiable battery leech then I’d absolutely do that but the wife (and kids) acceptance factor plays a big role, and they’re never going to accept having to toggle a separate service on and off to get to their photos.

    Maybe I’m being overly paranoid but I work in IT and see the daily, near constant barrage of port scans and login attempts to our VPN service and it has an effect!

    • butitsnotme@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      I use WireGaurd, it’s set to on demand for any network or cellular data (so effectively always on), no DNS records (I just use public DNS providing private range IP addresses). It doesn’t make any sort of dent in my battery life. Also, only the wiregaurd network traffic is routed through it, so if my server is down the phone/laptop’s internet continues to work. I borrowed my wife’s phone and laptop for 15 minutes to set it up, and now no one has to think about it.

      • TedZanzibar@feddit.ukOP
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        Thanks for the suggestion. I spent a good hour or two trying to make Wireguard work for me last night but failed. If I set it to only apply to Immich, nothing else would have Internet access at all. Likewise if I set the peer IP range to just my LAN subnet.

        After pulling my hair out for a while I gave up and uninstalled.

        • butitsnotme@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          5 months ago

          The peer range shouldn’t be your LAN, it should be a new network range, just for WireGaurd. Make sure that the server running Immich is part of the WireGaurd network.

          My phone and laptop see three networks: the internet, the lan (192.168.1.0/24, typically) and WireGaurd (10.30.0.0/16). I can anonymize and share my WireGaurd config if that would help.