I run a self-hosted server at home on which I have run a bunch of personal stuff (like nextcloud etc.). To prevent pointing DNS servers at my home router, I run a reverse proxy on a VPS that I rent (from Scaleway FWIW).
Today I was trying to figure to what extent that exposes my data to my VPS provider and whether I can do something about it. Disclaimer: this is just a hobby exercise. I’m not paranoid, I just want to learn for my own self how to improve security of my setup.
My reverse proxy terminates the SSL connection and then proxies the connection over a wireguard connection to my home server. This means that (a) data is decrypted in the RAM of the VPS and (b) the certificates live unencrypted in the storage of the VPS. This means that the VPS provider, if they want to, can read all the traffic unencrypted to and from my home server.
I was thinking that I can solve both problems by using Nginx’s SSL pass-through feature. This would allow me to not terminate SSL on the VPS solving (a) and to move the certificates to my home server solving (b).
But just as I was playing around with it, I realised that SSL pass-through would not solve the problem of trying to protect my data from the VPS provider. As long as my DNS records point at the VPS provider’s servers, the VPS provider can always get their own certificates for my domains and do a MitM attack. Therefore, I might as well keep the certificates on the VPS since I still have to trust them not to make their own behind my back.
In the end I concluded that as long as I use a VPS provider to route my traffic to my home server, there is no fool-proof way to secure my data from them. Intuitively it makes sense, the data crosses their hardware physically and thus they will have access to it. The only way to stop it would be to update the DNS records to point directly at my home server which I don’t want to do.
Is this correct thinking or is there some way to prevent the VPS provider from seeing my data?
Again, I’m trying to solve this problem as a hobby exercise. The most sensitive data that I have is stored encrypted at the filesystem level and I only decrypt it locally on my own machine to work on it. Therefore, the actually sensitive data that would be cost me a lot if compromised is never available unencrypted on the VPS. Due to the overhead of this encryption and other complications, I don’t do this for all my files.
Something else to consider is Cloudflare tunnels. They are free and quite handy.
Essentially, it creates a secure wiregiard connection between you and cf so you don’t need to open any ports or have a reverse proxy on your side. Then, cf becomes the end point and where dns points.
Cf essentially hosts your reverse proxy for you and you so all the config on their site once you get the tunnel setup. The Cloudflared docker is all that I had to set up.
Its essentially what you are doing with the vps, but purpose built and free.
I’m using a SSH tunnel to connect a port on my vps to a port on my home server. I have rhevssl certificates both on the vps and the home server (I trust the vps provider), but I’m pretty sure (correct me if I’m wrong!) that this would work with the certificates only on the home server. Could the vps provider do a mitm then? I’m not sure, the packets go in one port and are directly forwarded to my home server.
Can the vps provider get their own certificates? That’s a good question. I guess you could check the certificate when connecting to prevent tampering. Datetime of issue alone should be enough since vps providers can’t fake that. Unless you don’t trust CAs either :)
DNS is very leaky no matter where you run it, unless you run DNS over HTTPS (DoH). Full stop.
I’m no fan of DoH because it scales poorly. Nevertheless, a combination of Tailscale (or tailscale-like securort overlay mesh network) and an in-mesh DoH DNS relay going to be more secure than most other setups. Relay the DNS out through Tor at your own (performance) peril, but that’s going to he very secure.
I’m not a practitioner of this method, but it’s how I would approach it if I needed to.
I am sad, and ashamed, that you had to continuously point towards it being “a hobby exercise” - without which the only answers you would get are “change your VPS provider bro” or “you’re too scared bro”. Paranoid or not, these questions are important to understand and answer (network security is not easy when you get into such concepts), regardless where they are coming from. I am positively dismayed; aggravated even, that even in such a community where people know so much, the first thought that would come to their mind is “just trust them bro”.
That said, you are correct. The VPS can absolutely inspect your storage + RAM and scrape the keys/certificates. Considering that Cloudflare tunnels are much worse, I’d rather stick with a VPS, but the problems remain.
I wonder if LUKS can be used for the underlying storage hosting these certificates. Although, will that help if the RAM of the device is compromised?
If it was just storage/RAM scraping then that could be solved with SSL pass-through though. That way the reverse proxy would not decrypt the traffic and would forward the encrypted traffic further to the home server. I was actually setting that up a few hours ago. However, since the VPS provider owns the IP address of the VPS, they can simply obtain their own certificate for the domain. After all, Let’s Encrypt verifies your ownership of the domain by your ability to control the DNS entries. Therefore, even if the certificates weren’t on the VPS, the fact that I am redirecting traffic via their IP address makes me vulnerable to a malicious provider.
The “hobby exercise” was just to indicate that this is not for work and that I’m interested in an answer beyond “you need to trust your provider” which I do :) I agree, these are important questions! And they’re also interesting!
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
@dr_robot
Something else to consider is Cloudflare tunnels. They are free and quite handy.
Essentially, it creates a secure wiregiard connection between you and cf so you don’t need to open any ports or have a reverse proxy on your side. Then, cf becomes the end point and where dns points.
Cf essentially hosts your reverse proxy for you and you so all the config on their site once you get the tunnel setup. The Cloudflared docker is all that I had to set up.
Its essentially what you are doing with the vps, but purpose built and free.
I’m using a SSH tunnel to connect a port on my vps to a port on my home server. I have rhevssl certificates both on the vps and the home server (I trust the vps provider), but I’m pretty sure (correct me if I’m wrong!) that this would work with the certificates only on the home server. Could the vps provider do a mitm then? I’m not sure, the packets go in one port and are directly forwarded to my home server.
Can the vps provider get their own certificates? That’s a good question. I guess you could check the certificate when connecting to prevent tampering. Datetime of issue alone should be enough since vps providers can’t fake that. Unless you don’t trust CAs either :)
DNS is very leaky no matter where you run it, unless you run DNS over HTTPS (DoH). Full stop.
I’m no fan of DoH because it scales poorly. Nevertheless, a combination of Tailscale (or tailscale-like securort overlay mesh network) and an in-mesh DoH DNS relay going to be more secure than most other setups. Relay the DNS out through Tor at your own (performance) peril, but that’s going to he very secure.
I’m not a practitioner of this method, but it’s how I would approach it if I needed to.
I am sad, and ashamed, that you had to continuously point towards it being “a hobby exercise” - without which the only answers you would get are “change your VPS provider bro” or “you’re too scared bro”. Paranoid or not, these questions are important to understand and answer (network security is not easy when you get into such concepts), regardless where they are coming from. I am positively dismayed; aggravated even, that even in such a community where people know so much, the first thought that would come to their mind is “just trust them bro”.
That said, you are correct. The VPS can absolutely inspect your storage + RAM and scrape the keys/certificates. Considering that Cloudflare tunnels are much worse, I’d rather stick with a VPS, but the problems remain.
I wonder if LUKS can be used for the underlying storage hosting these certificates. Although, will that help if the RAM of the device is compromised?
Cheers
If it was just storage/RAM scraping then that could be solved with SSL pass-through though. That way the reverse proxy would not decrypt the traffic and would forward the encrypted traffic further to the home server. I was actually setting that up a few hours ago. However, since the VPS provider owns the IP address of the VPS, they can simply obtain their own certificate for the domain. After all, Let’s Encrypt verifies your ownership of the domain by your ability to control the DNS entries. Therefore, even if the certificates weren’t on the VPS, the fact that I am redirecting traffic via their IP address makes me vulnerable to a malicious provider.
The “hobby exercise” was just to indicate that this is not for work and that I’m interested in an answer beyond “you need to trust your provider” which I do :) I agree, these are important questions! And they’re also interesting!
Is there a way to be notified when certificates for a particular domain are created?
Apparently yes! Based on another comment in this thread: https://certificate.transparency.dev/monitors/.
You could try destination NAT with netfilter/iptables (DNAT) and terminate TLS on your home server.
This way packets will be forwarded to the home server without beign decrypted on the VSP.
deleted by creator