Reverse Proxy

A reverse proxy is a special type of web server that forwards data from other web servers. It improves security by letting us keep all of our other services inside our internal network and expose only the proxy to the World Wide Web.

Secure Web Application Gateway – more commonly referred to as SWAG – is a community-driven project by LinuxServer.io to host an nginx server. We will be using this as a reverse proxy to provide access to our individual services through a centralized location.


{{Show difference between reverse proxy and connecting individual services to the internet.}}

Nginx ("engine x") is an open-source Web server, reverse proxy and load balancer that is used to power the majority of corporate domains.  Nginx can be used to host a standard HTTP(S) Web server with PHP functionality and add-on modules.  It can also be used as a reverse proxy which acts as the "public face" of that domain.  It acts as an intermediate server that receives client requests and forwards that data along to another server behind the scenes.   

{{Diagram of Cockpit on a server being linked through a relay server to outside internet}}

We are hosting Docker services on our server with access to their web interface linked to local ports.  This is how we can access Cockpit through a Web browser from computers on our local network.  By using a reverse proxy, we can route access to Cockpit through a web sub-domain – such as cockpit.example.com.
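
As an added illustration (not part of the original page and not SWAG's own template), a plain nginx configuration for the cockpit.example.com sub-domain described above could look like the following. The backend address 192.168.1.10, port 9090 (Cockpit's default) and the certificate paths are assumptions and placeholders.

```nginx
# Added example. Assumed values: backend 192.168.1.10:9090 (constructed
# LAN address, Cockpit's default port) and placeholder certificate paths.

# Catch-all: requests for any host name we have not explicitly published
# are dropped, so only named sub-domains are reachable from outside.
server {
    listen 80 default_server;
    return 444;                      # close the connection without a reply
}
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;         # nginx 1.19.4+: refuse TLS for unknown names
}

# Plain HTTP for the published name is only used to redirect to HTTPS.
server {
    listen 80;
    server_name cockpit.example.com;
    return 301 https://$host$request_uri;
}

# The public face of the service: TLS ends here, traffic is forwarded inward.
server {
    listen 443 ssl;
    server_name cockpit.example.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    location / {
        # The backend stays on the internal network. nginx does not verify
        # the upstream certificate unless proxy_ssl_verify is enabled.
        proxy_pass https://192.168.1.10:9090;
        proxy_http_version 1.1;

        # Tell the backend who the real client is and how it connected.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrades through for interactive web interfaces.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```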

SWAG makes it easy to automatically generate an SSL certificate using a variety of mechanisms. Certificates form the foundation of the HTTPS protocol by verifying the identity of the server and encrypting data sent through a secure TCP connection.

SWAG also provides preconfigured settings for integration with other security-focused add-ons:

Dashboard

This provides a graphical overview of the common device types, geographical regions and IP addresses accessing your SWAG reverse proxy server.

Fail2Ban

This software offers intrusion detection that blocks malicious IP addresses that repeatedly fail authentication checks for your services.

Authelia

An open-source authorization portal that offers single sign-on and two-factor authentication for securing access to your services.

CrowdSec

This project offers proactive threat protection by fostering an open community to share information about malicious Internet actors.


SWAG comes bundled with accessible default options that balance security and convenience. This also includes templates for each of the services you are making available. Using them first requires configuring and installing the software through Docker Compose using Portainer.

SWAG also operates as a basic Web server, serving a site on both port 80 and port 443. It does not include any proxy configuration by default and instead serves a basic HTML website that can currently be accessed on your local network.