For those running a 'Reverse Proxy'

[muzicman0 84]

I used to use Caddy for my reverse proxy, but ended up behind a CGNAT, so currently I am using a different solution.  I am no longer behind CGNAT, so thinking of going back to Caddy.

My question is do any of you use any type of Geo Location filtering?  I tried setting up Caddy as a test to only allow connections from the US, but was unable to get it to work correctly.  

[darkassassin07 652]

I used to use cloudflares geo fencing options when I used their WAF (proxy) services for Emby, but it caught such a tiny amount of traffic that I never bothered to set it up directly in nginx when I stopped using cloudflares WAF. It was only something like 2 connections/month.

 

Instead I have nginx setup to only respond to exact subdomain matches. Any request that doesn't exactly match a known FQDN just receives a '444' (nginx's 'drop connection with no response' code). This includes connections just using my ip, or my base domain.

Been meaning to setup fail2ban to block anyone that gets 444'd as well as failed auth attempts, but I've been lazy...

Edited March 18, 2024 by darkassassin07

[TMCsw 249]

I actual do use Geo Location on my nginx reverse proxy but this really only gives any real help/security if you are using common ports (like 80/443/8096/8920) I use a 5 digit port for emby and and it's almost [maybe]never scanned... 

[muzicman0 84]

I'm using a Cloudflare Tunnel right now, and it works OK.  I may make all my users use Tailscale.  That would be decent security, but I think I have one user who uses a LG TV, so I doubt he could use it.

[crusher11 1101]

10 hours ago, darkassassin07 said:

I used to use cloudflares geo fencing options when I used their WAF (proxy) services for Emby, but it caught such a tiny amount of traffic that I never bothered to set it up directly in nginx when I stopped using cloudflares WAF. It was only something like 2 connections/month.

Mine is batting back several a day.