Hacker News
Ask HN: How to securely expose an internal webserver to the internet
3 points by aborsy 21 days ago | 4 comments
I would like to expose a web server such as Nextcloud to the internet. I want an authentication layer in front of it, as in Cloudflare Access with ACLs. It will be on a custom domain and end-to-end encrypted with TLS. I prefer that the proxy in front is managed and secured by a company, since I am not an expert in security.

* Cloudflare Access: This is great, but Cloudflare terminates the TLS which is not acceptable (otherwise I will run the application in the cloud)

* Ngrok: The free tier is limited (doesn’t support custom domains and is too limited in bandwidth), and the pricing of the paid tier doesn’t fit

* A reverse proxy on a VPS with something like Authentik or Teleport in front of it. This would work but I prefer that I don’t configure and maintain the Authentik. It seems risky.

I am looking for recommendations.




You are on a cursed mission.

If you want someone else to do your auth for you (i.e., sign in with a Google account before you get proxied to the origin), you will need to allow them to terminate the TLS for you. Otherwise, they won't know the state of the auth mechanism.


If it's just for you, you could simply SSH forward the Nextcloud port to your machine. No need to deal with domains and TLS at all.


No, it’s for public access. Still, a reverse SSH tunnel could expose it on a VPS, but there is no authentication and ACL.

SSH port forwarding is also typically slow.


Pinggy (https://pinggy.io) supports TLS tunnels (end to end encrypted). However, by design that means Pinggy cannot put any authentication layer in front of it. The connection will be end-to-end encrypted from the browser to your server.

Disclosure - I am working with Pinggy.



