On Fri, Feb 16, 2024 at 7:57 AM Andy Marden <[email protected]> wrote:
> That's what I do with everything. Reverse proxy with https coming in to
> nginx and then http to each device. Https is too much of a pain internally
> esp since Google decided to think for us and decide that self signed certs
> are gonna give browser warnings.
>

There are ways to make sure that your systems don't give warnings - use an enterprise CA, deploy the CA certificate to your internal systems. It doesn't have to be a pain. Saying "HTTPS is too much of a pain" is setting yourself up for security issues.

> The risk is low enough (if my lan is compromised I have way bigger
> problems).
>

Please forgive me while I go on a bit of a tangent about security, in general...

I'd humbly suggest you reconsider this view of network security. If your LAN is compromised, you may not know it. In fact, some of the most successful attacks (outside of ransomware) on organizations have been ones where attackers were able to get into the network and persist for years without detection. If you think encryption is "too painful" or "too much work", you're basically giving anyone that gets into your network (perhaps already is in your network) free rein to collect information for as long as they can, and making it really, really easy to do so. There's a saying in security - there are two types of organizations: Those who have been hacked, and those who know they've been hacked.

Also, keep in mind that many attacks are "insider attacks" - attacks perpetrated by people who already have legitimate access to your network, but who choose to abuse that access. There are many motivators for this - greed, disgruntlement, dissatisfaction - but lack of relatively basic, proper security can make this much easier for them, and increase the amount of data they can get access to, and put you/the organization at risk.

Finally, if you're deciding that encryption is too painful/too much work, it's indicative of a mentality toward security, in general, that says that "proper security is too painful." So, what else, besides encrypting traffic, are you sacrificing, because it is "too painful" or "too difficult"? I'm going to avoid the temptation to continue building out my argument, but, if your LAN is anything outside of your home network, you probably have a responsibility to protect data that is valuable to someone else.

> On 16/02/2024 at 12:31, Andrea Miconi <[email protected]>
> wrote:
>
> Thanks for your answers.
>
> Now I'm using guacamole in a LAN and I don't need a reverse proxy.
> When I have finished the configuration and everything is OK, I will
> connect from the Internet using the reverse proxy on the firewall (OPNsense
> with HA Proxy).
>
> If you assure me that it is already sufficient, then I will leave HTTP.
> Instead I would like to know if I can use another port from the Internet
> and let HAProxy redirect to 8080.
>

That's not what *I* said - I don't think HTTP is sufficient, and I would install a reverse proxy and configure encryption *today.* I run Guacamole in my $DayJob, and I encrypt both my production system and the test/development system that I use. The return on the relatively small investment is too great. Please don't misunderstand me - I'm not saying that it's perfect or will defeat any and all attacks, just that it's an easy enough thing to do to make it sufficiently harder for someone on your network to intercept traffic between systems.

-Nick
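
The two pieces of advice in this thread (an internal CA whose certificate you push to your own systems, and a reverse proxy that terminates TLS and talks plain HTTP to Guacamole on 8080) can be put together with nothing more than openssl and a few lines of nginx config. The script below is an added example and is not code from the thread, from the Guacamole project or from its documentation. The CA name "Homelab Internal CA", the hostname guac.internal.example, the upstream http://127.0.0.1:8080, the working directory and the certificate lifetimes are all assumptions for the demo; adjust them to your environment.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: stand up a small internal CA with
# openssl, issue a server certificate for an internal Guacamole host, check it
# the way a browser would (chain + hostname), and write an nginx server block
# that terminates TLS and proxies to Guacamole on plain HTTP port 8080.
# CA name, hostname, upstream address, paths and lifetimes are assumptions.
set -eu

# write_ext_config FILE HOST: openssl config with CA and server extension
# profiles. Browsers match subjectAltName, not the CN, so the SAN is what
# stops the warning once ca.crt is trusted.
write_ext_config() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# issue_internal_cert DIR CA_CN HOST: creates ca.key/ca.crt (ca.crt is what you
# deploy to every internal browser/OS trust store) and server.key/server.crt.
issue_internal_cert() {
  local dir="$1" ca_cn="$2" host="$3"
  mkdir -p "$dir"
  write_ext_config "$dir/openssl.cnf" "$host"
  # Self-signed CA certificate (assumed 10-year lifetime); keep ca.key offline.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/openssl.cnf" -extensions v3_ca -subj "/CN=$ca_cn" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key + CSR (subject taken from [dn] in the config).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # Sign with the CA, applying the v3_server profile (assumed 2-year lifetime).
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 730 -sha256 \
    -extfile "$dir/openssl.cnf" -extensions v3_server -out "$dir/server.crt" 2>/dev/null
}

# verify_internal_cert DIR HOST: the browser's two checks, chain to a trusted
# CA and hostname present in the SAN. Non-zero exit on either failure.
verify_internal_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# write_nginx_tls_proxy OUT HOST UPSTREAM CERTDIR: HTTPS in, HTTP to Guacamole.
# Guacamole's own docs proxy the /guacamole/ path; "/" is used here for brevity.
write_nginx_tls_proxy() {
  cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name $2;
    ssl_certificate     $4/server.crt;
    ssl_certificate_key $4/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass $3;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$http_connection;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

WORK="${WORK:-$(mktemp -d)}"          # assumed working directory
HOST="guac.internal.example"          # assumed internal hostname
issue_internal_cert "$WORK" "Homelab Internal CA" "$HOST"
write_nginx_tls_proxy "$WORK/guacamole.conf" "$HOST" "http://127.0.0.1:8080" "$WORK"
if verify_internal_cert "$WORK" "$HOST"; then
  echo "server.crt chains to ca.crt and matches $HOST"
fi
if ! verify_internal_cert "$WORK" "other.internal.example"; then
  echo "the same certificate is rejected for a hostname not in its SAN"
fi
echo "CA to distribute: $WORK/ca.crt; nginx config: $WORK/guacamole.conf"
```

Only ca.crt leaves the box: import it into the OS or browser trust store of each internal client (or push it by group policy / MDM) and the warning disappears for every certificate the CA issues, so adding a second internal host is just another run of the signing step with a new SAN. Keep ca.key off the proxy host, since anyone holding it can mint a certificate for any internal name your clients now trust.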
