It is my home network. So I think I am fine with insider action. As in anything related to security it is always a cost benefit.
My biggest issue is why the likes of Google decide that they know best. Why shouldn't I have self-signed certificates on my LAN and have that be OK with browsers?

> On 16/02/2024 at 14:21, Nick Couchman <[email protected]> wrote:
>
> > On Fri, Feb 16, 2024 at 7:57 AM Andy Marden <[email protected]> wrote:
> >
> > That's what I do with everything. Reverse proxy with https coming in to nginx and then http to each device. Https is too much of a pain internally, esp. since Google decided to think for us and decide that self-signed certs are gonna give browser warnings.
>
> There are ways to make sure that your systems don't give warnings - use an enterprise CA, deploy the CA certificate to your internal systems. It doesn't have to be a pain. Saying "HTTPS is too much of a pain" is setting yourself up for security issues.
>
> > The risk is low enough (if my lan is compromised I have way buffety problems).
>
> Please forgive me while I go on a bit of a tangent about security, in general...
>
> I'd humbly suggest you reconsider this view of network security. If your LAN is compromised, you may not know it. In fact, some of the most successful attacks (outside of ransomware) on organizations have been ones where attackers were able to get into the network and persist for years without detection. If you think encryption is "too painful" or "too much work", you're basically giving anyone that gets into your network (perhaps already is in your network) free rein to collect information for as long as they can, and making it really, really easy to do so. There's a saying in security - there are two types of organizations: those who have been hacked, and those who know they've been hacked.
>
> Also, keep in mind that many attacks are "insider attacks" - attacks perpetrated by people who already have legitimate access to your network, but who choose to abuse that access. There are many motivators for this - greed, disgruntlement, dissatisfaction - but lack of relatively basic, proper security can make this much easier for them, and increase the amount of data they can get access to, and put you/the organization at risk.
>
> Finally, if you're deciding that encryption is too painful/too much work, it's indicative of a mentality toward security, in general, that says that "proper security is too painful." So, what else, besides encrypting traffic, are you sacrificing, because it is "too painful" or "too difficult"? I'm going to avoid the temptation to continue building out my argument, but, if your LAN is anything outside of your home network, you probably have a responsibility to protect data that is valuable to someone else.
>
> > > On 16/02/2024 at 12:31, Andrea Miconi <[email protected]> wrote:
> > >
> > > Thanks for your answers.
> > >
> > > Now I'm using guacamole in a LAN and I don't need a reverse proxy.
> > > When I have finished the configuration and everything is OK, I will connect from the Internet using the reverse proxy on the firewall (OPNsense with HA Proxy).
> > >
> > > If you assure me that it is already sufficient, then I will leave HTTP. Instead I would like to know if I can use another port from the Internet and let HAProxy redirect to 8080.
>
> That's not what *I* said - I don't think HTTP is sufficient, and I would install a reverse proxy and configure encryption *today.* I run Guacamole in my $DayJob, and I encrypt both my production system and the test/development system that I use. The return on the relatively small investment is too great.
>
> Please don't misunderstand me - I'm not saying that it's perfect or will defeat any and all attacks, just that it's an easy enough thing to do to make it sufficiently harder for someone on your network to intercept traffic between systems.
>
> -Nick
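Nick's "use an enterprise CA, deploy the CA certificate to your internal systems" suggestion, as an added shell example that is not part of the thread: it builds a private CA with openssl, issues a server certificate for a hypothetical reverse-proxy host (`guac.lan.example`, a constructed name), and shows that the CA-issued certificate verifies against that CA while a plain self-signed one does not.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA for an internal network,
# a server certificate for a hypothetical Guacamole reverse proxy, and the
# verification a browser that trusts the CA would perform. Names are constructed.
set -eu

HOST="guac.lan.example"   # hypothetical internal hostname of the reverse proxy

# Create the CA and a CA-signed server certificate inside directory $1.
build_internal_ca() {
  d="$1"
  # 1. Root CA: self-signed and long-lived. This is the one certificate you
  #    distribute to every client's trust store so browsers stop warning.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Home Lab Root CA" -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  # 2. Server key and CSR for the proxy; the SAN is what browsers match on.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$d/guac.key" -out "$d/guac.csr" >/dev/null 2>&1
  # 3. The CA signs the CSR. Extensions are set by the CA, not copied blindly:
  #    SAN for the hostname, CA:FALSE and serverAuth so the leaf is server-only.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$HOST" > "$d/leaf.ext"
  openssl x509 -req -in "$d/guac.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 397 -extfile "$d/leaf.ext" -out "$d/guac.crt" >/dev/null 2>&1
  echo "$d"
}

# Succeeds only if the server cert chains to the CA and is valid for $HOST.
verify_leaf() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$HOST" "$1/guac.crt" >/dev/null 2>&1
}

# A stand-alone self-signed server cert (the kind that triggers browser
# warnings) fails the same check: nothing in the trust store vouches for it.
verify_self_signed_fails() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
    -keyout "$1/selfsigned.key" -out "$1/selfsigned.crt" >/dev/null 2>&1
  ! openssl verify -CAfile "$1/ca.crt" "$1/selfsigned.crt" >/dev/null 2>&1
}

# Stand-alone run: build everything in a temporary directory and report.
demo_dir="$(build_internal_ca "$(mktemp -d)")"
verify_leaf "$demo_dir" && echo "CA-issued cert for $HOST: verified"
verify_self_signed_fails "$demo_dir" && echo "self-signed cert: rejected as expected"
```

Installing `ca.crt` in each client's trust store (browser or OS) is the one-time step that turns this into warning-free HTTPS on the LAN; the CA key stays offline.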
