(http.jameshfisher.com)

652 points jamesfisher | 3 comments | 28 May 19 07:57 UTC | HN request time: 0.765s | source

Show context

shurcooL ◴[28 May 19 12:30 UTC] No.20029367[source]▶

>>20028108 (OP) #

> It is not sufficient security to only bind to 127.0.0.1 (the “loopback interface”)

What would be a better, more secure thing to do when you have multiple web servers on one machine behind a SSL-terminating reverse proxy?

replies(1): >>20029481 #

cosarara ◴[28 May 19 12:51 UTC] No.20029481[source]▶

>>20029367 #

The thing to do is not run a web browser on that machine. Run the servers in a VM.

replies(1): >>20030753 #

notatoad ◴[28 May 19 14:57 UTC] No.20030753[source]▶

>>20029481 #

But this seems to be able to see servers accessible to the local machine, so if my Dev server in a VM is accessible from my browser, it's accessible to any webpage in my browser?

replies(1): >>20031177 #

1. cosarara ◴[28 May 19 15:36 UTC] No.20031177[source]▶

>>20030753 #

The reverse proxy is accessible from your browser and is properly configured to not accept random requests from any webpage (See: CORS). The others are not directly accessible, but only through the reverse proxy server. Does that make sense?

replies(1): >>20031576 #

2. notatoad ◴[28 May 19 16:19 UTC] No.20031576[source]▶

>>20031177 (TP) #

not really, no. i still don't see what the reverse proxy or the VM are bringing to the table here. If i'm understanding the necessary CORS config here, it's to simply not send any access-control-allow-origin header, which does not require a VM or reverse proxy, most HTTP services do that by default.

simply being accessed through a reverse proxy instead of directly doesn't add any additional security

replies(1): >>20032635 #

3. cosarara ◴[28 May 19 17:57 UTC] No.20032635[source]▶

>>20031576 #

Actually, you are right.

↑

I can see your local web servers