Pros & Cons – Firewall vs. Reverse Proxy

Started by 9axqe, March 22, 2024, 05:23:56 PM

Hello, I am trying to set up immich on my home NAS and I am brainstorming what's the best strategy for network connectivity, especially for guests (I regularly share photos with family, friends, etc.).

Immich is set up in Docker on a Synology NAS. I use the Synology reverse proxy already locally.

First, IPv4 vs. IPv6: I am tempted to make it IPv6-only. It simplifies a lot of things when it comes to keeping traffic local when on the home network. This decision is also entangled with the next point.

Second, securing the connection: geoBlock is one idea, what else would you recommend? The problem is, it's TLS up to the Syno reverse proxy.

Alternatively, I enable the caddy reverse proxy on opnsense and daisy-chain caddy and the synology reverse proxy (I assume this should work fine), as caddy can then inspect the content of the traffic and probably significantly improve security. IPv4 also becomes a no-brainer if using caddy on the opnsense router.

Any experience with having two reverse proxies daisy-chained and with the security benefits of using caddy vs. "just" opnsense?

There are no real security benefits (except encryption of http/s traffic) from using caddy as reverse proxy. Its benefit is being a TLS Termination Proxy that gets you easy TLS Certificates for your websites. You only get enhanced security (additional to encryption) if you combine it with crowdsec.

https://docs.opnsense.org/manual/how-tos/caddy.html#integrating-caddy-with-crowdsec

Also, running two reverse proxies daisy-chained will give you a bad experience. You should choose one and let it handle all the proxying.

Hardware:
DEC740
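To make the advice above concrete, here is what the single-proxy design looks like as a plain Caddyfile (an added example, not the poster's configuration and not what the OPNsense plugin generates from its GUI): Caddy terminates TLS and obtains the certificate, the CrowdSec bouncer module checks each client IP against active decisions before the request is proxied, and the upstream is the Immich container directly rather than a second reverse proxy. The hostname, the CrowdSec API address, the API key variable and the Immich address/port are assumptions.

```caddyfile
{
    # Assumed: CrowdSec local API runs on the same host; the key comes from
    # `cscli bouncers add <name>` and is supplied via an environment variable.
    crowdsec {
        api_url http://127.0.0.1:8080
        api_key {env.CROWDSEC_API_KEY}
        # how often the bouncer refreshes the decision list from the LAPI
        ticker_interval 15s
    }
    # run the bouncer before any other handler so banned IPs never reach the upstream
    order crowdsec first
}

# Assumed public hostname; Caddy terminates TLS here with an auto-obtained certificate.
photos.example.com {
    # reject clients that have an active CrowdSec decision (ban) against them
    crowdsec

    # Only one proxy hop: plain HTTP straight to the Immich container on the NAS
    # (assumed address and Immich's default port), not to the Synology reverse proxy.
    reverse_proxy 192.0.2.10:2283
}
```

Encryption comes from the TLS termination; the blocking of abusive clients comes only from the `crowdsec` handler, which is the point made above about needing the CrowdSec integration for security beyond TLS.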

Thanks for the feedback. I'll go with firewall, as I already have crowdsec configured on opnsense.

Do you know if crowdsec will also monitor traffic which is not directed at the WAN interface of the opnsense router but rather an IPv6 (GUA) on the home network behind it?