I have a situation where a webserver behind a network firewall is run inside Docker containers. It is set up in this order:

  • Caddy webserver - acts as WAF, GEOIP block, IP blacklist, HTTP Security Headers modifications, TLS termination, rate limiting, and reverse proxy to NGINX
  • NGINX webserver - simply acts as a simple webserver in combination with PHP-FPM
  • PHP-FPM

None of the ports are exposed to the host except for Caddy TCP/80 and TCP/443. Caddy and NGINX share their own private Docker network and NGINX and PHP-FPM share their own private Docker network. All are regularly patched and updated.

From a layered security (defense-in-depth) point of view this seems to be a nice segregation of duties. It also performs well. Now, for a tiny performance enhancement, it was suggested to remove NGINX altogether and simply use Caddy as the direct webserver to pass scripts to php_fastcgi. What are the potential security implications and risks of this, given that the attack surface (PHP-FPM) is now one layer closer to the attacker, with only Caddy in between instead of Caddy and then NGINX?
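As an added example, not the questioner's configuration: a Caddyfile for the proposed Caddy-direct-to-PHP-FPM layout that keeps one control the NGINX hop would otherwise have supplied, namely deciding which files may reach the interpreter at all. The hostname, document root, upstream address and the single front controller (index.php) are assumptions.

```caddyfile
# Added example (not from the question). Assumed: the app is a front-controller
# PHP app served from /var/www/html, and PHP-FPM listens on php-fpm:9000 on a
# private Docker network that only Caddy can reach.
app.internal.example {
	root * /var/www/html

	# The controls the question already places in Caddy stay in Caddy.
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		-Server
	}

	# With NGINX gone, Caddy alone decides what PHP-FPM executes. Only the front
	# controller may run; any other script path (for example a file dropped into
	# an upload directory) is answered with 404 before php_fastcgi sees it.
	# The regex also covers PATH_INFO forms such as /uploads/x.php/anything, which
	# php_fastcgi would otherwise split at ".php" and execute. Mirror here whatever
	# extensions the FPM pool accepts (security.limit_extensions, default .php).
	@notFrontController {
		path_regexp (?i)\.php(/|$)
		not path /index.php /index.php/*
	}
	respond @notFrontController 404

	# Default try_files routes clean URLs to index.php; everything else that
	# survives the matcher above is a static file.
	php_fastcgi php-fpm:9000
	file_server
}
```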

Comments:

  • What are you trying to defend your server from? Without a concrete goal, it's impossible to tell whether or not having nginx in between serves any useful purpose. Commented Jan 23 at 9:31
  • It's an internal business application. The network firewall also has IP whitelisting. The PHP webapp has authentication with MFA too. Moreover, a MySQL container is used, only accessible on a PHP-FPM - MySQL network. Trying to prevent unauthorized access to data, either indirectly through the webapp or directly to the database. Commented Jan 23 at 9:38
  • What is unauthorized access? Who is the attacker? What is the value of the data? Do you have any kind of SIEM? Why do you need a geoip block in an internal application? Security is seldom reduced to do X or do Y. Commented Jan 23 at 9:40
  • Unauthorized access is well defined. The value of the data is enough to have multiple sufficient mechanisms in place. SIEM/XDR are in place, but that's not in the scope of this question. The GEOIP blacklist on the application level is a fallback in case of future (accidental) misconfiguration of the network firewall. Commented Jan 23 at 9:46
  • Additionally, Caddy and NGINX now share an internal secret, so that in case of (accidental) direct exposure of NGINX it will not be accessible, as the request did not come through Caddy first. Commented Jan 23 at 9:53
