Is it possible to completely hide all reverse proxy traffic from a VPS provider?

pz303 , 11 months ago

@dr_robot

Something else to consider is Cloudflare tunnels. They are free and quite handy.

Essentially, it creates a secure wiregiard connection between you and cf so you don't need to open any ports or have a reverse proxy on your side. Then, cf becomes the end point and where dns points.

Cf essentially hosts your reverse proxy for you and you so all the config on their site once you get the tunnel setup. The Cloudflared docker is all that I had to set up.

Its essentially what you are doing with the vps, but purpose built and free.

solidgrue , 11 months ago

DNS is very leaky no matter where you run it, unless you run DNS over HTTPS (DoH). Full stop.

I’m no fan of DoH because it scales poorly. Nevertheless, a combination of Tailscale (or tailscale-like securort overlay mesh network) and an in-mesh DoH DNS relay going to be more secure than most other setups. Relay the DNS out through Tor at your own (performance) peril, but that’s going to he very secure.

I’m not a practitioner of this method, but it’s how I would approach it if I needed to.

green_dot , 11 months ago

Best option is to directly NAT traffic from VPS to your home server, either directly to your IP or set up a wireguard peer and send traffic via wireguard to your local and do the SSL/TLS termination on your local.

You are best exposing just 443 port on the VPS and moving that traffic over wireguard. Server will have your local public key on the server, and you could implement a wireguard key rotation to change them frequently.

Traffic sent back will be encrypted with the certificate, and even if they get the wireguard server key, you can rotate it, but still they will see encrypted packets.

It depends what kind of things you’re doing on your local. If it is just a website thing, then reverse proxy is fine. Anything other than that, NAT would be cleanest one.

LUKS on the disks would encrypt it the data on the block storage level, and, in theory, they should not have a way of reding block storage files directly. But since it is a VPS they can, technically, gather data from host memory.

Next step might be going down a dedi server route, Luks encryption on disks. Only thing thats needed there would be sufficient network pipe.

eskuero , 11 months ago

Terminate the ssl connection at a reverse proxy hosted in your home server, and instead useiptables to redirect the traffic through the wireguard interface

dr_robot OP , 11 months ago

Thanks for the suggestion! That is also doable with Nginx's SSL pass-through. However, that is still vulnerable to the VPS provider obtaining a certificate. But indeed, it does appear that a combination of redirecting encrypted traffic (SSL passthrough or iptables) with cert monitoring appears to be emerging as a solution.

BTW, I prefer SSL pass-through over iptables, because I do keep one endpoint on the VPS and that's my static website which also needs a cert. With SSL pass-through I can terminate connections to the static website while redirecting all other connections as it can pre-read the destination domain. With iptables I would need two IP addresses to distinguish the connections.

taladar , 11 months ago

the VPS provider can always get their own certificates for my domains and do a MitM attack.

You can limit which CA’s will offer certificates for your domain with the CAA record in DNS. You can also at least detect if someone else creates a certificate for your domain if you watch the certificate transparency logs.

dr_robot OP , 11 months ago

You can limit which CA’s will offer certificates for your domain with the CAA record in DNS.

Yea, I already have that.

You can also at least detect if someone else creates a certificate for your domain if you watch the certificate transparency logs.

Did not know this before today, but now I have it switched on!

MigratingtoLemmy , 11 months ago

Thank you, this is most helpful

dinosaurdynasty , 11 months ago

CAA can also be used to disable http verification, meaning you would have to have control of DNS to be able to get a certificate (which the VPS ideally wouldn’t have).

taladar , 11 months ago

I didn’t know about that extensions. Thanks for mentioning it. Apparently you can also select which CA account should be the only one allowed to issue certificates for a domain via DNS too.

MigratingtoLemmy , 11 months ago

I am sad, and ashamed, that you had to continuously point towards it being “a hobby exercise” - without which the only answers you would get are “change your VPS provider bro” or “you’re too scared bro”. Paranoid or not, these questions are important to understand and answer (network security is not easy when you get into such concepts), regardless where they are coming from. I am positively dismayed; aggravated even, that even in such a community where people know so much, the first thought that would come to their mind is “just trust them bro”.

That said, you are correct. The VPS can absolutely inspect your storage + RAM and scrape the keys/certificates. Considering that Cloudflare tunnels are much worse, I’d rather stick with a VPS, but the problems remain.

I wonder if LUKS can be used for the underlying storage hosting these certificates. Although, will that help if the RAM of the device is compromised?

Cheers

dr_robot OP , 11 months ago

If it was just storage/RAM scraping then that could be solved with SSL pass-through though. That way the reverse proxy would not decrypt the traffic and would forward the encrypted traffic further to the home server. I was actually setting that up a few hours ago. However, since the VPS provider owns the IP address of the VPS, they can simply obtain their own certificate for the domain. After all, Let's Encrypt verifies your ownership of the domain by your ability to control the DNS entries. Therefore, even if the certificates weren't on the VPS, the fact that I am redirecting traffic via their IP address makes me vulnerable to a malicious provider.

The "hobby exercise" was just to indicate that this is not for work and that I'm interested in an answer beyond "you need to trust your provider" which I do :) I agree, these are important questions! And they're also interesting!

MigratingtoLemmy , 11 months ago

Is there a way to be notified when certificates for a particular domain are created?

dr_robot OP , 11 months ago

Apparently yes! Based on another comment in this thread: https://certificate.transparency.dev/monitors/.

CAPSLOCKFTW , 11 months ago

I’m using a SSH tunnel to connect a port on my vps to a port on my home server. I have rhevssl certificates both on the vps and the home server (I trust the vps provider), but I’m pretty sure (correct me if I’m wrong!) that this would work with the certificates only on the home server. Could the vps provider do a mitm then? I’m not sure, the packets go in one port and are directly forwarded to my home server.

Can the vps provider get their own certificates? That’s a good question. I guess you could check the certificate when connecting to prevent tampering. Datetime of issue alone should be enough since vps providers can’t fake that. Unless you don’t trust CAs either :)

muddybulldog , 11 months ago

If you’re concerned that you VPS provider is replacing your certificates you need to find another provider.

You should also look in to certificate transparency monitoring. I get notified anytime a certificate gets issued for one of my domains.

dr_robot OP , 11 months ago

No, I'm not concerned. This is just a theoretical exercise so that I can understand the trade-offs I'm making.

Edit: The certificate transparency monitoring sounds interesting. Did not know about that.

lemmy , 11 months ago

You are correct. The provider owns the IP and also VPS. They theoretically have the ability to do anything within those confines. Same thing with your nameserver provider with your DNS records and the domain itself with the registrar. There’s a certain level of trust that needs to be accepted for anything that goes outside the confines of your house. The good thing is those companies have more to lose than you by breaking that level of trust.

taladar , 11 months ago

Well, technically you only have to trust your DNS registrar minimally if you use DNSSEC and only use your DNS hoster’s servers as slave servers. The registrar could always DoS you of course by not entering new DNSSEC zone signing keys into the parent zone and the hoster by removing your zone from their servers but they can not technically publish any records in your name in that case or prevent individual records from being published (unless those are new and they just keep serving an old version of your zone).

MigratingtoLemmy , 11 months ago

Could you explain more about this? I’m very new to DNS, and cannot grasp how using DNSSEC prevent the VPS from tampering with DNS and how we only “minimally” rely on the DNS provider?

Also, could you explain more zone signing keys?

taladar , 11 months ago

I actually made a mistake in my previous post by writing zone signing keys when I meant key signing keys.

Basically in DNSSEC there is a hierarchy of keys all the way from the DNSSEC root zone keys. Each DNSSEC-enabled domain has some key signing keys which have a signature signed by the parent zone’s keys stored in the parent zone as DS records similar to the way NS records are stored in the parent zone. This is done by the registrar for your domain. So e.g. the DS records for itjust.works would be stored in the works zone and the ones for works would be stored in the DNS root zone.

The domain owner can then use the key signing key to sign a regularly changing zone signing key (e.g. KSK might be valid for a year and ZSK for a month with some overlap to avoid outages). Both KSKs and ZSKs are stored in the zone itself as DNSKEY records.

The zone signing key is then used to sign each individual record in the zone. There is also a mechanism to certify that all the names in between and the records of other types do not exist but I don’t know the details of that. It is specifically designed to prevent enumeration of all existing records though.

So if you do all your zone signing on, say, your home server and only publish the zone via zone transfer on some DNS slave servers the organisation or person running your DNS slave servers will not be able to do anything other than publish it as is, publish an outdated version they received from you before (in which case you could switch out your DNSSEC keys to make that invalid) or not publish it at all (Denial of Service) but they could not publish their own records or modify the records you published.

Of course the caveat with that is that it only works if the clients actually validate the DNSSEC signatures of the zone/records but more and more do in recent years.

brombek , 11 months ago

You could try destination NAT with netfilter/iptables (DNAT) and terminate TLS on your home server.

This way packets will be forwarded to the home server without beign decrypted on the VSP.

ablackcatstail , 11 months ago

That’s an interesting solution. But could the cloud VPS provider still see the metadata?

taladar , 11 months ago

They will always be able to see the peer’s IP and port, the time packets are sent and the amount of data of course. They will also be able to see the SNI field of the client hello TLS packet, telling them which domains the client is trying to reach.

cstine , 11 months ago

Technically you’re correct: your VPS provider can inspect your network traffic, the contents of RAM and anything on the disk.

Bluntly: you have to trust your VPS provider, and if you’re unsure they’re trustworthy you shouldn’t use them.

(Scaleway is legitimate, bound by actual useful data protection laws, and has a comprehensive privacy and security policy.)

ablackcatstail , 11 months ago

It sounds like you’re doing something very similar to me. I run my Lemmy and Mastodon server out of my home. I have a wireguard tunnel between that server and my cloud VPS. The cloud VPS handles reverse proxying. The information that I am most likely leaking is metadata. Metadata is surprisingly useful. In an ideal world we could secure and obfuscate everything. For the most part though, your traffic is secure and your cloud provider won’t be able to really get more than your metadata.

dr_robot OP , 11 months ago

I don't think it's just metadata that's leaking though. I would say it's the entire content of the connection. If the reverse proxy terminates the secure connection it will decrypt the data which will be available unencrypted in the VPS. Outside of the VPS instance the traffic remains entirely encrypted.

Admittedly this decrypted data is not easy to access - you would need to have root access and be able to capture the traffic from within the VPS. But a VPS provider has this kind of access - as they run the hypervisor, they have direct access to the RAM (and possibly even a much easier way to just log in as root into the VPS itself). I think you do have to trust the VPS provider not to peek into the VPS itself. As long as you're paying for the service, that's probably a safe assumption.

taladar , 11 months ago

There is no easy way to just log into the VPS as root just because you run the host. There are probably exploits that could do it but there is no simple included tool to do so.

It would probably be easier to just hook into the (likely known) VPS kernel doing something similar to the sslsniff tool from the bpfcc-tools package (hook into the openssl, gnutls,… ssl decryption functions basically).