Exposing internal web services (e.g. Confluence, JIRA, Racktables) over internet - alternatives to VPN?

I’m currently setting up several internal webapps (e.g. Confluence, JIRA, Racktables etc.) on a local VM server.

It’d be nice to be able to access these from anywhere (i.e. over internet), from both desktops/mobiles etc.

What are some options for exposing these web servers in a secure way?

I assume VPN (e.g. ZeroTier, Pritunl etc.) would be one.

Is there perhaps another that is more frictionless, especially for non-technical people?

If you already have a footprint in Azure/O365, check out Azure AD App Proxy.

You can stick a web server in a DMZ as a reverse proxy, then only allow secure web traffic to that reverse proxy from the internet, and only allow secure web traffic from the reverse proxy to the internal servers.

Commission an external vulnerability test afterwards to make sure you know your exposure (and update it regularly).

Stick the servers in a DMZ, harden the servers, apply firewall filters on ports and expose only 443 (for web servers).

What about seamless VPNs? Something like an AlwaysOn VPN setup for Windows 10 and an On Demand VPN profile for iOS/Android. These can be set up to auto-connect silently in the background based on URLs or apps.

Barracuda’s WAF has a reverse proxy, with authentication from LDAP or RADIUS (or both). You can protect any website with it.

Cloudflare Access could be an option.

Cloudflare has a pretty cool tool if you use Okta.

Reverse application proxy + 2FA.

There are heaps of options for the proxy. Some UTM/firewalls will have reverse proxies built in. You can build your own using HAProxy in Ubuntu, nginx/Apache in any Linux distro, or IIS in Windows Server. Then place the HAProxy in an edge DMZ separated from your other infrastructure. Be sure to harden your OS and do not domain-join this infrastructure.

2FA can be achieved using a series of add-ons for Confluence, e.g. Duo.

Be sure to configure your 2FA such that it doesn’t ask for 2FA when accessing resources from within the network or from known trusted IPs (e.g. branch office public IPs).

Reverse proxy together with ADFS and two-factor authentication.

If you have an HTML5 VPN portal you can publish those pages to it. This way you point your people to the URL and they log in and have bookmarks to all your internal sites.

Wow, didn’t know about this. This is neat. Seems you can apply conditional access and MFA requirements. You can even bring-your-own-domain-name.

More info: Application proxy documentation - Microsoft Entra ID | Microsoft Learn

Thanks for sharing!

+1 for setting up a proper reverse proxy (DMZ dependent on network setup and cloud / on-prem).

Don’t go direct to servers running the systems; use a new machine / VM running Apache / nginx with correct DNS and certificates to handle SSL, and proxy pass down to the servers underneath (many setups can be found online; I think Atlassian has an almost step-by-step guide for nginx for Confluence / JIRA).

Firewall the reverse proxy to only allow connections from IP(s) you know, harden all the things, scan regularly, and set up a VPN as well if desired, as that can also add 2-factor auth.

Don’t forget other security layers, e.g. WAF, hardened OS, tight FW policy, MAC (SELinux), host firewall (inbound AND outbound) etc.
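An added example (not from any post in this thread) of the nginx reverse-proxy pattern the replies above describe: only 443 exposed, TLS terminated at the DMZ proxy, an optional source allow-list, and proxy_pass down to an internal Confluence host. The hostname, addresses, certificate paths and backend port are assumptions.

```nginx
# Added example, not from the thread: nginx as a DMZ reverse proxy in front of
# an internal Confluence instance. Hostnames, IPs and paths are assumptions.

# Plaintext HTTP exists only to redirect; nothing but 443 is meant to be exposed.
server {
    listen 80;
    server_name wiki.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name wiki.example.com;

    # Certificate from a public CA; these paths are assumptions.
    ssl_certificate     /etc/letsencrypt/live/wiki.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wiki.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to stay on HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Optional source allow-list (constructed addresses): office and branch
    # egress IPs. Drop this block if users must connect from arbitrary networks
    # and rely on the app's 2FA instead.
    allow 198.51.100.0/24;
    allow 203.0.113.7;
    deny  all;

    location / {
        # Confluence lives on an internal-only host; the firewall should let
        # only this proxy reach it on the backend port.
        proxy_pass http://10.0.5.20:8090;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Attachment uploads and slow pages need more headroom than defaults.
        client_max_body_size 100M;
        proxy_read_timeout   300;
    }
}
```

Confluence's own Tomcat connector also has to be told it sits behind an HTTPS proxy (the proxy name, port and scheme), otherwise it generates http:// links; that part lives in the application's server config, not in nginx.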

It’s fairly easy to set up. I have some of our internal IIS sites that rely on AD auth using Azure AD as it is able to change the user’s UPN to fit our on-prem requirements. I also just have App Proxy working like a reverse proxy for some of our static sites. No poking holes in firewalls needed.

I’m sure that’s what google is doing so everyone can access gmail