Do criminals use forward proxy servers? I might be screwed.
Discussion
This is a thing I have been meaning to ask you about. Where you host your proxy. I wonder if it is worth it for people who want to self host, to pool on a colocated server that just runs proxy services. Would it be cheaper than a VPS?
I guess reverse proxy as a service exists, but I pay for a 2 core VPS unit, it's like $10/month to route all of my ingress traffic. The main reason is security, complexity, and just general ownership of my data. Running all of my services on a VPS (with storage) would be prohibitively expensive. I pay for the hardware once. Use it for a while, then upgrade and sell off the old gear. I don't like renting ANYTHING if I can help it :)
Also specifically, my cloud proxy is a dumb stream forwarder, it does not terminate SSL traffic. It stores no certificates. I didn't want it to leak anything in the case it was compromised. Its purpose is literally to hide my IP address, and offer a buffer layer if something should happen to it.
HSTS should protect my users in the case it gets compromised and the cert changes.
Agree. I don't like renting anything either. I do pay for shared hosting for some stupid stuff I put up. But now that I have a half decent internet connection I'd prefer to host from home. It'd be nice to experiment with more than just PHP. I am just trying to figure out what I need for a proxy. Can you limit the bandwidth on yours so even if attacked it won't use more than half your bandwidth?
Since it's just a TCP stream proxy, nginx seems fairly limited on its TCP rate limiting. I'm considering switching to Envoy, but it's far more complicated to configure. I limit the number of connections per IP address, but I haven't figured out how to throttle those connections.
But the biggest thing I can do, since all traffic is coming from one IP address, is to rate limit using my networking equipment or hypervisor. If accessible, I can also limit throughput using my VPS firewall.
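The setup described in the two posts above (a VPS running nginx as a pure TCP forwarder that holds no certificates, with per-IP connection limits) can be expressed as an nginx `stream` block. The config below is an added example, not the poster's actual configuration: the home-side address 203.0.113.10 is a constructed placeholder, the numeric limits are illustrative, and the directives are the ones documented for the `ngx_stream_*` modules. Because the VPS only relays encrypted bytes, a compromise of that box exposes no key material, which is what makes the HSTS argument in the earlier post hold: the attacker has nothing to present but a certificate the browser will refuse.

```nginx
# Added example (not the poster's config): nginx as a dumb TCP forwarder on a
# VPS. No ssl_* directives appear here on purpose: TLS is terminated at home,
# so this host never sees plaintext and stores no certificates or keys.

stream {
    # Count concurrent connections per client address. A 10 MB zone holds
    # on the order of 160k addresses, far more than a home service needs.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;
    limit_conn_log_level warn;

    # Connection-level log only (no payload exists to log: TLS is opaque here).
    # Useful for spotting a single source opening many sessions.
    log_format basic '$remote_addr [$time_local] $protocol '
                     '$status $bytes_sent $bytes_received $session_time';
    access_log /var/log/nginx/stream_access.log basic;

    upstream home_https {
        server 203.0.113.10:443;   # constructed placeholder for the home router/firewall
    }

    server {
        listen 443;
        proxy_pass home_https;

        # At most 10 simultaneous TCP connections from one source address;
        # excess connections are refused and logged at the level set above.
        limit_conn per_ip 10;

        # Per-connection throughput cap in bytes per second (5 MB/s each way),
        # so any one client cannot saturate the home uplink on its own.
        # These apply per connection; combined with limit_conn above they also
        # bound the total a single address can pull (10 x 5 MB/s here).
        proxy_download_rate 5m;
        proxy_upload_rate   5m;

        # Do not keep idle sessions open indefinitely.
        proxy_connect_timeout 5s;
        proxy_timeout 10m;

        # Optional: prepend a PROXY protocol header so the home reverse proxy
        # logs the real client IP instead of the VPS address. The home-side
        # listener must be configured to expect it (listen ... proxy_protocol),
        # otherwise the header corrupts the TLS handshake.
        # proxy_protocol on;
    }
}
```

Reload with `nginx -t && nginx -s reload` after editing. Note that `proxy_download_rate` and `proxy_upload_rate` limit each connection rather than the aggregate, so an attacker spreading load across many source addresses is still only bounded by the per-address connection count times the per-connection rate; a cap on total throughput has to come from the VPS provider's firewall or from the home network equipment, as the post above says.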
I was wondering if you could trick your isp at the data center into rate limiting on your behalf simply by paying for less bandwidth there than you do at home.
I'm sure you could. However my VPS has almost no restrictions that I've ever run into. I have something like 3tb total monthly capacity (each direction) which I've never come close to using, and I've had it sustain 1gb upload and download speeds when playing around. I had gigabit fiber, but now I'm down lower than that at this location.
I went with 500 Megabit because it was $30/mo cheaper than gigabit and still faster than the cable I was replacing.
Not much point in paying for gigabit if we never came close to saturating 300Mbps. Also, Gbps is the limit of my LAN. My access point is even less. I am not ready to upgrade my entire infra no matter how much fun that would be.
Yeah same here. I have all of the equipment to move to 10gb I bought slowly over time, but my living situation makes it useless.
How'd you get a 10g switch for less than the price of a car? I got a used HP v1910-48g for something like $40 a while ago.
I'd share more, but I don't need the public/governments knowing my network setup XD They need to guess a little.
Yeah it's older now, and it wasn't cheap. Everything else was though. Network cards were luck on marketplace, someone sold me machines with them in it, I yanked them out and resold the gear. I found a few dozen LC fiber cables at a thrift store, and a friend sold me a couple SFP ethernet adapters cheap. I'm mostly fiber though.
I envy the fiber. I built a home office in my basement 5 years ago and like an idiot I put a pair of RJ45 jacks with Cat6 next to every outlet without putting it in conduit so I could upgrade. Realistically I'll be fine, they are all short runs in a low noise environment. I should be able to push it well past 10g. But still... Should have used conduit.
Yeah if you could spare the extra cash, then conduit is awesome for stuff like that! Yeah for 10g the fiber is too much and gets expensive for long runs. I only need it for the servers anyway.
I never messed with proxies for privacy. I thought one of the points was that Cloudflare doesn't ding you like they do on a VPN?
I switch between both. Proxy is just when I don't want all of my machine traffic to be routed. My issue with Cloudflare is also browser based. They use canvas fingerprinting which I disable. They can't tell the difference between a forward proxy and a VPN for HTTP traffic. It comes from the same IP and the traffic should look identical to them.
Any proxy you recommend if I wanted to try something new?
I run Squid on a VPS. Keep in mind it doesn't really hide your traffic from your ISP. You can use TLS between your client and server, but TLS traffic is pretty identifiable, so I don't think it offers very much protection, short of masking your physical IP address.