NodeBalancer with one Linode for safety?
Hi. This might be a stupid question, I don't know. If so I am sorry.
Let's say I have an application server on a Linode VPS. I am trying to take precautions to make it as secure as possible, but I still don't like that the data is standing directly there on a VPS that has a known public IP address.
Would it make sense to put a NodeBalancer in front of this one Linode? This seems like a cheaper and lower-maintenance option than, for example, setting up two Linodes where on one there is just something like Nginx with reverse proxying to the application server and data on another, only privately exposed, Linode.
I appreciate feedback from people that understand these things better than me.
The way a NodeBalancer works is that it connects to the backend through a private IP address. This is a LAN connection within the data center, so it is available to any other Linode in the same data center. I would understand why this might be an appealing option for your use case, though I don't think it's really what you want or need.
As for security, I would get started with our Secure Your Server and Security Best Practices guides if you haven't reviewed them yet. From there, I would also look into application-layer security. I'm referring to the application layer of the OSI model.
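The point made in the reply above, that a private IP is still reachable from other Linodes in the same data center, can be checked per listening socket. This is an added example, not part of the original thread: it classifies the bind addresses in `ss -tlnH` output, and the sample output, function names and labels are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 192.168.140.10:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:6379 [::]:*
"""

def split_local(field):
    """Split the 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if addr == "*":
        addr = "::"  # ss prints * for a dual-stack wildcard
    return addr, int(port)

def exposure(addr):
    """Label who can reach a listener bound to this address (hypothetical labels)."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:       # checked first: 127/8 also counts as private
        return "local-only"
    if ip.is_unspecified:    # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    if ip.is_private:        # private LAN shared with other hosts
        return "datacenter-lan"
    return "public"

def audit(ss_output):
    """Return sorted (port, address, exposure) for every LISTEN line."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        findings.append((port, addr, exposure(addr)))
    return sorted(findings)

def lan_reachable(findings):
    """Ports that hosts on the private LAN can connect to."""
    return [p for p, _, e in findings if e in ("datacenter-lan", "all-interfaces")]

if __name__ == "__main__":
    for port, addr, label in audit(SAMPLE_SS):
        print(f"{port:>5}  {addr:<16} {label}")
```

Anything reported as `datacenter-lan` or `all-interfaces` still needs a firewall rule or application-level authentication, since binding to the private address alone does not restrict who on that LAN can connect.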
Thank you for your reply. After your comment I gave more thought to it and it doesn't make that much sense. If I trust iptables, hiding the server IP from the external world doesn't help much. The application layer, or even nginx if it's running in the same space as the user's data, is still vulnerable to a breach. I think I already did everything in Secure Your Server, but I will check both documents you linked again. Thanks!
I am reading up on using LXC for separating nginx and backend services like PDF generation, etc., that don't need access to user's data from the core application server that does.