Nginx with Application & Database on a Private Network


I want to have the following in a private network, so that the application and database cannot be directly accessed, perhaps using the Digital Ocean Cloud Firewall.

  • Nginx Reverse Proxy Server
  • Application
  • Database

To prevent access to the application server, would I need 3 separate Droplets, one for each?

Currently, Nginx & the application are hosted on the same Droplet, but I assume I will need to split these to prevent access to the application directly?

Thank you.


It depends on what you mean by access. It sounds like you want to separate out Nginx in case someone gains access to that server over the web somehow, so that they don’t gain access to the application.

You could have the application on a private droplet and configure it to refuse all connections except the private networking to Nginx, which proxies for it. In that case yes, you need a separate droplet.

For the database, you could have that on the same droplet as the application with no direct connections allowed to the web, or you could have it on a separate privately networked droplet much like the application, or you could have it on a privately networked managed database that DO now offers.

In my opinion, security-wise this all seems like it could provide some benefits, but perhaps not as many as you would maybe expect. If there’s a vulnerability in the application code that malicious users can exploit to gain access, having it proxied and on a separate droplet won’t help. Since the database needs to be accessible from the application, if they have control of the app, they likely have control of the database as well. It’s not a bad idea, but may be overkill depending on your needs.
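One way to check the layout discussed above on each Droplet, as an added example that is not part of the original question or answer: the script reads `ss -tlnH` output and reports any listener other than Nginx that is bound to a wildcard or public address. The sample output, the private addresses, and the ports (application on 8000, PostgreSQL on 5432) are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (not from the original post).
# Assumed layout: 10.x private network, app on 8000, PostgreSQL on 5432.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 10.116.0.3:8000 0.0.0.0:*
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 244 [::1]:5432 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 *:9000 *:*
"""

PUBLIC_OK = {80, 443}  # only the Nginx listeners may face the internet


def parse_listener(line):
    """Return (address, port) from one `ss -tlnH` line, or None."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    return host, int(port)


def exposure(host):
    """Classify a bind address as 'loopback', 'private' or 'public'."""
    if host in ("*", "0.0.0.0", "::"):
        return "public"  # wildcard binds include the public interface
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def exposed_listeners(ss_output, public_ok=PUBLIC_OK):
    """List (host, port) pairs bound publicly that are not allowed to be."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed and exposure(parsed[0]) == "public" and parsed[1] not in public_ok:
            findings.append(parsed)
    return findings


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed: {host}:{port}")
```

The script inspects bind addresses only; a wildcard listener may still be blocked by a Cloud Firewall rule, so treat each finding as something to confirm against the firewall configuration.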