Nginx with Application & Database on a Private Network

July 11, 2019
Nginx Ubuntu 18.04

Hello,

I want to have the following in a private network, so that the application and database cannot be directly accessed, perhaps using the Digital Ocean Cloud Firewall.

  • Nginx Reverse Proxy Server
  • Application
  • Database

To prevent access to the application server, would I need 3 separate Droplets, one for each?

Currently, Nginx & the application are hosted on the same Droplet, but I assume I will need to split these to prevent access to the application directly?

Thank you.

1 Answer

It depends on what you mean by access. It sounds like you want to separate out Nginx in case someone gains access to that server over the web somehow, so that they don’t gain access to the application.

You could have the application on a private droplet and configure it to refuse all connections except the private networking to Nginx, which proxies for it. In that case yes, you need a separate droplet.

For the database, you could have that on the same droplet as the application with no direct connections allowed to the web, or you could have it on a separate privately networked droplet much like the application, or you could have it on a privately networked managed database that DO now offers.

In my opinion, security-wise this all seems like it could provide some benefits, but perhaps not as many as you would maybe expect. If there’s a vulnerability in the application code that malicious users can exploit to gain access, having it proxied and on a separate droplet won’t help. Since the database needs to be accessible from the application, if they have control of the app, they likely have control of the database as well. It’s not a bad idea, but may be overkill depending on your needs.

  • Hey Carter, thanks for your response here.

    That is what we’re looking to do, re: private Droplet. Regarding the database, this was only for performance reasons - we thought the database querying being on a separate Droplet would be better for performance and allow all CPU power for the application to be secluded to its own Droplet.

    Do you know whether a private network refuses all connections outside of itself by default, or do firewalls need to be added to ensure security?

    Good shout on the managed database; we did look at this, but as MySQL isn’t yet supported we’re going to wait before proceeding with that option.

    Thank you for your input here.

    Edit: Just thought of one last question. Would the Nginx server need to be on the private network with the other 2 Droplets, or would this be outside of the private network so that it can be accessed from the Internet?
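
One concrete shape for the setup Carter describes (the application droplet refusing everything except the proxy over private networking), written here as an added example rather than anything posted in this thread: a ufw rule set for the application droplet, a lint that rejects any rule opening the app port more widely than the proxy's private address, and the matching Nginx server block for the proxy droplet. The private addresses (10.132.0.2 for the proxy, 10.132.0.3 for the app), the private interface name eth1, the port 8000 and the hostname are all assumed values.

```shell
#!/bin/sh
# Assumptions (all constructed for this example): proxy droplet private IP 10.132.0.2,
# application droplet private IP 10.132.0.3 behind private NIC eth1, app on TCP 8000.
set -eu
PROXY_PRIVATE_IP="${PROXY_PRIVATE_IP:-10.132.0.2}"
APP_PRIVATE_IP="${APP_PRIVATE_IP:-10.132.0.3}"
PRIVATE_IFACE="${PRIVATE_IFACE:-eth1}"
APP_PORT="${APP_PORT:-8000}"

# ufw rule set for the application droplet: default-deny inbound, then admit the app
# port only on the private interface from the proxy; SSH likewise via the proxy only.
app_droplet_rules() {
  printf '%s\n' \
    "ufw default deny incoming" \
    "ufw default allow outgoing" \
    "ufw allow in on $PRIVATE_IFACE from $PROXY_PRIVATE_IP to any port $APP_PORT proto tcp" \
    "ufw allow in on $PRIVATE_IFACE from $PROXY_PRIVATE_IP to any port 22 proto tcp" \
    "ufw --force enable"
}

# Lint a rule set (one rule per line): succeed only if every rule touching the app
# port is pinned to the proxy's private address (a broad "ufw allow 8000" fails).
rules_keep_app_private() {
  bad=$(printf '%s\n' "$1" | grep -E "(port |allow )$APP_PORT" \
        | grep -vc "from $PROXY_PRIVATE_IP" || true)
  [ "${bad:-0}" -eq 0 ]
}

# Nginx server block for the proxy droplet: public listener, upstream reached
# only over the private network, so the app itself never needs a public listener.
proxy_server_block() {
  cat <<EOF
server {
    listen 80;
    server_name app.example.test;  # constructed hostname
    location / {
        proxy_pass http://$APP_PRIVATE_IP:$APP_PORT;
        proxy_set_header Host \$host;
    }
}
EOF
}

# Apply the rule set on the application droplet (run as root); refuses to apply a set that fails the lint.
apply_app_droplet_rules() {
  rules=$(app_droplet_rules)
  rules_keep_app_private "$rules"
  printf '%s\n' "$rules" | while IFS= read -r cmd; do $cmd; done
}
```

Run `apply_app_droplet_rules` on the application droplet and write the output of `proxy_server_block` into the proxy droplet's Nginx site configuration; the cloud firewall can then additionally drop everything but 80/443 to the proxy and everything but private-network traffic to the app droplet.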
