Port forwarding or proxying?

Hello,

I have a server in my LAN used to share resources between family members, like accessing the NAS or access to LDAP for emails. Some resources, like the email, are accessible from the Internet.

Presently, I'm using port forwarding to forward selected ports (HTTP, SMTP, LDAP) from the router to that server. But I'm wondering if proxying web and email protocols with nginx installed on the router would be safer?

If I had two servers, I would split the access to the shared resources creating a DMZ to install one server and control the access to the other server. But I have to go with only one box...

What would be the safest architecture? Pluses and minuses of both configurations?

Thanks

Is there a reason why you don't want to use a (road-warrior style) VPN, instead of exposing those services to the internet?

4 Likes

I'm open to all suggestions.

Most of the services are used by the family members and I could try to convince them to install a VPN client on all their devices (laptops and phones), but there are also public resources (web pages, emails) not used by a captive public. For this reason, I'm not sure a VPN is the best solution. Perhaps I'm wrong.

I don't think there is much difference in exposing them directly to exposing them over nginx, if you are not going to apply any policies.
So if you are going to serve some services to anyone you can leave it as it is.
Otherwise if you are going to provide to selective members, it makes sense to use some VPN.
Or you can combine the VPN and direct access to different services.

1 Like

I'd do port forwarding in general. If any internet-facing process gets broken into, I'd rather not have it running on my router but on a separate device.

But depending on the actual application, adding a proxy that does the TCP termination and potentially SSL handling might be a good idea, too. Instead of, e.g., a node.js HTTP server that directly accepts TCP connections from the internet, I'd rather make that node.js server listen only on 127.0.0.1:80 and put an nginx proxy on the very same server that hosts the node.js server, proxying requests to 127.0.0.1:80.

This lets me add fail2ban, Let's Encrypt, request monitoring, IP-range restriction, basic auth and whatever security feature I want to every app that talks HTTP, no matter whether it natively supports that.

So:

  • No proxy service on the router.
  • Port forwarding to the application server.
  • Proxy on the application server.
  • Means to increase security within the proxy configuration.

As for multiple servers: What about virtualization? I'd run virtualization just for the ease of configuration, remote management and backup.

2 Likes
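An nginx configuration that implements the layout from the post above (port forward from the router to the application server, nginx on that server terminating TLS, the application bound to loopback only), added here as an illustration; it is not something posted in the thread. It assumes the backend listens on 127.0.0.1:8080 (the post uses port 80), the hostname home.example.org, a LAN of 192.168.1.0/24 and certbot's default certificate paths; all of these are placeholders to adapt. The file is meant to be dropped into /etc/nginx/conf.d/, which nginx includes inside the http context.

```nginx
# Added example, not from the thread. Reverse proxy on the application server
# in front of a backend that listens on 127.0.0.1:8080 only (hypothetical port).
# Because the backend is bound to loopback, the router's port forward can reach
# nothing but this proxy, so every policy below applies to every request.

# Per-client rate limit (must be declared in http context, i.e. at file top
# level for a conf.d file): 10 requests/second, keyed on the client address.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

upstream app_backend {
    server 127.0.0.1:8080;
}

# Plaintext HTTP only serves the ACME HTTP-01 challenge for Let's Encrypt;
# everything else is redirected to HTTPS.
server {
    listen 80;
    server_name home.example.org;

    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name home.example.org;

    # TLS termination here, with certificates issued by Let's Encrypt
    # (certbot's default paths, assumed).
    ssl_certificate     /etc/letsencrypt/live/home.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Separate logs per site; fail2ban's nginx-http-auth filter watches the
    # error log for failed basic-auth attempts and bans the source address.
    access_log /var/log/nginx/home.access.log;
    error_log  /var/log/nginx/home.error.log;

    # Request monitoring / throttling: allow short bursts of 20, then 503.
    limit_req zone=perip burst=20 nodelay;

    # Public part: the family web pages anyone may fetch.
    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Restricted part: IP-range restriction (LAN only) plus HTTP basic auth,
    # enforced by the proxy even if the backend has no authentication at all.
    location /admin/ {
        allow 192.168.1.0/24;
        deny  all;

        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;   # htpasswd -c /etc/nginx/htpasswd <user>

        proxy_pass http://app_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with `nginx -t` before reloading. The one thing the proxy cannot enforce is the backend's own bind address: verify with `ss -ltnp` that the application is listening on 127.0.0.1 and not on 0.0.0.0, otherwise a forwarded or LAN-side connection can still bypass every rule above.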