
Which external vulnerabilities remain for a web server secured with mTLS?

Çağlar Arlı

Scenario:

A web server with a web app for remote staff. The web server is behind a reverse proxy (traefik). The web server has a host-based firewall configured to allow connections only from the proxy on the designated port. Those connections use TLS. The only other open ports are ssh, zabbix agent and ntp from 10.0.0.0/8 (ssh and zabbix from specific IPs).

The proxy server listens on 80 and 443 and redirects 80 to 443 (and sets HSTS headers). The proxy server enforces mTLS for the domain hosting the webapp but also proxies for other web servers that use only regular TLS. The proxy server has a host based firewall configured to allow incoming 80/443 from anywhere and ssh and zabbix agent from private IPs. The proxy server currently runs a minimum install of Oracle Linux 8 with SELinux in enforcing mode.

The proxy is behind a network firewall that NATs the public IP to a private IP and only allows traffic to 80/443.

The client certs are generated using a private CA (on internal network, not connected to the Internet) and the certs are then installed in the users' cert store so they can access the web app URL from their browsers.

Question:

Assuming, for the purpose of limiting the scope of this question, that a) the certs remain uncompromised and b) there are no insider threats, what vulnerabilities remain for the web server? In other words, what attack vectors does an attacker have who is outside the network and does not have access to a valid cert?
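As an added example (not from the original post), here is a small Python model of the control the question takes for granted: a listener that, like the proxy, requires a client certificate, probed once without and once with one. It assumes the openssl CLI is available and uses throwaway self-signed certs, with "remote-staff" as a constructed stand-in for a private-CA-issued user cert.

```python
import os, socket, ssl, subprocess, tempfile, threading


def make_self_signed(dirpath, name):
    # Throwaway self-signed cert/key via the openssl CLI (assumed installed), with a SAN for hostname checks
    crt, key = os.path.join(dirpath, f"{name}.crt"), os.path.join(dirpath, f"{name}.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", f"/CN={name}", "-addext", f"subjectAltName=DNS:{name}",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key


def start_mtls_listener(server_crt, server_key, client_ca):
    # One-shot TLS server on 127.0.0.1 that only admits clients presenting a cert chaining to client_ca
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)
    ctx.load_verify_locations(client_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the mTLS switch; CERT_OPTIONAL would admit cert-less clients
    lsock = socket.create_server(("127.0.0.1", 0))
    port = lsock.getsockname()[1]

    def serve():
        conn, _ = lsock.accept()
        lsock.close()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:  # handshake incl. client-cert check
                tls.sendall(b"hello " + tls.getpeercert()["subject"][0][0][1].encode())
        except OSError:
            pass  # missing or untrusted client cert: rejected before anything reaches the app layer
    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(port, server_crt, client_cert=None):
    # Return the server's greeting, or None if the TLS layer turned us away
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(server_crt)
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            # TLS 1.3: the client handshake finishes before the server judges the empty Certificate, so read
            return tls.recv(64).decode() or None
    except OSError:
        return None


def demo():
    with tempfile.TemporaryDirectory() as d:
        server, staff = make_self_signed(d, "localhost"), make_self_signed(d, "remote-staff")
        return {kind: probe(start_mtls_listener(*server, staff[0]), server[0], cert)
                for kind, cert in (("no_cert", None), ("staff_cert", staff))}
```

Note that even the rejected probe carries out a complete key exchange against the server's TLS stack before the missing certificate is noticed, so the proxy's TLS implementation (and its handling of the non-mTLS virtual hosts sharing port 443) stays reachable by anyone who can reach the public IP.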