Is reducing the webserver stack from Caddy, NGINX and PHP-FPM to Caddy and PHP-FPM only a reduction in layered security?
I have a situation where a webserver behind a network firewall is run inside Docker containers. It is set up in this order:
- Caddy webserver - acts as WAF, GeoIP blocking, IP blacklisting, HTTP security header modification, TLS termination, rate limiting, and reverse proxy to NGINX
- NGINX webserver - acts as a simple web server in combination with PHP-FPM
- PHP-FPM
None of the ports are exposed to the host except for Caddy TCP/80 and TCP/443. Caddy and NGINX share their own private Docker network and NGINX and PHP-FPM share their own private Docker network. All are regularly patched and updated.
From a layered security (defense-in-depth) point of view this seems to be a nice segregation of duties. It also performs well. Now, for a tiny performance enhancement, it was suggested to remove NGINX altogether and simply use Caddy as the direct webserver to pass scripts to php_fastcgi. What are the potential security implications and risks of this, since the attack surface (PHP-FPM) is now one layer closer to the attacker, with only Caddy in between instead of Caddy and then NGINX?
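For readers comparing the two layouts, here is a Caddyfile showing what the proposed change looks like in practice. This is an added example, not configuration from the original post; the hostnames, container names, document root and blocked paths are assumptions, and the WAF, GeoIP and rate-limiting pieces are left out because they depend on Caddy plugins rather than core directives. The `current.example.com` block is the existing edge-proxy role; the `proposed.example.com` block is the NGINX-less layout, with the restrictions a practitioner would want once Caddy speaks FastCGI to PHP-FPM directly.

```caddyfile
# Added example, not from the original post. Names and paths are assumptions.

# Current layout: Caddy is only the edge. TLS, headers and filtering happen here;
# everything else is handed to the NGINX container on the shared Docker network.
current.example.com {
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        Referrer-Policy strict-origin-when-cross-origin
        -Server
    }
    reverse_proxy nginx:80
}

# Proposed layout: NGINX removed. Caddy serves static files and passes PHP to
# PHP-FPM itself, so the document root must be mounted into BOTH the Caddy and
# the PHP-FPM container at the same path (assumed /var/www/html), because Caddy
# builds SCRIPT_FILENAME from its own root and PHP-FPM opens that path locally.
proposed.example.com {
    root * /var/www/html
    encode gzip

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        Referrer-Policy strict-origin-when-cross-origin
        -Server
    }

    # Work NGINX used to do: refuse paths that must never reach the interpreter
    # or the file server (library code, config, uploads, dotfiles).
    @denied path /vendor/* /config/* /storage/* /.*
    respond @denied 403

    # Only the front controller is a valid entry point; any other .php that is
    # reachable on disk is not executed, it falls through to a 404.
    @notFrontController {
        path *.php
        not path /index.php
    }
    respond @notFrontController 404

    php_fastcgi php-fpm:9000 {
        index index.php
    }
    file_server
}
```

Two points worth checking when adopting the second block: `php_fastcgi` needs a `root` that matches the PHP-FPM container's view of the filesystem, and the deny rules above are a replacement for the equivalent `location` blocks that were previously living in the NGINX config, so they must be re-created, not assumed.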