Gimp believes in you and loves you in a non-clingy way.
Gimp might be able to perform that little logo-transformation favour for you libre of charge, but at least give it a call after for heaven’s sake.
I’d spend half the money on snail amnesia research. The rest I’d just squander.
stuck in the middle with you
I strongly disagree with this statement. Just because it’s hard to do doesn’t mean it isn’t what you rationally decide you want to do. The reason for staying and the reason for leaving are orthogonal to one another or else there wouldn’t be a conflict. Compare to substance addiction: You decide you want to stop, but you need.
It’s only fair.
The answer seems to always be “not segmented enough”. ;)
Haha, why do I even ask.
This is a good hint, I’m going to take a look at that. Thank you!
I never specified, I think, and probably wasn’t too clear on it myself. Thanks for your insights, I’ll try to take them to my configuration now.
This is exactly the type of answer I was looking for. Thanks a bunch.
So but in that way, having a proxy on the LAN that knows about internal services, and another proxy that is exposed publicly but is only aware of public services does help by reducing firewall rule complexity. Would you say that statement is correct?
Right, I agree with proxy exploit means compromised either way. Thanks for your reply.
I am trying to prevent the case where internal services that I don’t otherwise have a need to lock down very thoroughly might get publicly exposed. I take it it’s an odd question?
Re “bouncer”: Expose some services publicly, not others, discriminated by host with public DNS (service1.example.com) or internal DNS (service2.home.example.com), is what I think I meant by it. Hence my question about one proxy for internal and one public, or one that does both.
Right, I could have been more precise. I’m talking about security risk, not resilience or uptime.
“It’ll probably be the most secure component in your stack.” That is a fair point.
So, one port-forward to the proxy, and the proxy reaching into both VLANs as required, is what you’re saying. Thanks for the help!
The services run on a separate box; yet to be decided on which VLAN I put it. I was not planning to have it in the DMZ but to create ingress firewall rules from the DMZ.
One proxy with two NICs downstream? Does that solve the “single point of failure” risk or am I being overly cautious?
Plus, the internal and external services are running on the same box. Is that where my real problem lies?
I was thinking training montage, with Eye of the Tiger and everything.
In all seriousness, picture your dude’s face! He will have forgotten all about that bet (he might have even now) and one regular sunny day you CASUALLY walk on over to that conveniently located stage; “hold that drink for me for a second, honey”, and BAM. He won’t know what’s even happening, crying into both of your milkshakes in joy and confusion.
Plus, you’ll be super buff. There’s no downside, really.
You should start training in secret immediately! Stages are easy enough to come by once you’re ready.
One’s a crusty bus station, the other a busty crustacean.
What’s the difference between a dirty bus stop and a lobster that underwent plastic surgery?
It’s that, plus “notifications can disrupt your sleep.”