Does anyone deal with HTTPS on their internal networks? I know I could buy a domain name and use Let's Encrypt with a reverse proxy. At work I would do this; it just seems like a lot of work for an internal-only service at home.

# Feb 18, 2023 01:35

# May 14, 2024 08:28

Thanks, I figured the best path was buying a real domain; everything falls into place after that.

# Feb 18, 2023 01:45

Generic Monk posted:
I had similar problems a few months ago; it was this for me. The permissions need to match the uid/gid.

# May 25, 2023 22:08

Quixzlizx posted:

> I do have fail2ban set up so someone can't get into Foundry directly by brute-forcing credentials.

What you're describing does not really offer any sort of protection. It's trivial to find a DNS record from an IP address. You need to make sure your network is properly configured and your auth mechanism is solid.

# Sep 23, 2023 21:06

Quixzlizx posted:

> Thanks for the replies. foundry.mysite.com is just my registered domain address that goes through a CF proxy DNS server before being pointed to my server. I also have a CF cert installed that Caddy requires for authentication per my settings. But that's all only relevant for traffic that is reaching my server through my domain address, rather than randomly port scanning my IP. Which was really what my original question was about: what happens when someone randomly port scans my IP on port 443 (the one forwarded port in my router) without even knowing the domain exists?

Is Cloudflare your proxy or just your DNS host? They offer both. If it's your proxy, there should be a way for Caddy to only accept traffic from that proxy, such as a client certificate config or an IP whitelist as suggested by others, resulting in anything else being dropped.

Dyscrasia fucked around with this message at 01:06 on Sep 24, 2023
# Sep 24, 2023 01:04
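An added example (not from the thread) of the Caddy setup the reply above describes: the site block for foundry.mysite.com only completes a TLS handshake for clients that present a certificate chained to Cloudflare's origin-pull CA, and additionally drops any connection whose source address is outside the proxy's published ranges, so a scanner that hits port 443 without knowing the domain gets nothing. The CA file path, the CIDR placeholders and the Foundry upstream port are assumptions.

```caddyfile
# Added example, not the thread's own config. Assumes Cloudflare is the proxy
# (not just the DNS host) and that Foundry listens on localhost:30000.
foundry.mysite.com {
    tls {
        # Mutual TLS: require a client certificate signed by Cloudflare's
        # origin-pull CA (Authenticated Origin Pulls). Anything that connects
        # without it fails the handshake before reaching the proxied app.
        # The file path is an assumption; fetch the CA from Cloudflare.
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /etc/caddy/cloudflare-origin-pull-ca.pem
        }
    }

    # Defence in depth: also close connections that do not come from the
    # proxy's address ranges. The CIDRs below are documentation placeholders;
    # substitute the current list published by Cloudflare.
    @not_cloudflare not remote_ip 192.0.2.0/24 2001:db8::/32
    abort @not_cloudflare

    reverse_proxy localhost:30000
}
```

Run `caddy validate --config /etc/caddy/Caddyfile` before reloading to catch syntax mistakes.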
I think clarification is needed here too, because I read a comment about an Emby exploit. I'd never expose a service directly to the Internet. Put a reverse proxy with authentication in front of it (or your choice of VPN, etc.).

Dyscrasia fucked around with this message at 04:19 on Sep 29, 2023
# Sep 29, 2023 04:16

dweepus posted:

> So when you say authentication in front of the reverse proxy, do you mean Login Prompt > Nginx proxy > Jellyfin login prompt? So having an authentication layer on both sides of the reverse proxy?

More or less. I'd probably turn off the Emby authentication and force all traffic through the reverse proxy. I don't trust services like Emby or the *arrs to properly implement authentication. I use Emby myself, but only on the local network. I'd be using Tailscale if I needed remote access.

# Sep 30, 2023 15:10

Ah shoot, in that case it's VPN all the way, in my opinion.

# Sep 30, 2023 23:41

mawarannahr posted:

> NetData is very easy to get running, FWIW. I'd even call it "batteries included."

Netdata works great for home servers. The Docker Compose file works out of the box to get all system stats. I've not tried to get it running on my Fedora system with Podman as a child to my Ubuntu server's parent yet.

# Feb 22, 2024 01:20