Hey babe love how our http communications are secure locally now. Blow job and a back rub?
Next step, CloudFlare proxy so you don't leak your IP when accessing services.
And you can more safely host more public things like blogs.
When we were dating many years ago, my wife asked about some network concepts. I took it upon myself to draw out a network infrastructure on the white paper sheet covering the table. It was big with details. WTF was I thinking. She was a Dev so I wanted to flex. I think it worked 🤣
But, setting up your own offline root and intermediate issuing CAs is so much fun!
I too like my websites and web-based consoles to not pop up the https warning, so good on ya for getting that going
All my network devices have role-based access via AD and run through a RADIUS server. Most of my devices talk PEAP-MS-CHAPv2 for RADIUS auth; in a server-per-service environment like mine, where the NPS server is separate from the DCs, a RAS & IAS cert on the NPS server is required for that communication.
This is like seeking appreciation for breathing.
I am using caddy, which I thought was a one stop shop, but I’m getting errors for the certain trusted by my antivirus.
I won't appreciate you, because SSL certs stopped being used years ago. TLS however...
While pedantically true, it’s still referred to as a SSL certificate in common usage.
10 points for the subject lmfao I’ll go read now .. go easy on the gf, she probably rambles about makeup or skin care or something that makes your eyes gloss over
I wanted to do that as well but was too stupid to figure out how. Guess I will give it another shot
Bravoooo
Congrats! Good job!
I have had local SSL and in house DNS servers for many years now, and I feel you because my wife couldn't care less.
She does find it annoying and confusing when we are traveling and the bedroom light doesn't switch off by itself 🤷 - our home is fully automated as well
Oh thanks for that, that was one of my next projects, as I don't like unencrypted packets going out through Tailgate to my phone (or worse my GF's phone) for my Home Assistant setup...
It's funny how most of questions are either already answered or get answered when I'm about to search. xD
I got this working as well and am super happy with it! I do have a few small issues though.
I have set up a wildcard cert for *.mydomain.dev pointing to my IP. Anyone can ping any of the subdomains and get my true IP because this setup requires me to have Cloudflare set to DNS only, and if I set it to proxied, it doesn't work.
The second issue I have is some of my applications are not too happy with the setup on https. CasaOS will fail to load the login page unless I clear the cache every time. Pterodactyl won't let anyone externally get to a few of the pages. And a few more here and there I can't remember.
I've followed this nginx proxy manager tutorial and a couple others to get it working to where it's at now, but I can't for the life of me figure out my above issues with my knowledge and experience.
If anyone has any knowledge or resources for these issues please let me know as I've wanted to fix this for a while.
Interesting. I'm a noob - can you tell us if there were any complications or workarounds that the video didn't cover?
There was actually, Cloudflare seemed to not like 2nd-level subdomains. So using a wildcard cert for *.foo.bar.com didn't work for the setup as described in the video, but *.bar.com did.
The other thing was just specific to some of the services I use, like proxmox needed specific NGINX config that I mentioned in this comment. That was it really! DNS and NGINX isn't that foreign to me so I was comfortable, but it was pretty simple IMO. Give it a shot!
I also suggest using this https://www.youtube.com/watch?v=BKCj6A4CHV4&t=1342s
That was the route I always thought I had to go, but it's quite a bit more work/config. One day!
Welcome to the TLS family! I personally run my own CA, but the end result is the same. 🙂 Welcome and enjoy! 😛
How can I set this up? Is it hard?
No, it is not so difficult. But you need a bit of planning.
First of all, you need a way to distribute your ROOT certificate to your clients. That's more a question of automation.
Second, you need to prepare the topology with certain rules. Things like dedicated certificates for people (identity), services (server certificates for dedicated subdomains), machine clients (for mTLS and zero-trust), infrastructure stuff like BMC/IPMI, UPS, routers...
Basically, the rules are:
- Self signed ROOT certificate
- Intermediate CA (signing certificate)
- (Optional) signing certificate
In case of multiple (dedicated) certificates, you want to make the split at the intermediate/signing level. The chain will help you enforce the rules.
You should decide which algorithm to use (RSA vs. ECC).
Finally, you need a piece of software that will create and sign the certificates for you. This software must authenticate you and check whether your request conforms to the rules above.
I'm using multiple instances of step-ca. Most of the famous certificate management solutions (the service side asking your authority for a certificate, including rekeying/renewal) support it. Which is good. Standard protocols are always better than in-house ~solutions~ workarounds.
To start building your CA:
- Learn about PKI (a good start is RFC 5280)
- Learn OpenSSL: how to deal with openssl.conf, sections, ASN.1
- If you need additional information on the certificate, register for your own Private Enterprise Number. Do not abuse existing attributes!
- Prepare HTTP (plain HTTP, no TLS) server to serve your intermediate/signing certificates (for AIA protocol) and CRL (for validation)
- Put your intermediate/signing key/certificate into step-ca as a ROOT and you're good to go.
You can also incorporate an HSM if you have one. Just configure its pkcs11 module in OpenSSL and in step-ca.
As it is quite a complex topic, feel free to drop additional questions. 👍
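The chain described in the comment above (self-signed root, intermediate with signing rules, dedicated server certificates, AIA and CRL pointers served over plain HTTP), as an added worked example that is not the commenter's setup or step-ca's own tooling. It uses only the OpenSSL CLI; the hostname, organisation and the AIA/CRL URL are constructed placeholders, and it signs with openssl x509 -req instead of a full openssl ca database, so publishing a real CRL at the advertised URL is left to whatever issues in production (step-ca in the commenter's case). The last function shows what "the chain will help you enforce the rules" means in practice: pathlen:0 on the intermediate makes any CA issued below it fail validation.

```shell
#!/bin/sh
# Two-tier homelab PKI with OpenSSL: offline root -> intermediate -> server cert.
# Added illustration, not the commenter's own setup. Names, subjects and the
# AIA/CRL URL are constructed placeholders. AIA/CRL must be served over plain HTTP.
set -eu

CA_URL="http://ca.homelab.example"   # assumed plain-HTTP host for AIA and CRL files

# One config used by every openssl invocation, so distro defaults never leak in.
# pathlen:0 on the intermediate is the rule the chain enforces: it may sign
# end-entity certificates only, never another CA.
write_config() {
  cat > "$1/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = caIssuers;URI:$CA_URL/root.crt
crlDistributionPoints = URI:$CA_URL/root.crl
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:nas.homelab.example
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = caIssuers;URI:$CA_URL/intermediate.crt
crlDistributionPoints = URI:$CA_URL/intermediate.crl
EOF
}

# new_csr DIR NAME SUBJECT: fresh ECC key plus CSR (extensions are applied at signing).
new_csr() {
  openssl req -new -config "$1/pki.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" >/dev/null 2>&1
}

# sign DIR CSRNAME CANAME PROFILE DAYS: issue CSRNAME.crt from CANAME with PROFILE.
sign() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
    -days "$5" -extfile "$1/pki.cnf" -extensions "$4" -out "$1/$2.crt" >/dev/null 2>&1
}

# build_pki DIR: root (keep offline in real life), intermediate, one server cert.
build_pki() {
  d="$1"; mkdir -p "$d"; write_config "$d"
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_root \
    -newkey ec -pkeyopt ec_paramgen_curve:P-384 -nodes \
    -keyout "$d/root.key" -out "$d/root.crt" -days 3650 \
    -subj "/O=Homelab/CN=Homelab Root CA" >/dev/null 2>&1
  new_csr "$d" intermediate "/O=Homelab/CN=Homelab Issuing CA"
  sign "$d" intermediate root v3_intermediate 1825
  new_csr "$d" server "/CN=nas.homelab.example"
  sign "$d" server intermediate v3_server 365
  # Clients install only root.crt; the server presents server.crt + intermediate.crt.
  cat "$d/server.crt" "$d/intermediate.crt" > "$d/server-chain.pem"
}

# verify_leaf DIR: 0 when server.crt chains to the trusted root via the intermediate.
verify_leaf() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
    "$1/server.crt" >/dev/null 2>&1
}

# pathlen_enforced DIR: sign an unplanned CA under the intermediate, then a server
# cert under that; returns 0 when the verifier rejects the over-long chain.
pathlen_enforced() {
  d="$1"
  new_csr "$d" subca2 "/CN=Unplanned Sub CA"
  sign "$d" subca2 intermediate v3_intermediate 30
  new_csr "$d" deep "/CN=nas.homelab.example"
  sign "$d" deep subca2 v3_server 30
  cat "$d/intermediate.crt" "$d/subca2.crt" > "$d/untrusted.pem"
  if openssl verify -CAfile "$d/root.crt" -untrusted "$d/untrusted.pem" \
       "$d/deep.crt" >/dev/null 2>&1; then
    return 1   # chain accepted: the pathlen rule did not hold
  fi
  return 0     # rejected (path length constraint exceeded), as intended
}

if [ "${1:-}" = "run" ]; then
  dir=$(mktemp -d); build_pki "$dir"
  if verify_leaf "$dir"; then echo "server.crt chains to root: OK"; fi
  if pathlen_enforced "$dir"; then echo "pathlen:0 blocks an extra CA tier: OK"; fi
  echo "artifacts in $dir"
fi
```

Run it as sh pki.sh run. Everything a client needs to trust is root.crt, which is the file to push out with whatever automation you use; the AIA URLs only help clients fetch a missing intermediate, so the server should still send the full server-chain.pem.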
Finally! A ~~worthy opponent~~ fellow who also cares about having proper OIDs and AIA :)
Prepare HTTP (plain HTTP, no TLS) server to serve your intermediate/signing certificates (for AIA protocol) and CRL (for validation)
Or create a repository on GitHub, point ca.yourdomain.com to GitHub Pages and publish there. Doing this solves the PKI chicken-and-egg problem for a homelab and doesn't tie up any resources to serve them.
HTTP! Not HTTPS! No chicken and egg problem here.
Thank you, I’m actually currently building my CA. Planning for an offline root. Question, what free or not enterprise prices software options are there? I have entrust at work, looking for something I can use at home.
For my Root I use OpenSSL with the pkcs11 module to keep the keys on a Yubikey, then I use Step CA as an intermediate/issuing.
Planning to use Yubikey for one of my subCAs. Do you know a good writeup on OpenSSL+Yubikeys?
Also, which Yubikey slot do you use for storing the cert/pkey?
Ha! You run the same stack as I do. 🙂
"not so difficult"
Well thanks, I feel like a complete moron, because that's a level of complexity way beyond what I could do/manage.
It's a bunch of terms I don't know about, but I don't think it's very hard after you learn a bit more and understand the reasoning behind the steps.
I'd personally not want to host a personal CA without HA though, so I suppose I'm sticking with EFF for this one
Sometimes my wife will ask me to explain technology things in great detail when she's having trouble falling asleep.
Lmfao
Yeah, that's normal. 🤓😎
If anyone wants to explain Nginx, reverse proxies and Cloudflare tunnels I'm here for it.
Think of a reverse proxy as a middle man.
Internet comes in to your internet connection and immediately asks “cool story bro…where do I find XYZ service?”
A reverse proxy works by your modem or router saying “ffs bro I have no idea, all I know is you need to go talk to Apache”
So the internet traffic walks over and says “the modem told me to talk to you about getting to XYZ service?”
Apache goes ahead and responds “dude I got you…that service. It lives over here at 192.168.0.12:1234. In fact let me go get it for you so that you don’t have to go anywhere else. Here’s what you are looking for, you can just go through me and I’ll get you the things you want.”
So the internet traffic continuously goes through Apache, Nginx proxy, traefik etc to get the things it wants and Apache Nginx etc just work as a middle man.
I have a lot of not very good YouTube videos explaining how to reverse proxy from Apache to a bunch of services…unifi proxmox esxi and others. As well as videos explaining how to get star certs setup and things like that.
But in a nutshell. That’s what’s going on.
I’m gonna get yelled at but… why? What does this do for the network? Does it make it faster? Safer? Just feels like another thing that could break and then the wife breaks me with “it’s not working.”
Lol. My wife does the sam
Sam sounds like a homewrecker
I hear Jodi is worse.
Well done! You'll celebrate even more if you are using a service like Let's Encrypt and the certificate auto renews without intervention.
Yup, it's through Let's Encrypt. It was a relatively painless setup. I'm quite pleased.
I use HAProxy on pfSense with wildcard LetsEncrypt certs and a firewall rule only to allow connections from the WAN IP Address.
It’s really easy and requires no certificates on the target servers.
My setups are similar. HAProxy as an SSL terminator for all domains. Unencrypted proxy to the services after that. Nginx can use v2 proxy which is nice.
I have a bunch of scripts that collect all the domains and then generate / renew the certs with acme.sh . HAProxy can reload certs with no downtime as well.
One day i will take my lazy ass and fix this too. Not today though, but some day!
I took the time months ago to set up a wildcard cert with Let's Encrypt but they're only good for like 3 months. The first time it expired I was like meh fuck it lol