Comment

Comment on How do you all handle security and monitoring for your publicly accessible services?

Sorta, you have to install your certificate authority into the browser and it might complain about verifying that but it will still connect with the encryption.

source

Sort:hotnew top

peregus@lemmy.world ⁨1⁩ ⁨week⁩ ago
No no, what I meant is that if I connect to your server without the certificate installed don’t I just get the warning and I can still get through?

source
- j4k3@lemmy.world ⁨1⁩ ⁨week⁩ ago
  Not unless an http port is open too. If the only port is https, you have to have the certificate. Like with my AI stuff it acts like the host is down if I try to connect with http. You have to have the certificate to decrypt anything at all from the host.
  
  source
  - greyfox@lemmy.world ⁨1⁩ ⁨week⁩ ago
    If you are just using a self signed server certificate anyone can connect to your services. Many browsers/applications will fail to connect or give a warning but it can be easily bypassed.
    
    Unless you are talking about mutual TLS authentication (aka mTLS or two way ssl). With mutual TLS in addition to the server key+cert you also have a client key+cert for your client. And you setup your web server/reverse proxy to only allow connections from clients that can prove they have that client key.
    
    So in the context of this thread mTLS is a great way to protect your externally exposed services. Mutual TLS should be just as strong of a protection as a VPN, and in fact many VPNs use mutual TLS to authenticate clients (i.e. if you have an OpenVPN file with certs in it instead of a pre-shared key). So they are doing the exact same thing. Why not skip all of the extra VPN steps and setup mTLS directly to your services.
    
    mTLS prevents any web requests from getting through before the client has authenticated, but it can be a little complicated to setup. In reality basic auth at the reverse proxy and a sufficiently strong password is just as good, and is much easier to setup/use.
    
    Here are a couple of relevant links for nginx. Traefik and many other reverse proxies can do the same.
    
    How To Implement Two Way SSL With Nginx
    
    Apply Mutual TLS over kubernetes/nginx ingress controller
    
    source
  - peregus@lemmy.world ⁨1⁩ ⁨week⁩ ago
    Oh, I really didn’t know that. Thanks
    
    source