Kleopatra
Comment on Just created my own zero trust network!
BaroqueInMind@piefed.social 2 months agoHow?
archy@lemmy.world 2 months ago
possiblylinux127@lemmy.zip 2 months ago
That isn’t mutualTLS
It just is a frontend for gpg. You need OpenSSL for mutual certs.
tux7350@lemmy.world 2 months ago
Ya got three options.
Option A is to create your own certificate that is self-signed. You will then have to load the certificate into any client you want to use. Easier than people realize, just a couple terminal commands. Give this a go if you want to learn how they work.
Option B is to generate a certificate with Let’s Encrypt via an application like certbot. I suggest you use a DNS challenge to create a wildcard certificate.
Option C is to buy a certificate from your DNS provider aka something like cloudflare.
IMO the best is Option B. Takes a bit to figure it out but its free and rotates automatically which I like.
I like helping and fixing stuff, if you’d like to know anything just ask :D
RunningInRVA@lemmy.world 2 months ago
None of these are client certificates btw. These are just ways to have your server use TLS encryption with any client that connects but it offers no authorization. If you want authorization with client certificates you need to implement mTLS (Mutual TLS).
tux7350@lemmy.world 2 months ago
Oooo ya know I actually don’t know about these. I’ve done both A and B for my homelab and C for work.
Any good resources / insight into mTLS? I appreciate the response btw!
RunningInRVA@lemmy.world 2 months ago
Google?
possiblylinux127@lemmy.zip 2 months ago
www.youtube.com/watch?v=YhuWay9XJyw
You really should not expose stuff to the internet willy nilly. If you must you need to have extensive monitoring and security controls plus you should understand the application at a deep level.
SheeEttin@lemmy.zip 2 months ago
Nor is it authentication.
possiblylinux127@lemmy.zip 2 months ago
That is for server side certs not client side. I’m talking about Mutual TLS.
Setting up https is not going to stop bots. All it does is prevent man in the middle attacks. You want to limit who and what can access Jellyfin so that you don’t end up being a victim of an automated exploit.