greyfox
@greyfox@lemmy.world
- Comment on How do you all handle security and monitoring for your publicly accessible services? 3 days ago:
If you are just using a self-signed server certificate anyone can connect to your services. Many browsers/applications will fail to connect or give a warning but it can be easily bypassed.
Unless you are talking about mutual TLS authentication (aka mTLS or two-way SSL). With mutual TLS, in addition to the server key+cert you also have a client key+cert for your client. And you set up your web server/reverse proxy to only allow connections from clients that can prove they have that client key.
So in the context of this thread mTLS is a great way to protect your externally exposed services. Mutual TLS should be just as strong of a protection as a VPN, and in fact many VPNs use mutual TLS to authenticate clients (i.e. if you have an OpenVPN file with certs in it instead of a pre-shared key). So they are doing the exact same thing. Why not skip all of the extra VPN steps and set up mTLS directly to your services?
mTLS prevents any web requests from getting through before the client has authenticated, but it can be a little complicated to set up. In reality basic auth at the reverse proxy and a sufficiently strong password is just as good, and is much easier to set up/use.
Here are a couple of relevant links for nginx. Traefik and many other reverse proxies can do the same.
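As an added example (not from the comment above or from the nginx docs it links), here is an nginx server block that only has a server certificate next to the same block hardened with mTLS, plus the basic-auth alternative the comment mentions; hostnames, file paths and the upstream address are placeholders, and the two server blocks are alternatives, not meant to be deployed together.

```nginx
# WEAK: server certificate only. TLS encrypts the connection, but any client
# on the internet can still reach the application behind the proxy.
server {
    listen 443 ssl;
    server_name app.example.com;                        # placeholder hostname

    ssl_certificate     /etc/nginx/certs/server.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/certs/server.key;    # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;               # placeholder upstream
    }
}

# HARDENED: mutual TLS. Only clients presenting a certificate signed by the
# private CA in client-ca.crt get past the handshake; nginx answers 400 to
# everyone else, so no request reaches the upstream unauthenticated.
server {
    listen 443 ssl;
    server_name app.example.com;                        # placeholder hostname

    ssl_certificate     /etc/nginx/certs/server.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/certs/server.key;    # placeholder path

    # CA that issued the client certificates (your own private CA)
    ssl_client_certificate /etc/nginx/certs/client-ca.crt;   # placeholder path
    ssl_verify_client      on;   # "optional" would let unauthenticated requests through
    ssl_verify_depth       1;

    location / {
        # pass the verified client identity to the app for logging/auditing
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;               # placeholder upstream
    }
}

# ALTERNATIVE from the comment: basic auth at the proxy with a strong password.
# Create the file with: htpasswd -c /etc/nginx/.htpasswd <user>
# Then add inside the location block instead of the ssl_client_* directives:
#     auth_basic           "Restricted";
#     auth_basic_user_file /etc/nginx/.htpasswd;
```

Check the result with `nginx -t` before reloading; with `ssl_verify_client on`, a plain `curl https://app.example.com/` should get a 400 while `curl --cert client.crt --key client.key https://app.example.com/` gets through.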
- Comment on What is everyone using as a HTPC? 4 days ago:
The biggest question is, are you looking for Dolby Vision support?
There is no open source implementation for Dolby Vision or HDR10+ so if you want to use those formats you are limited to Android/Apple/Amazon streaming boxes.
If you want to avoid the ads from those devices, apart from sideloading APKs to replace home screens or something, the only way to get Dolby Vision with Kodi/standard Linux is to buy a CoreELEC supported streaming device and flash it with CoreELEC.
List of supported devices here
CoreELEC is Kodi based so it limits your player choice, but there are plugins for Plex/Jellyfin if you want to pull from those as back ends.
Personally it is a lot easier to just grab the latest gen Onn 4K from Walmart for $50 and deal with the Google TV ads (never leave my streaming app anyways). Only downside with the Onn is lack of Dolby TrueHD/DTS Master audio output, but it handles AV1, and more Dolby Vision profiles than the Shield does at a much cheaper price. It also handles HDR10+ which the Shield doesn't, but that format isn't nearly as common and many of the big TV brands don't support it anyways.
- Comment on Seriously good cold-climate heat pumps are headed to the US market 3 months ago:
> H2i® models provide heating, even in outdoor temperatures as low as -13° F, producing up to 100% heating capacity at 5° F. These units offer year-round comfort even in extreme climates.
Their technical documents show that they are down to about 20% of their usual heat output at that lowest temperature so they need to be sized up accordingly. The reality for most folks in an area cold enough to require these is they have backup heat sources for the coldest days anyways.
- Comment on How come LED Light Bulbs only last for about 2-3 Years? 4 months ago:
I’ve got several full color Hue bulbs that are the most used lights in my house. I haven’t had a single failure in a decade.
I was more than a little annoyed when they decided to stop supporting my original controller for them though.
- Comment on LAPD warns residents after spike in burglaries using Wi-Fi jammers that disable security cameras, smart doorbells 6 months ago:
I would think most Wi-Fi jamming is just deauth attacks. It is much easier to just channel hop, enumerate clients, and send them deauthentication packets.
This way you don't need a particularly powerful radio/antenna; any laptop/hacking tool with Wi-Fi is all you need. There are scripts out there that automate the whole thing, so almost no deep knowledge of Wi-Fi protocols is required.
WPA3 has protected management frames to protect against this but most IoT cameras probably don’t support WPA3 yet.