chiisana

joined 1 year ago
[–] chiisana@lemmy.chiisana.net 3 points 10 months ago

Just noticed the non-paywall link is no longer archive.ph. Thank you for making that change.

While archive.ph has been a long-term alternative to the Wayback Machine from Archive.org, archive.ph had always been finicky and aggressive towards Cloudflare DNS users — failing in inexplicable ways that non-technical end users with no control over their DNS could diagnose themselves.

[–] chiisana@lemmy.chiisana.net 2 points 10 months ago

Ah sorry I went down the wrong rabbit hole.

I’d imagine an isolated VLAN should be a sufficiently good starting point to prevent anyone from stumbling onto it locally, as well as any potential external intruder stumbling out of it?

[–] chiisana@lemmy.chiisana.net 5 points 10 months ago* (last edited 10 months ago)

Changing the port is security by obscurity, and it doesn’t take much time for botnets to scan all of IPv4 space on all ports. See for example the ever-updated list that’s available on Shodan.

Disable password login and use certificates as you’ve suggested already, add fail2ban to block random drive-bys, and you’re off to the races.
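As an added example, not from the comment author: a POSIX shell script that audits an sshd_config for the settings this comment recommends (password login off, key login on) and prints a starter fail2ban jail for sshd. The two config files and the jail thresholds are constructed for the demo; the "absent keyword" handling follows OpenSSH's documented defaults, and the check deliberately ignores the Port value, since moving the port is not a control.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings the
# comment recommends and emit a starter fail2ban jail for sshd.
# Both config files below are constructed for the demo.

WEAK_FILE=$(mktemp)
HARDENED_FILE=$(mktemp)

cat >"$WEAK_FILE" <<'EOF'
# moving the port away from 22 does nothing against full-range scanners
Port 2222
PasswordAuthentication yes
PermitRootLogin yes
EOF

cat >"$HARDENED_FILE" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive can still prompt for a password, so turn it off too
# (the keyword is ChallengeResponseAuthentication on OpenSSH older than 8.7)
KbdInteractiveAuthentication no
PermitRootLogin no
EOF

# sshd_option FILE KEYWORD -> prints the effective value.
# sshd honours the first occurrence of a keyword, matches keywords
# case-insensitively and ignores comment lines; this mirrors that.
sshd_option() {
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd FILE -> prints the number of findings; details go to stderr.
# An absent keyword is judged by the OpenSSH default, which is "yes" for all
# three checked here, so a config that never mentions PasswordAuthentication
# still allows password logins.
audit_sshd() {
    f="$1"; n=0
    v=$(sshd_option "$f" PasswordAuthentication); v=${v:-yes}
    if [ "$v" != "no" ]; then
        echo "$f: PasswordAuthentication is '$v', want 'no'" >&2; n=$((n + 1))
    fi
    v=$(sshd_option "$f" KbdInteractiveAuthentication); v=${v:-yes}
    if [ "$v" != "no" ]; then
        echo "$f: KbdInteractiveAuthentication is '$v', want 'no'" >&2; n=$((n + 1))
    fi
    v=$(sshd_option "$f" PubkeyAuthentication); v=${v:-yes}
    if [ "$v" != "yes" ]; then
        echo "$f: PubkeyAuthentication is '$v', want 'yes'" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# fail2ban_jail -> prints a jail.local fragment for /etc/fail2ban/jail.d/.
# Thresholds are a starting point, not values from the thread: five failed
# logins within ten minutes ban the source address for an hour.
fail2ban_jail() {
    cat <<'EOF'
[sshd]
enabled  = true
port     = ssh
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

echo "findings in weak config:     $(audit_sshd "$WEAK_FILE")"
echo "findings in hardened config: $(audit_sshd "$HARDENED_FILE")"
fail2ban_jail
```

Point the audit at the real file with `audit_sshd /etc/ssh/sshd_config` after confirming `sshd -T` reports the same effective values; `sshd -T` is the authoritative view once Match blocks and Include files are involved, which this simple reader does not follow.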

[–] chiisana@lemmy.chiisana.net 2 points 10 months ago (2 children)

Cloudflare tunnel is a thin client that runs on your machine to Cloudflare; when there’s a request from outside to Cloudflare, it relays it via the established tunnel to the machine. As such, your machine only needs outbound internet access (to Cloudflare servers) and no inbound access (i.e. port forwarding).

[–] chiisana@lemmy.chiisana.net 2 points 10 months ago (1 children)

but I haven’t found that much information on which labels I should add to set it up.

I’ve not automated creation of records for new services, but I’ve made it easier for myself by making hostname.domain.ext the dynamic DNS (managed by a simple cron job with curl commands interacting with the API), and all service.domain.ext just CNAME to the main record.

I don’t think I’ll be automating the creation of the CNAME records because something tells me I’d end up leaving a bunch of dead service DNS records behind.

[–] chiisana@lemmy.chiisana.net 1 points 10 months ago (1 children)

Most likely some sum of (cores × GHz) for each processor in all servers? While it kind of makes sense, it feels like a much higher clock speed than what I’m used to seeing.

I have a single quad-socket E5-4640 server; I think in terms of me having 4 processors with 8 cores at a base 2.4 GHz each; I don’t regularly (or ever, for that matter) think in terms of me having 76.8 GHz.

360G8s should be single- or dual-socket E5 v2 processors. I can’t really math right now (insufficient caffeine), but I can’t seem to make the math work, so I’d imagine that to be aggregated across all three systems, not individual systems?

[–] chiisana@lemmy.chiisana.net 3 points 11 months ago (3 children)

Think of the path the user takes from their browser to your service as a children’s connect-the-dots game. They must go from their browser, to the internet, … eventually to your service, each step doing one thing to get closer to the service and back. Both Traefik and the Nginx reverse proxy do the same thing, routing traffic from the entry point to your service, so you don’t need both.

I think the path currently might look something like this:

User -> Internet -> Cloudflare DNS (port 80/443) -> Cloudflare Tunnel (inside your network) -> Traefik (port 80/443) -> Service A

And now you want to add an extra route that goes something like:

User -> Internet -> Cloudflare DNS (port 80/443) -> Cloudflare Tunnel (inside your network) -> Nginx Reverse Proxy (can’t use port 80/443 because it’s taken by Traefik, so port XYZ but that costs a fee) -> Service B

If this understanding is correct, I’d recommend simplifying to just either Traefik or Nginx, as both do the same job of routing traffic from your entry point (Cloudflare tunnel) to your service.

For a Traefik-based setup, you’d ideally put it on a bridged host network in Docker and have it listen there. Add each individual service you want to expose (i.e. just the container of the web server for the app, not the database) to that network, and apply the appropriate container labels to expose it. It’d then be able to handle all the appropriate routing for you.

I don’t use Nginx, so I can’t touch on that, but I’d imagine a similar setup in which you have Nginx listen on 80/443, then have it route the request to your service as needed based on whatever setup mechanism it uses.

[–] chiisana@lemmy.chiisana.net 1 points 11 months ago

Reminds me of some place that didn’t listen to their mods and devs… 🤔

[–] chiisana@lemmy.chiisana.net 1 points 11 months ago* (last edited 11 months ago)

A CA cert that is higher up can sign for any desired domain. Certificates are a chain of trust, and as long as the entire chain can be validated (by the root level installed by the user), the entire cert will appear valid. During installation, that’s what gets installed, and then the provider signs for whatever domain you’re visiting that they’d need (or want) to MITM.

Cloudflare uses Let’s Encrypt, Google and a few other CAs to sign their certs. You’re not forced to use them as a registrar, and they could (though they would lose accreditation very quickly) in theory sign any domain without you using them to host your domain’s DNS.

[–] chiisana@lemmy.chiisana.net 1 points 11 months ago (2 children)

As the person I replied to mentioned, these kinds of providers would often also get you to install a cert that they’d use to sign with. Once it is installed, the certificates wouldn’t appear broken anymore.
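As an added example illustrating both the comment about CA certs higher up in the chain and this one about providers having a cert installed (not code from either comment): a shell script using the openssl command line that builds two self-signed roots, has one of them sign a leaf certificate for example.com, and then checks which trusted root makes that leaf validate. The root names, hostnames and one-day validity are constructed for the demo. The leaf validates only against the root that actually signed it, so the set of roots installed on a device is the whole trust decision, and reviewing that set is the check a user has.

```shell
#!/bin/sh
# Added example, not from the thread: two self-signed roots, one leaf signed by
# the first, and a check of which trusted root accepts the leaf. All names,
# hostnames and the one-day validity are constructed for the demo.

T=$(mktemp -d)

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat >"$T/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# mk_root NAME PREFIX -> self-signed CA at PREFIX.pem with key at PREFIX.key
mk_root() {
    openssl req -config "$T/req.cnf" -x509 -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

# mk_leaf HOSTNAME ROOT_PREFIX PREFIX -> leaf at PREFIX.pem signed by the root,
# with HOSTNAME in subjectAltName, which is what clients match against
mk_leaf() {
    printf 'subjectAltName=DNS:%s\n' "$1" >"$3.ext"
    openssl req -config "$T/req.cnf" -new -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$1" -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$3.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 1 -extfile "$3.ext" -out "$3.pem" >/dev/null 2>&1
}

# chain_valid ROOT_PEM LEAF_PEM HOSTNAME -> prints "trusted" or "untrusted".
# -no-CAfile/-no-CApath skip the default bundle and directory, so ROOT_PEM is
# the root that decides, modelling a device on which exactly it was installed.
chain_valid() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" \
            -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

mk_root "Provider Root" "$T/provider"
mk_root "Unrelated Root" "$T/other"
mk_leaf example.com "$T/provider" "$T/leaf"

echo "leaf for example.com, Provider Root installed:  $(chain_valid "$T/provider.pem" "$T/leaf.pem" example.com)"
echo "leaf for example.com, Unrelated Root installed: $(chain_valid "$T/other.pem" "$T/leaf.pem" example.com)"
echo "same leaf, client asked for other.example:      $(chain_valid "$T/provider.pem" "$T/leaf.pem" other.example)"
```

The third line shows the other half of the check clients perform: even a trusted chain is rejected when the requested hostname is not in the certificate. On a real machine the equivalent audit is listing the roots in the OS or browser store and asking, for each one, who holds its key.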
