Security 101: Secure Connections

#301 fizzyade

Posted 23 September 2019 - 06:58 AM

There's a custom script plugin I saw mentioned on here the other day, that could potentially be used with acme.sh to automatically generate letsencrypt certificates very easily for free.

 

I guess somebody could write a plugin that calls acme.sh as well.



#302 Swynol

Posted 23 September 2019 - 09:58 AM

There's a custom script plugin I saw mentioned on here the other day, that could potentially be used with acme.sh to automatically generate letsencrypt certificates very easily for free.

I guess somebody could write a plugin that calls acme.sh as well.

It depends what verification method you use. You can't really automate DNS verification with Let's Encrypt.

#303 Swynol

Posted 23 September 2019 - 10:03 AM

Thanks for the response!

I'll take a look at Sophos Home, as well as Webroot. Any reason why this is recommended?

Why is connect better? Does it obscure the public IP address somehow? Or is it simply because the user won't know the domain name?

I'm familiar with Unifi hardware, but I'm still confused how Unifi hardware runs "behind" pfSense. @Tur0k mentioned he has this config as well. How do you load a Unifi router with pfSense?

I run a UniFi USG at my WAN edge. Behind this I have Sophos UTM (or pfSense in your case), mainly only doing packet inspection and some geo-IP blocking and blacklisting.

WAN traffic coming in first goes through Cloudflare, protecting my IP and giving some DDoS protection and image hosting.

#304 fizzyade

Posted 23 September 2019 - 10:08 AM

It depends what verification method you use. You can't really automate DNS verification with Let's Encrypt.

Huh?  

 

I have loads of devices that automatically update their LetsEncrypt certificates without any interaction, it's a doddle: just host your DNS with an acme.sh-supported provider and use DNS verification. I use this very same configuration to automate the renewal of certificates on applications that don't have support for LetsEncrypt built in.



#305 fizzyade

Posted 23 September 2019 - 10:19 AM

Thanks for the response!

 

I'll take a look at Sophos Home, as well as Webroot. Any reason why this is recommended? 

 

Why is connect better? Does it obscure the public IP address somehow? Or is it simply because the user won't know the domain name?

 

I'm familiar with Unifi hardware, but I'm still confused how Unifi hardware runs "behind" pfSense. @Tur0k mentioned he has this config as well. How do you load a Unifi router with pfSense?

 

You don't, you run the USG Gateway software on it, it's pretty underwhelming in terms of functionality and power. I've got an unused USG 4 Pro sitting in my rack. The interesting stuff like IPS/IDS can't be run on it properly if you have a fast internet connection as it maxes out on the 4 at 300 (give or take a bit, maybe 400) with that feature enabled. It's a fairly basic product which is missing a lot of functionality from the GUI that can be configured via a JSON file, so once you start getting limited with the GUI be prepared to delve into the world of JSON! The integration into the Controller is nice though, it's due a hardware refresh (they have the UDM now which seems to overlap other products), if it could push 1G through IPS/IDS and was priced reasonably then it'd probably be a good choice for a lot of folks.

 

I switched to using a NUC running Untangle, the moment I installed Untangle to test it I was so impressed.  It's like $50 a year for a personal license of it and well worth it.

 

I have a mixture of UniFi and Mikrotik switches (all UniFi APs), the Mikrotiks are used for the 10G network.



#306 Doofus

Posted 23 September 2019 - 10:48 AM

I have a pfSense router and a USG Pro 4. I use both, USG behind the pfSense. The USG doesn't NAT. On pfSense I run Snort and TorGuard (OpenVPN) interfaces. The USG's IPS is good, but it has a weak processor and can't handle the load above 250Mb/s. Running Snort on pfSense replaces the use of the USG IPS.

#307 fizzyade

Posted 23 September 2019 - 11:21 AM

I have a pfSense router and a USG Pro 4. I use both, USG behind the pfSense. The USG doesn't NAT. On pfSense I run Snort and TorGuard (OpenVPN) interfaces. The USG's IPS is good, but it has a weak processor and can't handle the load above 250Mb/s. Running Snort on pfSense replaces the use of the USG IPS.

 

Yeah, didn't fancy the short lived USG XG?  :lol:



#308 Doofus

Posted 23 September 2019 - 12:00 PM

Yeah, didn't fancy the short lived USG XG? :lol:


I wanted it, but $3000 was a bit too much.

#309 shocker

Posted 23 September 2019 - 12:47 PM

Quick question

 

I have a reverse proxy successfully configured with subdomain.domain.tld port 443 and on Emby network I have:

 

External domain: subdomain.domain.tld

WAN and LAN ports, default

Secure connection mode: Handled by remote proxy

No additional certificates added on network part, only on nginx.

 

Now when I'm connecting with Emby Connect, in my profile I have the server IP address, not the reverse proxy domain, and the traffic from the app is not going via the reverse proxy.

 

Any idea why?



#310 darkassassin07

Posted 23 September 2019 - 01:21 PM

It depends what verification method you use. You can't really automate DNS verification with Let's Encrypt.

This depends very much on what features your dns provider has.
I use a free Cloudflare account in front of my server which allows me to update DNS records via Cloudflare's API. I then have a script that runs these two commands every two months, refreshing my cert with acme.sh + LetsEncrypt:
/home/pi/.acme.sh/acme.sh --issue -d mydomain.com -d *.mydomain.com --force --dns dns_cf >> /home/pi/logs/cert.log
/home/pi/.acme.sh/acme.sh  --install-cert -d mydomain.com --key-file /home/pi/SSL/key.key --fullchain-file /home/pi/SSL/cert.pem --reloadcmd "sudo nginx -s reload" >> /home/pi/logs/cert.log

Edited by darkassassin07, 23 September 2019 - 01:21 PM.


#311 fizzyade

Posted 23 September 2019 - 01:38 PM

Yep, that's very similar to my setup.

Here’s the list of providers that have support for automation of certificate renewal.

https://community.le...ts-encrypt/6920

Tbh, if your DNS provider doesn’t support it then I’d move provider.

Cloudflare is absolutely awesome.

#312 fizzyade

Posted 23 September 2019 - 01:50 PM

Quick question

I have a reverse proxy successfully configured with subdomain.domain.tld port 443 and on Emby network I have:

External domain: subdomain.domain.tld
WAN and LAN ports, default
Secure connection mode: Handled by remote proxy
No additional certificates added on network part, only on nginx.

Now when I'm connecting with Emby Connect, in my profile I have the server IP address, not the reverse proxy domain, and the traffic from the app is not going via the reverse proxy.

Any idea why?


In advanced settings in the server make sure that the external domain is set to your TLD.

You need to set the connection address to the top level domain. You will then either need to enable hairpin NAT on your router so you can connect to the external IP from inside the network, or, if you can't do that, you'll need to set up split DNS, either by adding records for your TLD on your router or by running a DNS server inside your network which resolves hosts inside the network to their local IP and forwards all other requests on to a different DNS server.



Have you got a port forward on 8192 going to 8192 on the server? If so, change it to forward port 8192 to 443 on your reverse proxy.

#313 shocker

Posted 23 September 2019 - 02:08 PM

In advanced settings in the server make sure that the external domain is set to your TLD.

You need to set the connection address to the top level domain. You will then either need to enable hairpin NAT on your router so you can connect to the external IP from inside the network, or, if you can't do that, you'll need to set up split DNS, either by adding records for your TLD on your router or by running a DNS server inside your network which resolves hosts inside the network to their local IP and forwards all other requests on to a different DNS server.



Have you got a port forward on 8192 going to 8192 on the server? If so, change it to forward port 8192 to 443 on your reverse proxy.

 

I think you misunderstood the issue.

I don't have any connectivity issue and my IPs are public IPs: there is no NAT, no port forwarding.

My question is why, when the pairing is done via Emby Connect, the traffic is not sent via the reverse proxy and is sent directly via ip:port of the Emby server.



#314 darkassassin07

Posted 23 September 2019 - 03:29 PM

WAN and LAN ports, default


So both the local and public ports for http are 8096, and https 8920?

'Public https port number' should be set to 443, while the local https port should stay as 8920.

The dashboard of your server should say:
In-home (LAN) access:
http://<embyserverip>:8096
Remote (WAN) access:
https://subdomain.domain.tld:443

If the in-home address is accessible externally, Emby Connect may try to connect to that before attempting the external address.
If that's the case you could try setting up your firewall on the Emby server to only allow the nginx server to connect to it and no other devices.

#315 shocker

Posted 23 September 2019 - 03:38 PM

So both the local and public ports for http are 8096, and https 8920?

'Public https port number' should be set to 443, while the local https port should stay as 8920.

The dashboard of your server should say:
In-home (LAN) access:
http://<embyserverip>:8096
Remote (WAN) access:
https://subdomain.domain.tld:443

If the in-home address is accessible externally, Emby Connect may try to connect to that before attempting the external address.
If that's the case you could try setting up your firewall on the Emby server to only allow the nginx server to connect to it and no other devices.


Sorry, yes, the https is exactly as you described and http is ip:8096.

The in-home address is accessed externally, I think that might be the case.
I can block the port on my network firewall; in this case, if I block 8096, will Emby fall back to the WAN?

#316 darkassassin07

Posted 23 September 2019 - 03:42 PM

I believe so, yes. Assuming your domain name is accessible both at home and externally, you shouldn't have any issues preventing everything but nginx from connecting to Emby on 8096.

/edit: by that I mean the remote address in the dashboard is accessible from home/away.

Edited by darkassassin07, 23 September 2019 - 03:44 PM.
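The firewall arrangement darkassassin07 suggests and shocker asks about (only the nginx reverse proxy may reach Emby's own ports, so clients are left with the published https://subdomain.domain.tld:443 path) as an added example; this is not code from the thread or from Emby or nftables. It assumes nftables is installed on the Emby host, that the proxy's LAN address is passed on the command line, and that Emby listens on 8096 (http) and 8920 (https) as described above; the table name emby_guard is constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) an
# nftables ruleset on the Emby host so that Emby's own ports are reachable
# only from the nginx reverse proxy and from the host itself.
# Assumptions (constructed for this example): nftables is installed, the
# proxy's LAN address is given as the second argument, and Emby listens on
# 8096 (http) and 8920 (https) as in the thread.
set -eu

EMBY_HTTP_PORT=8096
EMBY_HTTPS_PORT=8920
TABLE=emby_guard

# Return 0 when $1 is a dotted-quad IPv4 address with octets 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print a ruleset that accepts Emby's ports from loopback and the proxy and
# drops (and counts) every other connection attempt to them. The table has
# its own name and an accept policy, so existing rules are left alone.
build_ruleset() {
    proxy_ip=$1
    if ! valid_ipv4 "$proxy_ip"; then
        echo "not an IPv4 address: $proxy_ip" >&2
        return 1
    fi
    ports="{ $EMBY_HTTP_PORT, $EMBY_HTTPS_PORT }"
    cat <<EOF
table inet $TABLE {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "lo" tcp dport $ports accept
        ip saddr $proxy_ip tcp dport $ports accept
        tcp dport $ports counter drop
    }
}
EOF
}

# Replace any earlier copy of the table, then load the new one atomically.
apply_ruleset() {
    if nft list table inet "$TABLE" >/dev/null 2>&1; then
        nft delete table inet "$TABLE"
    fi
    build_ruleset "$1" | nft -f -
}

# Usage: emby-guard.sh show <proxy-ip>   print the ruleset
#        emby-guard.sh apply <proxy-ip>  load it (needs root and nft)
case "${1:-}" in
    show)  build_ruleset "${2:-}" ;;
    apply) apply_ruleset "${2:-}" ;;
esac
```

Run `show` first and read the counter on the drop rule (`nft list table inet emby_guard`) after applying: a rising count tells you which clients were still reaching the in-home address directly, which is exactly the behaviour shocker wants Emby Connect to stop relying on.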


#317 shocker

Posted 23 September 2019 - 03:49 PM

I believe so, yes. Assuming your domain name is accessible both at home and externally, you shouldn't have any issues preventing everything but nginx from connecting to Emby on 8096.

/edit: by that I mean the remote address in the dashboard is accessible from home/away.


Yes the domain is fully accessible remotely.
Thank you for that information, I'll give it a try and come back with feedback!

#318 fizzyade

Posted 23 September 2019 - 07:42 PM

This depends very much on what features your dns provider has.
I use a free Cloudflare account in front of my server which allows me to update DNS records via Cloudflare's API. I then have a script that runs these two commands every two months, refreshing my cert with acme.sh + LetsEncrypt:

/home/pi/.acme.sh/acme.sh --issue -d mydomain.com -d *.mydomain.com --force --dns dns_cf >> /home/pi/logs/cert.log
/home/pi/.acme.sh/acme.sh  --install-cert -d mydomain.com --key-file /home/pi/SSL/key.key --fullchain-file /home/pi/SSL/cert.pem --reloadcmd "sudo nginx -s reload" >> /home/pi/logs/cert.log

 

 

Slightly curious why you only run the script every 2 months; acme.sh will only request a new cert if it's within the window for renewal on LetsEncrypt, otherwise it will just ignore the update request.

 

I have a cronjob which runs my cert script every 24 hours and also has an entry for startup, which covers all bases should the machine be down when the job was due to run.

 

I guess whatever works for you is the perfect solution!

 

I'm currently trying to get acme-dns working with caddy, I have a VPS spun up to act as the name server for the records, but haven't managed to get a domain to validate yet. 



#319 darkassassin07

Posted 23 September 2019 - 09:28 PM

I didn't know acme.sh would exit if a renewal isn't necessary. I just figured if the cert is valid for 3 months, renewing every 2 months is a good balance between regular renewals and not spamming LE's servers for no good reason.

#320 fizzyade

Posted 23 September 2019 - 09:56 PM

I didn't know acme.sh would exit if a renewal isn't necessary. I just figured if the cert is valid for 3 months, renewing every 2 months is a good balance between regular renewals and not spamming LE's servers for no good reason.


They've thought of that! It won't connect to the LetsEncrypt servers if the renewal isn't due.

It’s a really cool shell script.

I actually have quite a few machines on the network requesting certs, a mixture of Caddy servers and other servers where acme.sh is easy to deploy. I can really recommend Caddy, it's well worth taking a look at. I run 2 Caddy servers, one which is only internally accessible on the network and the other which is externally accessible, which means I don't need the DNS records for my internal server to be on Cloudflare.

I actually learned from your post that acme.sh has some other features which I could use to simplify some of my use cases, going to investigate and see if I can clean up a few little bits here and there.
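The renewal pattern discussed from darkassassin07's two commands in #310 through fizzyade's daily-cron remarks in #318 and #320, as an added example; this wrapper is not code from the thread or from the acme.sh project. It keeps the wildcard DNS-01 issuance via Cloudflare but drops `--force`, so acme.sh itself decides whether the certificate is inside its renewal window and no unnecessary order is placed. The paths, the domain example.com, the credentials file and the crontab lines are assumptions for the example; `CF_Token` and `CF_Account_ID` are the variables acme.sh's dns_cf hook reads.

```sh
#!/bin/sh
# Added example, not code from the thread or from the acme.sh project: a
# renewal wrapper built from the two acme.sh commands darkassassin07 posted,
# adjusted along the lines fizzyade describes. It is meant to run daily from
# cron; acme.sh decides whether the certificate is inside its renewal window,
# so --force is dropped and an unnecessary order is never placed.
# Assumptions (constructed for this example): the paths below, the domain
# example.com, and a root-only credentials file that sets CF_Token and
# CF_Account_ID, the variables acme.sh's dns_cf hook reads.
set -eu

ACME_HOME=${ACME_HOME:-/home/pi/.acme.sh}
CERT_DIR=${CERT_DIR:-/home/pi/SSL}
DOMAIN=${DOMAIN:-example.com}
CREDS_FILE=${CREDS_FILE:-/etc/acme/cloudflare.env}   # mode 0600, owned by root
LOG=${LOG:-/home/pi/logs/cert.log}
RENEW_BEFORE_DAYS=30   # assumed lead time used by the "check" sub-command

# Whole days from epoch $2 ("now") to epoch $1 (certificate notAfter).
days_between() {
    echo $(( ($1 - $2) / 86400 ))
}

# Print "yes" when a certificate with $1 days left is inside a $2-day
# renewal window, "no" otherwise.
should_renew() {
    if [ "$1" -lt "$2" ]; then echo yes; else echo no; fi
}

# Days until the certificate in file $1 expires (openssl and GNU date assumed).
days_left_for() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    days_between "$(date -d "$end" +%s)" "$(date +%s)"
}

renew() {
    # The DNS-01 API credential is read from a root-only file into the
    # environment, so it never appears on a command line or in the log.
    . "$CREDS_FILE"
    export CF_Token CF_Account_ID

    # No --force: for a certificate that is not yet due, acme.sh logs
    # "Skip, Next renewal time is ..." and exits with status 2 (RENEW_SKIP).
    rc=0
    "$ACME_HOME/acme.sh" --issue -d "$DOMAIN" -d "*.$DOMAIN" --dns dns_cf \
        >>"$LOG" 2>&1 || rc=$?
    case $rc in
        0) ;;                     # a new certificate was issued
        2) return 0 ;;            # renewal not due, nothing to install
        *) echo "acme.sh --issue failed with status $rc, see $LOG" >&2; return "$rc" ;;
    esac

    # Install with restrictive permissions and reload nginx only on success.
    # acme.sh remembers these paths and the reload command, so a later
    # "acme.sh --cron" run repeats the install after each renewal.
    install -d -m 0700 "$CERT_DIR"
    "$ACME_HOME/acme.sh" --install-cert -d "$DOMAIN" \
        --key-file "$CERT_DIR/key.pem" \
        --fullchain-file "$CERT_DIR/fullchain.pem" \
        --reloadcmd "systemctl reload nginx" >>"$LOG" 2>&1
    chmod 0600 "$CERT_DIR/key.pem"
}

# Suggested crontab entries (assumed), daily plus once after boot as fizzyade
# describes, so a missed run is caught the next day or at startup:
#   17 3 * * *  /usr/local/bin/renew-cert.sh renew
#   @reboot     /usr/local/bin/renew-cert.sh renew
case "${1:-}" in
    renew) renew ;;
    check)
        days=$(days_left_for "$CERT_DIR/fullchain.pem")
        echo "$days days left, renew now: $(should_renew "$days" "$RENEW_BEFORE_DAYS")"
        ;;
esac
```

The `check` sub-command is the part worth wiring into monitoring: a certificate that is still inside the window a day after the cron run means the renewal failed silently, and the log path above is where acme.sh's own messages (including the DNS-01 propagation checks) end up.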