crusher11 (posted 10 hours ago)
3 hours ago, Q-Droid said: "Enable SNI (many do by default) so that IP based requests are rejected."
What's SNI?

sh0rty (posted 9 hours ago, edited)
38 minutes ago, crusher11 said: "What's SNI?"
Server name indication. Simple: The reverse proxy just reacts when the specified hostname, e.g. emby.yourdomain.com, is called by the client. Many simple bots, vulnerability scanners and automated scripts try to connect directly to your public IP address.

Q-Droid (posted 9 hours ago)
10 minutes ago, sh0rty said: "Server name indication. Simple: The reverse proxy just reacts when the specified hostname, e.g. emby.yourdomain.com, is called by the client. Many simple bots, vulnerability scanners and automated scripts try to connect directly to your public IP address."
This. And if your domain doesn't have a PTR record for reverse lookups, then your IP is all they know and they can't complete the TLS handshake to get any more info. Just don't run non-TLS services on the same IP. Most domains wouldn't need a PTR unless running an email server, and if someone is, then they should know enough to protect their services.

crusher11 (posted 8 hours ago)
...I have no idea what any of that means, either.

woofstream (posted 7 hours ago)
I'd really love to enable SNI, how should I get started?

Lessaj (posted 5 hours ago)
Nginx Proxy Manager (NPM) is a pretty easy way to get started with SNI since it has a web GUI for configuration.

woofstream (posted 1 hour ago)
Thank you! I have that set up now, new IP address from my ISP as well. I am curious though, is the login page for Nginx Proxy Manager meant to be exposed on my IP or is there more I should do?

Lessaj (posted 1 hour ago)
I don't actually use NPM to properly answer that question, but I would assume no, the login page should not be exposed, only the port that is used for whatever services you have configured to run behind it, which should only be reachable via domain name (SNI) on that port, which is probably 80 and 443. Some light research indicates that port 81 is the login page, definitely don't expose that.

woofstream (posted 1 hour ago)
Makes sense. I accidentally put a 1 where a zero should have gone in my port forwarding. Port 80 isn't showing a login page anymore, thank you!
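
Added example (not part of any post above, and not the configuration Nginx Proxy Manager generates): a plain nginx sketch of the behaviour discussed in this thread, where connections made by bare IP or with an unknown server name are refused and only the named host is proxied. The hostname is the placeholder from sh0rty's post; the certificate paths and the upstream address 192.168.1.10:8096 are assumptions.

```nginx
# Catch-all: matches any client that connects by IP address or sends a
# server name that no other server block claims.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # Abort the TLS handshake before any certificate is sent, so a scanner
    # hitting the IP cannot read the real hostname from the certificate.
    # Requires nginx 1.19.4 or newer.
    ssl_reject_handshake on;

    # Plain HTTP on port 80: close the connection without a response.
    return 444;
}

# The one hostname that is actually served.
server {
    listen 443 ssl;
    server_name emby.yourdomain.com;                     # placeholder from the thread

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # assumed path

    location / {
        proxy_pass http://192.168.1.10:8096;             # assumed LAN address of the media server
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrades through to the backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Run `nginx -t` to validate the file before reloading. Only ports 80 and 443 need to be forwarded at the router for this to work.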