crusher11 1127 Posted 22 hours ago Posted 22 hours ago 3 hours ago, Q-Droid said: Enable SNI (many do by default) so that IP based requests are rejected. What's SNI?
sh0rty 726 Posted 21 hours ago Posted 21 hours ago (edited) 38 minutes ago, crusher11 said: What's SNI? Server name indication. Simple: The reverse proxy just reacts when the specified hostname, e.g. emby.yourdomain.com is called by the client. Many simple bots, vulnerability scanners and automated scripts try to connect directly to your public IP address. Edited 21 hours ago by sh0rty 2
Q-Droid 1002 Posted 21 hours ago Posted 21 hours ago 10 minutes ago, sh0rty said: Server name indication. Simple: The reverse proxy just reacts when the specified hostname, e.g. emby.yourdomain.com is called by the client. Many simple bots, vulnerability scanners and automated scripts try to connect directly to your public IP address. This. And if your domain doesn't have a PTR record for reverse lookups then your IP is all they know and can't complete the TLS handshake to get any more info. Just don't run non-TLS services on the same IP. Most domains wouldn't need a PTR unless running an email server and if someone is then they should know enough to protect their services.
crusher11 1127 Posted 20 hours ago Posted 20 hours ago ...I have no idea what any of that means, either.
woofstream 4 Posted 19 hours ago Posted 19 hours ago I'd really love to enable SNI, how should I get started?
Lessaj 477 Posted 17 hours ago Posted 17 hours ago Nginx Proxy Manager (NPM) is a pretty easy way to get started with SNI since it has a web GUI for configuration. 1
woofstream 4 Posted 13 hours ago Posted 13 hours ago Thank you! I have that setup now, new IP address from my ISP as well. I am curious though, is the login page for Nginx Proxy Manager meant to be exposed on my IP or is there more I should do?
Lessaj 477 Posted 13 hours ago Posted 13 hours ago I don't actually use NPM to properly answer that question but I would assume no the login page should not be exposed, only the port that is used for whatever services you have configured to run behind it - which should only be reachable via domain name (SNI) on that port, which is probably 80 and 443. Some light research indicates that port 81 is the login page, definitely don't expose that.
woofstream 4 Posted 13 hours ago Posted 13 hours ago Makes sense. I accidentally put a 1 where a zero should have went in my port forwarding. Port 80 isn't showing a login page anymore, thank you!
Q-Droid 1002 Posted 12 hours ago Posted 12 hours ago Unless you have a good reason for it you shouldn't open port 80 on the WAN side or any other port that isn't using TLS.
Lessaj 477 Posted 9 hours ago Posted 9 hours ago 2 hours ago, Q-Droid said: Unless you have a good reason for it you shouldn't open port 80 on the WAN side or any other port that isn't using TLS. I think it's needed for SSL auto renewal and probably has an auto redirect but I'm not sure. I had to set up 80 for certificate renewal with acme.sh and have a 443 redirect in the vhost (using httpd).
Q-Droid 1002 Posted 1 hour ago Posted 1 hour ago If he's going to redirect 80 to 443 then that defeats the purpose of using SNI to prevent domain name discovery as it will be revealed in the redirect. If port 80 is used only for cert renewal then I guess it could be done in a way that doesn't reveal anything, like a dead-end page. DNS-01 is another acme challenge option and it doesn't need inbound connections to validate. SNI is not a security feature. It's just handy when used this way to hide information and force snoopers to try harder. And if reverse lookups return the name then it's not useful in that regard.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now