
Question about https

darkassassin07
Posted (edited)

Well, after a lot of trial and error I finally managed to get a web server running via IIS and went to make it accessible from the internet so I could acquire an SSL cert, where I ran into a rather big problem.

 

My internet service is provided by Telus, who has decided ports 80 and 443 need to be blocked at the ISP level for 'security purposes', or at least that is their excuse...

 

Anyone have any ideas on how I can acquire a free SSL cert without the use of port 80?

I was trying to use Certify to get a Let's Encrypt cert on Windows 7.

Edited by darkassassin07
mastrmind11
Posted

https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/page-1?hl=letsencrypt

darkassassin07
Posted

OK, so my only option is to get a certificate by adding a TXT DNS record to my DNS.

 

Now the hunt begins for a free DNS service that allows adding TXT DNS records.

 

My current DNS (dlinkddns.com) has no configuration at all; you just get to pick a name. The DNS I was using before I got a D-Link router, Dynu, requires a pro account for TXT entries.

  • Like 1
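For the DNS-01 route this post settles on, the TXT record value is not chosen freely: it is derived from the challenge token and the ACME account key, so a practitioner will want to compute the expected value and confirm it is what the DNS provider actually serves. The following Python is an added example, not code from this thread or from Certify or Let's Encrypt; the JWK and token are constructed placeholders.

```python
import base64
import hashlib
import json


def b64url(data):
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 of the required JWK members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, thumbprint):
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = token + "." + thumbprint
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(domain):
    """The owner name the CA queries for the DNS-01 challenge."""
    return "_acme-challenge." + domain.rstrip(".")


def txt_record_satisfies(published, expected):
    """True if any published TXT string (quotes stripped) matches exactly; the CA
    checks whether one of the TXT records matches, so unrelated strings may coexist."""
    return any(s.strip('"') == expected for s in published)


# Constructed sample values (not a real account key or challenge).
SAMPLE_JWK = {"kty": "RSA", "n": "sample-modulus-base64url", "e": "AQAB", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-challenge-token-Af7Q"

if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_JWK)
    value = dns01_txt_value(SAMPLE_TOKEN, thumb)
    print(challenge_record_name("example.com"), "IN TXT", value)
    print("published record satisfies challenge:",
          txt_record_satisfies(['"' + value + '"', '"v=spf1 -all"'], value))
```

In practice `published` would be the strings returned by querying `_acme-challenge.<domain>` from a public resolver, which is the check to run before telling the ACME client to proceed.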
Jdiesel
Posted

I should really post a detailed version of my setup one of these days, as I'm sure it would meet the needs of 90% of Emby users, and it is dead simple and requires no maintenance once running.

 

Emby Server (built-in self-signed certs) -----> Cloudflare (SSL Full) ======= Signed SSL certs that work with all Emby clients

There is no need to renew any certs as Cloudflare takes care of everything, and as an added bonus Cloudflare can be used to cache images to speed up browsing as well as obfuscate your server IP address.

  • Like 1
mastrmind11
Posted

IMO, the simplest way to get what you're looking for is to install nginx and run a reverse proxy. Let's Encrypt can be auto-updated every 90 days with certbot, and you can specify the DDNS in the nginx config for the SSL redirect. Took me 10 mins to get everything running on Linux; I can't imagine it would be harder on Windows (and there is at least one reverse proxy tutorial for Windows on this site already).

mwongjay
Posted

Yep, I recommend this solution as well.

Guest asrequested
Posted

I'd be interested in reading that.

Posted (edited)

Personally, I already had a domain that I moved over to Google Domains ($12 per year). I was using it for VPN to my home. I ended up using Let's Encrypt to handle my SSL certificates.

 

Google Domains offers public DNS management for your domain. They support DDNS/A+ records, CNAME, TXT, among others.

 

I run Let's Encrypt ACME and HAProxy (as a reverse proxy) on my pfSense firewall.

 

The Let's Encrypt ACME is set up to restart HAProxy after the certs for my subdomains are renewed. I am even starting to use it to provide SSL certs for my systems internally.

 

HAProxy hosts:

My Emby server.

My home automation management UI.

My remote control service for my home automation server.

My network monitoring service.

 

I am working on locking the system down:

A. Block traffic from known blacklist or spammer IP addresses. This is complete.

B. Limiting protocols to TLS 1.2 or higher, and forcing higher-quality ciphers. This is complete.

C. Client certificate authorization in order to limit access to only devices that have my client certificate, aside from a whitelisted address (example: Emby Connect). Not done yet.

D. Automatically block sources that look like they are attempting a brute force attack. My home automation server already has this ability, but I need to ensure that I implement something similar for Emby, my network monitor, and any other services I host on it. I am working with my network monitor to pick up the logs off of the services to determine the host and the bad password attempted.

 

Once locked down, my plan is to add a security camera NVR, my wifi controller, and the router management interface to it.

 

In HAProxy I allow SSL-encrypted connections on port 443 through my firewall. I have HAProxy set up to dynamically provide services based on the SNI request. It also provides the appropriate certificate based on the source's URL request. Lastly, I had to provide ACLs in HAProxy to pass the source IP address if it is determined to be from the public Internet.

Sent from my iPhone using Tapatalk

Edited by Tur0k
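Item D in the post above, flagging sources that look like a brute-force attempt from the service logs while leaving a whitelisted address alone, can be prototyped offline before wiring it into a firewall rule. The following Python is an added example and not Tur0k's setup or any Emby, HAProxy or pfSense code; the log format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, event, user, source IP). Emby's real log
# format differs; LINE_RE below is the only part that would need changing.
SAMPLE_LOG = """\
2017-07-28 10:00:01 AUTH_FAIL user=admin src=203.0.113.7
2017-07-28 10:00:03 AUTH_FAIL user=root src=203.0.113.7
2017-07-28 10:00:04 AUTH_FAIL user=emby src=203.0.113.7
2017-07-28 10:00:09 AUTH_OK user=alice src=192.0.2.10
2017-07-28 10:01:00 AUTH_FAIL user=alice src=192.0.2.10
2017-07-28 10:20:00 AUTH_FAIL user=alice src=192.0.2.10
2017-07-28 10:40:00 AUTH_FAIL user=alice src=192.0.2.10
2017-07-28 10:30:00 AUTH_FAIL user=bob src=198.51.100.5
2017-07-28 10:30:01 AUTH_FAIL user=bob src=198.51.100.5
2017-07-28 10:30:02 AUTH_FAIL user=bob src=198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+ \S+) AUTH_FAIL user=(\S+) src=(\S+)$")


def parse_failures(text):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def brute_force_sources(text, threshold=3, window_minutes=10, allow=()):
    """Return source IPs with >= threshold failures inside any sliding window,
    skipping addresses on the allow list (e.g. a trusted relay)."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, _user, src in parse_failures(text):
        if src not in allow:
            failures[src].append(ts)
    flagged = []
    for src, times in failures.items():
        times.sort()  # log lines need not arrive in order
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)
```

With the sample above, `brute_force_sources(SAMPLE_LOG)` flags the two bursty sources but not alice, whose three failures are spread over 40 minutes; passing `allow={"198.51.100.5"}` exempts that address the way the post describes for Emby Connect.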
darkassassin07
Posted (edited)

Alright, I have finally managed to get an SSL cert via Let's Encrypt and point Emby at it (with the correct pass and domain name). After a clean restart I still can't connect on port 8920 through any means. However, if I ping port 8920 via http://canyouseeme.org/ I do get a response now, where I didn't with the self-signed cert.

I'm also getting this log with a few errors:

edit: in the first few lines of the log: "EnableHttps":false  ??

server-63636798768.txt

Edited by darkassassin07
mwongjay
Posted

I would not recommend exposing your security camera, wifi controller, and router management externally. There's really no reason you need to. Use a VPN to access those resources. You can attempt to lock down everything, but there's no guarantee you've hardened your infrastructure well enough that you've covered every vulnerability.

  • Like 1
Posted

edit: in the first few lines of the log: "EnableHttps":false  ??

 

Did you enable this?

 

597b484ec42a8_httpsext.png

darkassassin07
Posted

The external domain I do have set; I just tried enabling "report https as external address" to no avail. :/

 

Here's another log:

 

server-63636823433.txt

Posted (edited)

I would not recommend exposing your security camera, wifi controller, and router management externally. There's really no reason you need to. Use a vpn to access those resources. You can attempt to lock down everything, but there's no guarantee you've hardened your infrastructure well enough that you've covered every vulnerability.

You make a good point: making anything accessible to the outside has risks. Vulnerabilities could exist in the configuration, the protocols used, or in the application itself. Any access to the public Internet like

1. an unpatched home router,

2. a publicly trusted SSL-encrypted site with client authentication certificates and brute force attack mitigation,

3. as well as VPN could become vulnerable to attack from the public Internet.

4. IoT devices, many of which are having security vulnerabilities baked in from manufacturers, that can:

A. Traverse your home router and communicate with destinations on the big I.

B. Circumvent the software/firmware developer's design to facilitate things like root-level command execution.

C. Run regular phone-home processes across the big I.

 

I work in the IT field, and while I do have a VPN tunnel to my home set up that can access all my internal resources, learning about client certificate authentication, SSL management/automation and SSL offloading/load balancing/failover configurations on reverse proxies is valuable for me to experience and learn.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
darkassassin07
Posted

Well... I feel like a bit of an idiot...

The majority of the testing I have been doing has been via either localhost:8920 on the server, or <local ip>:8920 on my phone (same network).
I have occasionally tested with <public ip>:8920 or mydomain.com:8920, but I haven't tried that in a while since swapping quite a few settings...

On a whim I randomly tried using https://localhost:8920 and was connected (after a security alert about a mismatched domain name).

Next I tried https://<local ip>:8920 and that worked just as well.

I didn't even consider the prefix would be required, as I have never had to enter a prefix (http:// or https://) to access any web page before... though it seems it is only required for local connections, or at least connections using an IP or 'localhost'.

Thank you all for your help sorting this out, this has been quite an adventure for someone very unfamiliar with this topic.

  • Like 1
darkassassin07
Posted (edited)

-snip-

Edited by darkassassin07
Posted

Thanks for the feedback.

mwongjay
Posted

If you decide to use a reverse proxy like nginx, you can set up a permanent redirect from http -> https so any client accessing your service(s) will not have to worry about the protocol.

mwongjay
Posted

I applaud you for wanting to learn more; I would just be more cautious on your implementation. You should be treating your main tech stack as a production environment - you shouldn't learn/test on production. You can set up all of that in a homelab that is isolated if you want to experiment and learn.

Posted (edited)

I applaud you for wanting to learn more; I would just be more cautious on your implementation. You should be treating your main tech stack as a production environment - you shouldn't learn/test on production. You can set up all of that in a homelab that is isolated if you want to experiment and learn.

I appreciate the warning, and will take it into consideration. For me, my home network is my box of legos. I get to build things up and then tear them down pretty well whenever I want. I am lucky that my wife is very forgiving.

To be honest, with:

blacklist/spammer IP blocking,

IDS,

brute force attack source IP blocking,

I am pretty comfortable. Once I further augment my AAA with client certificate authentication I will be in a well protected state. My plan then is to determine how to break into it.

Sent from my iPhone using Tapatalk

Edited by Tur0k
