Hi guys,

Just wanted to see why people would expose services either through a reverse proxy or directly, if technologies like WireGuard and OpenVPN exist?

Convenience would probably be the top answer, but is it really worth the risk?

Thanks

  • hi65435@alien.topB · arrow-up 1 · 1 year ago

    Can you though? I used to do exactly these things and either on Android or iOS I had trouble installing a certificate. Well, in a way it’s not a big issue anyway; probably it’s smart to go with public domains anyway (even for private resources).

    • ConfusionSecure487@alien.topB · arrow-up 1 · 1 year ago

      I have no issue at all on Android. I don’t use iOS, so I cannot verify on there.

      But I meant client certificates in this context. What I do:

      1. Use a public domain, pointing A and AAAA records for *.domain.tld to a Traefik LB/reverse proxy. I use it on Kubernetes.
      2. Use LE for that *.domain.tld instead of per-host certs, to be more private (as all public CAs disclose the signed certs (https://crt.sh/)).
      3. Create my own CA for client authentication.
      4. Set that own CA as the trust anchor for clients in Traefik for the domains which require authentication.
      5. Create client certificates + keys for my users. (I don’t use the CSR way, as that makes it complicated for them.) I use the .pfx format, as this is widely accepted by browsers and systems; .p12 should also work.
      6. Add the client certificate on the devices. But I don’t put the CA as a trust anchor on them. This would lead to warnings on the devices, as that would allow MITM attacks.
      • hi65435@alien.topB · arrow-up 1 · 1 year ago

        Ah ok, that’s smart, so you don’t have to mess with installation and still can manage your own CA from the *.domain.tld. I just double-checked, I’m very sure it was on iOS, but some years ago. Apparently it’s possible to install custom certs there as well, but it’s a little painful.

        edit: ok, I think the general problem on iOS is to install custom certs globally, e.g. to use for the calendar I guess:

        Personal Certificates can only be installed in Safari.
        NO other browsers are supported.

        https://kb.mit.edu/confluence/display/mitcontrib/Installing+Root+and+Personal+Certificates+on+iOS