Hi guys,

Just wanted to see why people would expose services either through a reverse proxy or normally, if technology like WireGuard and OpenVPN exist?

Convenience would probably be the top answer, but is it really worth the risk?

Thanks

  • ConfusionSecure487@alien.topB
    1 year ago

    I have no issue at all on Android. I don’t use iOS, so I cannot verify on there.

    But I meant client certificates in this context. What I do:

    1. Use a public domain, pointing A and AAAA *.domain.tld to a traefik lb/reverse proxy. I use it on Kubernetes.
    2. use LE for that *.domain.tld, instead of direct domain certs to be more private (as all public CAs disclose the signed certs (https://crt.sh/))
    3. create my own CA for client authentication
    4. set the own CA as trust anchor for clients in traefik for domains which require authentication
    5. create client certificates + keys for my users. (I don’t use the CSR way, as that makes it complicated for them). I use the pfx format, as this is widely accepted by the browsers and systems. p12 should also work
    6. Add the client certificate on the devices. But I don’t put the CA as trust anchor on them. This would lead to warnings on the devices, as that would allow MITM attacks.
    • hi65435@alien.topB
      1 year ago

      Ah ok that’s smart, so you don’t have to mess with installation and still can manage your own CA from the *.domain.tld. I just double-checked, I’m very sure it was on iOS but some years ago. Apparently it’s possible to install custom certs there as well but it’s a little painful

      edit: ok I think the general problem on iOS is to install custom certs globally, e.g. to use for the calendar I guess

      Personal Certificates can only be installed in Safari.
      NO other browsers are supported.

      https://kb.mit.edu/confluence/display/mitcontrib/Installing+Root+and+Personal+Certificates+on+iOS