I have a network consisting of two servers an active directory server(192.168.0.3) and a file server(192.168.0.7) I need to create a self-signed certificate using the active directory server to enable domain users to access the file server
does anyone know the best configuration I tried most of the ways mentioned on the internet and I was not able to figure out the right way
For creating SSL certificates and Installing the Certificate Authority (CA) you can also use this link, you can follow the step by step procedure.
For accessing your file server you need in the same IP segment to sharing the same network prefix as defined by their IP addresses and the network mask, and also verify most normal FTP servers use port 21, SFTP servers use port 22 and FTP over TLS (implicit mode) use port 990 by default. These ports are not mandatory, however, so it's best to allow outgoing connections to arbitrary remote ports.
Related
I have set up a mosquitto-broker on my raspberry pi which I have running on my local network. I've tested this locally using the paho-mqtt package in python which is working, however I want to access this broker remotely (outside my local network).
From what I understand, the safest way to do this is to use TLS-authentication and configure mosquitto to listen on port 8883, rather than opening the un-encrypted 1883 port, where login credentials can be sniffed. This is where my problems start, as I suspect my ISP doesn't allow forwarding port 8883 to the (static) IP-address of my RPi. (Port wont open no matter what I try, and I've tried googling this specific issue.)
So my question is:
Is it possible to use another port than the default 1883 or 8883 (which my ISP hopefully allows to be opened) for accessing my locally hosted mosquitto-broker? For example one of the higher-valued ports, which I understand is not reserved for anything.
I'm imagining connecting to the broker by using my external IP-address with this port (xxx.xxx.xxx.xxx:yyyyy) and either tunneling this data to the 8883-port on the local network, or configuring mosquitto to listen on the selected port. Any tips on how I can solve this issue?
EDIT
Thanks for your answers! I just got off the phone with my ISP, and unfortunately they don't allow opening ANY ports because I live in a university dorm, so opening a different port won't work either. I guess using a cloud broker is the only option.
You can use any ports you want (or that your operating system will permit). MQTT uses certain ports by convention but is not restricted to using those ports. You're even welcome to encrypt on port 1883 if you want.
You'll need to do four things:
write the listener configuration directive correctly to use the port you want to use and make sure that you're listening on 0.0.0.0 in order to listen on all network interfaces, or the IP address of a specific network interface to listen on.
correctly configure encryption after the listener directive
ensure that the port you chose is accessible through any firewall your server may be running
properly configure any clients to use the port you configured and work with the encryption you configured
If you want to make it accessible over the Internet you'll need to open a port on your router as well.
If you do make it accessible over the Internet, please require authentication. Encryption won't stop strangers from connecting to your broker, it will just stop eavesdropping on them. Turn off allow_anonymous and set up some Mosquitto accounts.
i've setup a rasberry server with open media vault on board, so i'm using docker to setup multiple services such as:
pihole
plex
nextcloud
and much more
i would like to expose some of them on internet, while others only on LAN.
For internet i will use SSL from letsencrypt, while for LAN i can use a self-signed certificate.
Right now, i'm thinking to create multiple domains on two ports, one dedicated for internet and the other for lan, but... are there better alternatives (also from a security standpoint) ?
P.S.: right now i'm not considering VPN as an alternative
for the people who will read this, i solved in this way using only a nginx instance (on linuxserver swag image).
Created another server block (ports 8443)
Created a self signed certificate for the new server block
Opened on the router and port forwarded on 443 in order to expose only what i want to expose publicly using proxy-conf
Did the same for server block 8443 which is not exposed, so no port forwarding
I have successfully deployed my spring boot app to Compute Engine on ubuntu 18.04, it is behind Nginx proxy but currently Nginx is listening to 80 port, which is http. I need to set up secure connection. I have question about few details, im new to this, all i've done so far is write spring boot/react js apps on windows, in IDE.
Is it necessary to buy a domain for my compute engine or I can just make SSL for the external ip of compute engine ? On compute
engine only the back end rest api is deployed, the front end is on
Netlify and it's already working. I don't need a good sounding
domain name for back end because user won't see it, only front end
app will use the external ip of my compute engine to fetch data
from back end.
I have seen guides that set up SSL in the setting of Nginx, why is that ? Isn't the request first coming to the compute engine's external ip and only after that to Nginx ? Isn't it the job of compute engine to do secure connection by sending public key&certificate to front end and only then relay the request to Nginx ? Or does compute engine simply relay the https request that comes to it to Nginx right away, without securing it/doing any key&certificate sending ?
You can give some advice if you have any, i'm just trying to make a secure connection to my back end spring boot app which is behind Nginx on google compute engine, which currently works only with HTTP but not HTTPs.
1. Technically you're able to have SSL certificate for public IP, but it's rarely used. More details you can find in RFC 5280 and in this question.
Keep in mind that if your IP address changes your SSL certificate become useless.
I've checked a few SSL providers and found that you should be the owner of the IP to obtain such SSL certificate:
accordingly to the article Using an IP Address in an SSL Certificate posted by geocerts:
If you decide that you really need an IP in your cert there are
specific stipulations, conditions, and limitations to consider. The
biggest hurdle for most folks is that the IP address must be
specifically assigned to your company or organization (not your ISP or
hosting provider) as verified by an IP WHOIS lookup.
accordingly to the article Issuing SSL certificate for an IP address by LeaderSSL:
Quite frequent question: is it possible to issue an SSL certificate
for an IP address (and not for a domain name)? Yes, it is possible.
However, there are several requirements:
Only OV SSL certificates can be issued;
The company must own IP address (validation based on WHOIS information of IP-addresses).
same in the article WHAT IS AN IP ADDRESS SSL CERTIFICATE?:
An IP address SSL certificate secures connections directly with the IP
address submitted. Whereas typically an SSL certificate is issued to a
Fully Qualified Domain Name (FQDN), some organisations may need to
secure an IP address.
Only public IP addresses may be used and you must be the owner of the
IP address according to the records at RIPE.
As result, practically, it's almost not possible in case of GCE VM instance and it's easier to proceed with domain certificate.
2. In GCE all the connections to the external IP of VM instance passed through directly to the VM instance. GCE isn't able to secure connections on it's own. You should configure SSL certificate on VM instance. More details you can find in the documentation VPC network overview and IP Addresses.
In addition, you're able to use Google-managed SSL certificates or own SSL certificates on external HTTP(S) load balancers.
I have a website that I'm running locally at localhost:8000. I'd like to access my site from other devices on my network. I've tried to visit the site via my computer's internal IP address via: 127.0.0.1:8000but this doesn't work. Is this possible?
Three most probable things:
Check if there is a network route between the client and the server machine (commands like PING and TRACERT will help);
Check if the server machine has a firewall. If it does, there must be a rule allowing (opening) connections through that port (8000) in TCP;
Most likely, the problem is one of the two above. If not, there's one last thing:
Make sure the web server (the one that serves localhost:8000) is bound to listen to all IP addresses (not only 127.0.0.1).
To know that, search for servername bind all ip addresses on google. E.g., for apache HTTPD, it'd be apache bind all ip addresses.
here is what I do in similar cases:
search rejetto hfs on google, it is single executable less than 1Mb size and download it into your server machine.
after starting it, follow menu->IP addresses. these are all your possible addresess on the server side.
these are your IP addresses to enter, and your port is 8000 as you mentioned.
most possible IP addresses you will find are in the format of following:
192.168.?.?
10.0.0.?
169.254.?.?
besided you will probably need to add a firewall rule for your server app.
I use to develop my project on my localhost, on apache in ubuntu machine.
Sometimes i need to show progress to my costumer.
Is it possible to access to localhost from remote machine?
You can use a service that provides a tunnel to your local service, such as localtunnel, pagekite or ngrok. These services simplify setting up remote demos, mobile testing and some provide request inspection as well.
I find ngrok useful because it provides a https address, which is needed to test things like webcam access.
Terms used in this answer:
Host = machine with site on it
Client = machine you are trying to access the host from
If the host and client are on the same network, you can access the host from the client by entering
http://(hostname or ip address)
in your client's browser. If the site is not running on port 80 (for http) or port 443 (for https), add the post as so (this example is for if your server is on 8080, a common alternate port):
http://(hostname or ip address):8080
If the host and client are not on the same network, and you need to reach across the internet from the client to see the host, you will need to make your host available on the internet for the client to access.
This can be extremely dangerous for your information security if you're not sure what you're doing and I'd recommend getting a cheap-o hosting account (can get them for like $10/month at places like 1:1 hosting).
There are many methods to do this - the difference is security, easiness of the configuration and cost of the solution.
Following I am typing some methods with some analyses
Port Forwarding (with Dynamic DNS and SSL encryption)
This requires router configuration (to forward your routers public port to loclhoat port), however this requires you to have fixed ip address. In case your ip address is not fixed (in most cases) you need to use Dynamic DNS services to be able to use domain name instead ip address (there are lot of available free services). Here we still have security question open. To solve security question i.e. setup ssl certificate we can use Let’s Encrypt service ( https://letsencrypt.org/ ) to get free certificate, however we should configure local server to use the certificate or we should setup reverse proxy (in most cases nginx or apache) and configure proxy to use certificate.
Conclusion – Hard to setup if we want to have secure connection (can be done for free)
VPN
For this scenario we should use VPN services. We should connect our local machine to VPN then in other side we should connect our client's machine to VPN that will allow us to access to localhost by local IP address. We can set up our own VPN server however this requires knowledge to do it right.
Conclusion – Easy, Paid, Secure, Bad User Experience (connecting to VPN every time you need to connect to localhost)
Tunneling
For this scenario we can use free tunneling services (i.e. https://tunnelin.com/). The process is very straight forward i.e. Register a User, Connect your device to service (by running one line command on device), use Web interface to open/close secure tunnels to the device.
Conclusion – Free, Secure, Easy
Yes, if you have a public and static IP. Usually, ISPs offer static ips during a session (i.e. until you disconnect and connect again)