On the server, I installed the VPN using the "setup-ipsec-vpn" script of the hwdsl2 user. I found him here.
As a result of its actions, the script provided me with: User name, password and IPsec PSK code.
However, on the router, I have to put information about Tunnel password, handshake interval and Authentication. You can see the tab with the router configuration here. Unfortunately, I could not find such information (neither at Github nor on the server).
The router is a Huawei B525.
What can I do in this case? Do not complete these fields? Change some configuration in some way?
LNS address: IP (name) of the server
Host Name: Whatever
Tunnel password: IPsec PSK code
Handshake interval: 30s (dpddelay in vpnsetup.sh)
Authentication: Can be "Auto"
Related
I have successfully deployed my spring boot app to Compute Engine on ubuntu 18.04, it is behind Nginx proxy but currently Nginx is listening to 80 port, which is http. I need to set up secure connection. I have question about few details, im new to this, all i've done so far is write spring boot/react js apps on windows, in IDE.
Is it necessary to buy a domain for my compute engine or I can just make SSL for the external ip of compute engine ? On compute
engine only the back end rest api is deployed, the front end is on
Netlify and it's already working. I don't need a good sounding
domain name for back end because user won't see it, only front end
app will use the external ip of my compute engine to fetch data
from back end.
I have seen guides that set up SSL in the setting of Nginx, why is that ? Isn't the request first coming to the compute engine's external ip and only after that to Nginx ? Isn't it the job of compute engine to do secure connection by sending public key&certificate to front end and only then relay the request to Nginx ? Or does compute engine simply relay the https request that comes to it to Nginx right away, without securing it/doing any key&certificate sending ?
You can give some advice if you have any, i'm just trying to make a secure connection to my back end spring boot app which is behind Nginx on google compute engine, which currently works only with HTTP but not HTTPs.
1. Technically you're able to have SSL certificate for public IP, but it's rarely used. More details you can find in RFC 5280 and in this question.
Keep in mind that if your IP address changes your SSL certificate become useless.
I've checked a few SSL providers and found that you should be the owner of the IP to obtain such SSL certificate:
accordingly to the article Using an IP Address in an SSL Certificate posted by geocerts:
If you decide that you really need an IP in your cert there are
specific stipulations, conditions, and limitations to consider. The
biggest hurdle for most folks is that the IP address must be
specifically assigned to your company or organization (not your ISP or
hosting provider) as verified by an IP WHOIS lookup.
accordingly to the article Issuing SSL certificate for an IP address by LeaderSSL:
Quite frequent question: is it possible to issue an SSL certificate
for an IP address (and not for a domain name)? Yes, it is possible.
However, there are several requirements:
Only OV SSL certificates can be issued;
The company must own IP address (validation based on WHOIS information of IP-addresses).
same in the article WHAT IS AN IP ADDRESS SSL CERTIFICATE?:
An IP address SSL certificate secures connections directly with the IP
address submitted. Whereas typically an SSL certificate is issued to a
Fully Qualified Domain Name (FQDN), some organisations may need to
secure an IP address.
Only public IP addresses may be used and you must be the owner of the
IP address according to the records at RIPE.
As result, practically, it's almost not possible in case of GCE VM instance and it's easier to proceed with domain certificate.
2. In GCE all the connections to the external IP of VM instance passed through directly to the VM instance. GCE isn't able to secure connections on it's own. You should configure SSL certificate on VM instance. More details you can find in the documentation VPC network overview and IP Addresses.
In addition, you're able to use Google-managed SSL certificates or own SSL certificates on external HTTP(S) load balancers.
I wanted to create an Uptime check for my API which is an internal TCP load balancer under VPC network . I have a firewall set-up and i have allowed the IP Address for US region to access this internal TCP load balancer . But I am getting the error "responded with Skipping Unsafe Address". I have provided the IP Address of my internal TCP load balancer with port 8082 and protocol is HTTP and Resource Type is URL and I have given the value in path.
Currently, Stackdriver checks cannot check "non-routable" (also known as "private" IP addresses: (10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255). This is what accounts for the "Unsafe Address" error.
However, Private Checkers will be entering EAP soon, and you should be able to use them once they get to Beta. Private Checkers live on your VPC, and can probe non-routable addresses on your network.
The capability is now (June 2021) in beta - If you are interested please contact us (or me directly)and ask to join the beta program.
The new capability allows you to run Private uptime checks - which means you can run your uptime checks on a private network.
I am getting this error when I am running any "consul members" on consul server and clients. The port is in LISTENING state and I made sure there is no firewall blocking. I get this error when in run the same in the consul client:
Error retrieving members: Get http://127.0.0.1:8500/v1/agent/members:
dial tcp 127.0.0.1:8500: connectex: No connection could be made
because the target machine actively refused it.
When I make the above request with the private IP, I get the required output. Can I change the configuration anywhere so that it listens on the private IP for requests?
It seems that your consul members lacks the option -http-addr=....
Example
consul members -http-addr=10.10.10.10:8500
while assuming you use the standard port 8500 of the consul agent and that you started consul via:
consul agent -client=10.10.10.10 #...
Where to find the documentation?
In the Consul Documentation under Running an Agent: "Client Addr":
If you change this address or port, you'll have to specify a -http-addr whenever you run commands such as consul members to indicate how to reach the agent.
Or offline via consul members -help:
http-addr=<address>
Theaddressand port of the Consul HTTP agent. The value can be
an IP address or DNS address, but it must also include the port.
This can also be specified via the CONSUL_HTTP_ADDR environment
variable. The default value is http://127.0.0.1:8500. The scheme
can also be set to HTTPS by setting the environment variable
CONSUL_HTTP_SSL=true.
I am in a situation where I am running my GridServer and Nodes on the cloud and
when I want to access the Grid I use:
http://someip:4444/grid/console
When I want to access the node I use:
http:someip:<nodeport>/wd/hub
I think its a kind of threat as the IPs are publicly accessible. How can I limit that it shouldn't be opened by external users.
Is there any solution for it?
Selenium is not supporting that.
For that purposes you should make a p2p connection between you and grid.
VPN or ssh tunnel will work. Just forward remote server port to a local port:
ssh user#SERVER -L 4444:127.0.0.1:4444
Now, connecting to a local 4444 port will forward you to the remote address "SERVER". All the connection is secured by ssh login/password now and the traffic is hidden in a secure tunnel.
I am following this tutorial and I made the server work in the local network. Now I want to open to the internet. The tutorial does not go into details, except saying that "you need to forward TCP port 80 to your Web server". I did some research to understand what this means, but could not find a good step by step instructions. Can you direct me to any material that I can read to set up the server for the internet?
EDIT
As instructed here I connected to the router with 192.168.1.1 and opened the Port Forwarding/Port Triggering tab and I entered the following information:
Service Name HTTP
Start Port: 80
End Port: 80
Server IP Address: ServerIPAddress
Is this correct?
That means that you have to forward http request coming to your public_ip:80 to your private_ip:80.
This is usually done with proxies or firewalls.
As we are talking about home network here, i think you have a home box/router that provides you internet access.
So you have to login to your box/router and searh for a feature like routing/port-forwarding configuration settings.
Then configure it to forward port 80 to your web server private ip on port 80.