I've done that in the past, even for securing the admin pages of some software (there was once an issue where the admin page auth could be bypassed, this essentially adds another layer). With TLS it's okay for getting something up and running quickly.
Of course, for the things that matter a bit more, you can also run your own CA and do mTLS, even without any of the other fancy cloud services.
After coming across a brief tutorial of mTLS in this tool for locking down access to my family photo sharing [0] I have bounced around the internet following various guides but haven't ended up with a pfx file that I can install in a browser. Can you recommend any resource to understand which keys sign what, and what a client certificate is verified against?
The guides I find often contain the openssl incantations with little explanation so I feel a bit like stumbling through the dark. I realize how much I've taken stacktraces for granted when this auth stuff is very "do or do not, there is no error"
Firefox can be configured to use Kerberos for authentication (search for "Configuring Firefox to use Kerberos for SSO"); on Windows, Chrome is supposed to do so too by adding the domain as an intranet zone.
I mean, I'm aware of SPNEGO etc. It's just that it was... ignored(?) by the startups/the community/google? Whatever little support there is is comparatively a worse experience than what we've got now for no really good reason.
Good luck when the TCP or SSL stack has an issue. These bugs are rare but they do exist and you're getting fucked royally if your entire perimeter defense was a basic auth prompt.
Windows and Linux have both had their fair share of network stack bugs, OpenSSL had Heartbleed and a few other bugs, and hell you might even run into bugs in Apache or whatever other webserver you are using.
It would have taken several days to heartbleed your private key in 2013 if you also added fail2ban. Your home lab probably isn't on the high priority target list.
> Your home lab probably isn't on the high priority target list.
Yeah but these days with botnets widely available to hire? Everything is fair game and whatever you run gets indexed on Shodan and whatever almost immediately. The game has never been easier for skiddies and other low-skill attackers, and mining cryptocoins or hosting VPN exit nodes makes even a homelab a juicy target.
My homelab for example sports four third-hand HP servers with a total of about 256GB RAM and 64 CPU cores on a 200/50 DSL link. That's more than enough horsepower to cause serious damage from.
I've done that in the past, even for securing the admin pages of some software (there was once an issue where the admin page auth could be bypassed, this essentially adds another layer). With TLS it's okay for getting something up and running quickly.
Of course, for the things that matter a bit more, you can also run your own CA and do mTLS, even without any of the other fancy cloud services.
After coming across a brief tutorial of mTLS in this tool for locking down access to my family photo sharing [0] I have bounced around the internet following various guides but haven't ended up with a pfx file that I can install in a browser. Can you recommend any resource to understand which keys sign what, and what a client certificate is verified against?
The guides I find often contain the openssl incantations with little explanation so I feel a bit like stumbling through the dark. I realize how much I've taken stacktraces for granted when this auth stuff is very "do or do not, there is no error"
[0] https://github.com/alangrainger/immich-public-proxy/blob/mai...
Honestly, the most approachable way will be to use something like Keystore Explorer: https://keystore-explorer.org/
Alternatively, this guide focuses on Apache2 configuration but also goes through the certs https://www.openlogic.com/blog/mutual-authentication-using-a... (it’s a little dated though)
Here’s also something a bit more recent for Nginx https://darshit.dev/posts/two-way-ssl-nginx/
the fact that we have to keep reinventing kerberos all the time because it doesn't speak http is starting to legitimately annoy me.
Firefox can be configured to use Kerberos for authentication (search for "Configuring Firefox to use Kerberos for SSO"); on Windows, Chrome is supposed to do so too by adding the domain as an intranet zone.
HTTP auth can work with kerberos.
Chrome, Firefox, Internet Explorer -- all support some form of kerberos auth in HTTP/HTTPS.
I mean, I'm aware of SPNEGO etc. It's just that it was... ignored(?) by the startups/the community/google? Whatever little support there is is comparatively a worse experience than what we've got now for no really good reason.
1 reply →
Good luck when the TCP or SSL stack has an issue. These bugs are rare but they do exist and you're getting fucked royally if your entire perimeter defense was a basic auth prompt.
Windows and Linux have both had their fair share of network stack bugs, OpenSSL had Heartbleed and a few other bugs, and hell you might even run into bugs in Apache or whatever other webserver you are using.
It would have taken several days to heartbleed your private key in 2013 if you also added fail2ban. Your home lab probably isn't on the high priority target list.
> Your home lab probably isn't on the high priority target list.
Yeah but these days with botnets widely available to hire? Everything is fair game and whatever you run gets indexed on Shodan and whatever almost immediately. The game has never been easier for skiddies and other low-skill attackers, and mining cryptocoins or hosting VPN exit nodes makes even a homelab a juicy target.
My homelab for example sports four third-hand HP servers with a total of about 256GB RAM and 64 CPU cores on a 200/50 DSL link. That's more than enough horsepower to cause serious damage from.
1 reply →