
253 points akyuu | 5 comments
1. quaintdev ◴[] No.45946006[source]
I do not have a solution for a blog like this, but if you are self-hosting I recommend enabling mTLS on your reverse proxy.

I'm doing this for a dozen services hosted at home. The reverse proxy just drops the request if the user does not present a certificate. My devices which can present a cert can connect seamlessly. It's a one-time setup, but once done you can forget about it.

replies(2): >>45946395 #>>45948221 #
2. SoftTalker ◴[] No.45946395[source]
That's fine if you're hosting stuff just for yourself but not really practical if you're hosting stuff you want others to be able to read, such as a blog.
replies(1): >>45946605 #
3. lukevp ◴[] No.45946605[source]
You can mTLS to CloudFlare too, if you're not one of the anti-CloudFlare people. Then all traffic drops besides traffic that passes through CF, and the mTLS handshake prevents bypassing CF.
replies(1): >>45947942 #
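As an added illustration (not posted by quaintdev or lukevp, and not a config either of them published), this is the shape of an nginx server block that does what both comments describe: the proxy terminates TLS and refuses any request whose client certificate was not issued by the CA in `ssl_client_certificate`. For the home setup that CA is your own private CA; for the Cloudflare setup the same directive instead points at the certificate Cloudflare uses for Authenticated Origin Pulls, so only requests that came through Cloudflare pass the handshake. The hostnames, file paths and upstream port are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name blog.home.internal;   # assumed name

    # Server-side certificate presented to visitors (assumed paths)
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # The CA that issued the client certificates. For a home setup this is
    # your private CA; for Cloudflare Authenticated Origin Pulls it is the
    # Cloudflare origin-pull CA certificate instead (assumed path).
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;

    # "on" rejects the request unless a certificate signed by that CA is
    # presented; "optional" would let the request through and expose the
    # result in $ssl_client_verify for you to check yourself.
    ssl_verify_client on;
    ssl_verify_depth  2;

    location / {
        # Backend service only reachable on loopback (assumed port)
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        # Forward the authenticated client identity for app-side logging
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}
```

Two things worth checking after enabling this: confirm with a client that has no certificate that nginx returns a 400 ("No required SSL certificate was sent") rather than serving content, and, in the Cloudflare variant, remember that this only authenticates the path through Cloudflare; it does not by itself restrict which source IPs can reach port 443, which is the point BehindTheMath makes in the next reply.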
4. BehindTheMath ◴[] No.45947942{3}[source]
You don't need mTLS for that. Just block all IPs besides Cloudflare's ranges.
5. bogwog ◴[] No.45948221[source]
WireGuard is much better. Not only is it easier to set up/maintain, it even works on Android and iOS. I used to use client authentication for my private git server, but getting client certs installed on every client browser or app was a pain in the ass, and not even possible for some mobile browsers.

Today, my entire network of self-hosted stuff exists in a personal WireGuard VPN. My firewall blocks everything except the WireGuard port (even SSH).