Nginx ProxMox Proxy using Letsencrypt SSL cert

Why use an nginx proxy in front of Proxmox with a Let's Encrypt SSL cert? 1st: why not? 2nd: Load balancing! Nginx is built to handle many concurrent connections from a multitude of clients, which makes it ideal as the point of contact for those clients. It can pass requests to any number of backend servers that do the bulk of the work, spreading the load across your infrastructure, and it lets you add backend servers or take them down for maintenance without the clients noticing. 3rd: Security! Nginx can usually be configured to deny access to certain parts of the underlying application, so life doesn't throw you a curveball at 3AM on December 24th 2006 (don't ask 🙁). 4th: Port firewall constraints! Sometimes you need to reach an application on port 34563 but the firewall doesn't allow random ports. You can accept incoming connections on port 80 via nginx and proxy them to the app on 34563. 5th: seriously... why not?

Now you know why we may want nginx as a frontend proxy for our underlying app, so let's set it up for our use case: protecting Proxmox from bad actors and giving ourselves reliable access to it. We are going to set up nginx to redirect all traffic from port 80 to port 443, where Let's Encrypt will provide us with SSL-encrypted access. Install nginx-light instead of nginx-full, so you get a smaller set of modules and a lighter install. You can install […]
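As an added example (not code from the original post), here is a small shell helper that renders the nginx site file for the setup described above: port 80 only redirects to 443, port 443 terminates TLS with the Let's Encrypt cert and proxies to the Proxmox web UI. It assumes Proxmox listens on 127.0.0.1:8006 (its default, not stated on the page), that the cert was issued for the hostname you pass in (pve.example.com below is a placeholder), and that nginx-light is installed, which on Debian ships the ssl and proxy modules this config needs.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: Proxmox web UI on 127.0.0.1:8006 (default), cert issued by
# letsencrypt/certbot for the hostname given as $1, nginx-light with ssl + proxy modules.
set -eu

# render_proxmox_site HOSTNAME UPSTREAM
# Prints an nginx server config: HTTP -> HTTPS redirect, TLS termination,
# reverse proxy (with WebSocket upgrade, needed for the noVNC console) to UPSTREAM.
render_proxmox_site() {
    host="$1"        # e.g. pve.example.com (hypothetical placeholder)
    upstream="$2"    # e.g. 127.0.0.1:8006
    cat <<EOF
# Port 80: redirect only; never serve the UI in the clear.
server {
    listen 80;
    server_name $host;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $host;

    ssl_certificate     /etc/letsencrypt/live/$host/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem;
    # add TLSv1.3 if your nginx/OpenSSL build supports it
    ssl_protocols TLSv1.2;

    location / {
        # Proxmox itself speaks HTTPS with its own self-signed cert, so proxy
        # to https:// and skip verification only because the hop is loopback.
        proxy_pass https://$upstream;
        proxy_ssl_verify off;

        # noVNC / shell consoles need WebSockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # console and migration sessions stay open for a long time
        proxy_read_timeout 3600s;
    }
}
EOF
}

# Usage (hostname is a placeholder):
#   sh render.sh pve.example.com 127.0.0.1:8006 > /etc/nginx/sites-available/proxmox
#   ln -s /etc/nginx/sites-available/proxmox /etc/nginx/sites-enabled/
#   nginx -t && systemctl reload nginx
if [ "$#" -eq 2 ]; then
    render_proxmox_site "$1" "$2"
fi
```

Always run nginx -t before reloading; a typo in the site file takes the whole proxy down, and with port 80 redirecting that means no access to Proxmox until it is fixed.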

Letsencrypt ssl cert for mumble

I needed to set up a Mumble server for a friend's Minecraft community. Mumble uses a client–server architecture that lets users talk to each other through the same server. It has a very simple administrative interface and offers high sound quality and low latency where possible. All communication is encrypted to protect user privacy, using either a self-signed cert or a cert bought from a vendor. The great thing about Mumble is that it's free and open-source software, cross-platform, and released under the terms of the new BSD license. Since Let's Encrypt is awesome and provides completely free certs to end users, I figured it would be perfect to use here. So I started down the road to acquiring a Let's Encrypt SSL cert for Mumble.

First we need the Let's Encrypt client; for this you need git:

    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto certonly --standalone --standalone-supported-challenges tls-sni-01

A text/curses dialogue will start and ask for the domain(s) you want a cert for. If you want several domains or subdomains in the same cert, separate them with a space or a comma. Follow the prompts and the client will put your cert in /etc/letsencrypt/live/<domain>/cert.pem, with the private key beside it as privkey.pem and the certificate plus intermediate chain as fullchain.pem. (Note that Let's Encrypt has since retired the tls-sni-01 challenge and the client is now called certbot; with a current certbot, run certbot certonly --standalone, which uses the http-01 challenge on port 80 instead.) So far so good! Now you need to install murmur/mumble-server on your machine. I would like to tell you how to do it, but since software changes, the best way is to check the official Mumble wiki for info […]
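One thing the post does not cover is getting the cert to murmur: /etc/letsencrypt/live and /etc/letsencrypt/archive are readable by root only, while the Debian mumble-server package runs murmur as the unprivileged user mumble-server, so pointing murmur.ini straight at the live directory fails, and every renewal has to be re-copied. The added example below (my code, not from the post or the Mumble project) is a certbot deploy hook that copies the renewed fullchain and key into a directory murmur can read and restarts the service. It assumes a current certbot, which sets RENEWED_LINEAGE to /etc/letsencrypt/live/<domain> when it runs the hook, the Debian user and service name mumble-server, a destination directory of /var/lib/mumble-server/ssl (my choice), and murmur.ini's sslCert and sslKey settings pointing at the copies.

```shell
#!/bin/sh
# Added example, not from the original post or the Mumble project.
# Assumptions: murmur runs as user "mumble-server" (Debian package default) and
# cannot read /etc/letsencrypt/live; certbot runs this as --deploy-hook and exports
# RENEWED_LINEAGE=/etc/letsencrypt/live/<domain>.
set -eu

# install_mumble_cert LIVE_DIR DEST_DIR OWNER
# Copies fullchain.pem and privkey.pem from LIVE_DIR into DEST_DIR, owned by OWNER.
# The key is made readable by OWNER only; refuses to run if either file is missing,
# so a half-finished renewal never leaves murmur with a cert/key mismatch.
install_mumble_cert() {
    live="$1"; dest="$2"; owner="$3"
    for f in fullchain.pem privkey.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    # install(1) copies and sets owner/mode in one step, so there is no window
    # in which the key sits on disk with the default (world-readable) umask mode.
    install -o "$owner" -m 0644 "$live/fullchain.pem" "$dest/fullchain.pem"
    install -o "$owner" -m 0600 "$live/privkey.pem"   "$dest/privkey.pem"
}

# Only act when invoked by certbot as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_mumble_cert "$RENEWED_LINEAGE" /var/lib/mumble-server/ssl mumble-server
    # Matching murmur.ini lines (hypothetical paths chosen for this example):
    #   sslCert=/var/lib/mumble-server/ssl/fullchain.pem
    #   sslKey=/var/lib/mumble-server/ssl/privkey.pem
    # murmur reads the key only at startup, so restart to pick up the new cert.
    systemctl restart mumble-server
fi
```

Register it with certbot certonly ... --deploy-hook /usr/local/sbin/mumble-cert-hook.sh (path is a placeholder); certbot then runs it after every successful renewal, and the 0600 mode on privkey.pem keeps the key away from other local accounts.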

Heartbleed strikes again! new vulnerabilities patched by the Open SSL team

Heartbleed has kept giving headaches to developers and administrators ever since it appeared this spring, and OpenSSL isn't catching a break: a new batch of vulnerabilities affecting every supported branch (0.9.8, 1.0.0, 1.0.1 and 1.0.2) was disclosed today. The worst of them is CCS Injection (CVE-2014-0224), which the OpenSSL team rates as serious. Despite being lumped together with Heartbleed in the press, it is a separate bug in a different part of the code, not a Heartbleed variant. Updated releases (0.9.8za, 1.0.0m and 1.0.1h) were published today; the 1.0.2 beta is still vulnerable and has not received an update yet. Anyone running an affected version is advised to upgrade as soon as possible.

CCS Injection is a flaw in OpenSSL's handling of the ChangeCipherSpec message. A man-in-the-middle sitting between a vulnerable client and a vulnerable server can inject a ChangeCipherSpec before the key exchange has finished, which makes both sides derive their session keys from empty, and therefore predictable, key material. The attacker can then decrypt and tamper with the contents and authentication data of the encrypted session, whether it carries web browsing, VPN or e-mail traffic, and can hijack an authenticated session. The attack only works when both endpoints are vulnerable: all OpenSSL clients are affected, but servers are only affected on 1.0.1 and the 1.0.2 beta. It does not expose the server's private key, although any secret a user sent over an intercepted session (including a private key file) can be read. Source: CloudFlare