    NashBrydges
    • Following 0
    • Followers 2
    • Topics 109
    • Posts 893
    • Groups 0

    Posts
    • RE: ombutel.com

      I took a look at the site to see if this was something I might want to poke around with but it doesn't inspire a lot of confidence when half the links on the site are dead. The website template still contains some of the "Lorem ipsum" text from the original template designer.

      posted in IT Discussion
      NashBrydges
    • RE: Preferred WAF for your website

      I was investigating differences between Incapsula and Cloudflare and ran into this video. Granted it is 5yrs old and who knows whether the tests were rigged to show one doing better than the other but wondered if anyone had actually tested their sites against things like SQLi or XSS attacks using Cloudflare.

      (embedded YouTube video)

      posted in IT Discussion
      NashBrydges
    • Preferred WAF for your website

      For those who manage public facing websites, what's your preferred WAF? Do you roll your own? Do you pony-up for Cloudflare or Incapsula or other? What do you wish your chosen solution had that it doesn't?

      posted in IT Discussion
      NashBrydges
    • RE: PERC H830 plus MD1000?

      @tim_g Sorry, can't help you there. I no longer have the R710 or the MD1000. The server was running 2012 R2 when I had it.

      posted in IT Discussion
      NashBrydges
    • RE: PERC H830 plus MD1000?

      @tim_g Yes it did. I had a SFF-8470 to SFF-8088 cable connected between the 2 and it worked perfectly.

      posted in IT Discussion
      NashBrydges
    • RE: PERC H830 plus MD1000?

      I had an H810 on a R710 server with MD1000 and all worked well. Never had any problems. Assuming you've got the right conversion cable since they have different connectors.

      posted in IT Discussion
      NashBrydges
    • RE: How To Allow Site Access In Nginx By DDNS Instead Of By IP

      @jaredbusch said in How To Allow Site Access In Nginx By DDNS Instead Of By IP:

      @nashbrydges said in How To Allow Site Access In Nginx By DDNS Instead Of By IP:

      #!/bin/bash
      host mydynamicdomain.ddns.net | grep "has address" | sed 's/.*has address //' | awk '{print "allow\t\t" $1 ";\t\t# DDNS IP" }' > /etc/nginx/conf.d/homeip.inc
      service nginx reload > /dev/null 2>&1

      This will get the IP address for the DDNS domain and inserts it into a file named "/etc/nginx/conf.d/homeip.inc", then reloads Nginx.

      This will only work for a single dyndns domain. You will have to duplicate this for each user. You have said this was for more than one user.

      It would be better to make the script a bit smarter.

      Have it read the dyndns names from an input file and have it populate all of them into a single include file.

      1. This means you do not have to edit the crontab to make changes.
      2. This means you do not have to have multiple includes and multiple crons.

      That's correct. Nowhere in this thread does it say it works for more than a single user. This however is very useful for me in cases where it will be used for a single user. And this is also a good place for me to start to see if I can adapt it or modify it for more than 1 user. A great learning opportunity for me and others who are still relatively new to using Nginx or Linux.

      posted in IT Discussion
      NashBrydges
    • RE: How To Allow Site Access In Nginx By DDNS Instead Of By IP

      @jaredbusch said in How To Allow Site Access In Nginx By DDNS Instead Of By IP:

      Retitle the topic appropriately.

      If I thought the topic title wasn't appropriate, I would have titled it differently. I'm not married to the title so if you feel another title would better describe what's here, feel free to make a suggestion.

      posted in IT Discussion
      NashBrydges
    • How To Allow Site Access In Nginx By DDNS Instead Of By IP

      In a previous post, I was looking for a way to allow access to a website behind an Nginx proxy based on a dynamic DNS domain. I had already set the allow/deny statements in the config file for the IP ranges assigned to the company; now I just needed a way to also allow access for the CEO from home, where he has a dynamic IP.

      The beauty of this, for this setup, is that I can allow access from within the config file "location" and this could be different for each of the domains configured on this Nginx instance.

      Btw, credit where credit is due.
      https://blog.zencoffee.org/2013/12/dynamic-dns-filtering-nginx/

      First, here is the config file before with the allow/deny rules for the IP ranges. This company has 2 sets of assigned IP ranges.

      server {
          listen 80;
          server_name domain.ca;
          return 301 https://$server_name$request_uri;
      }

      server {
          listen 443 ssl http2;
          server_name domain.ca;

          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Content-Type-Options nosniff;
          add_header Referrer-Policy strict-origin;
          # Note: a default-src directive with no source list matches nothing, so this header blocks
          # every subresource (scripts, styles, images) of the proxied pages; it needs a source list
          # such as 'self' before it is usable.
          add_header Content-Security-Policy "default-src" always;
          add_header X-Frame-Options SAMEORIGIN;
          ssl_stapling on;
          ssl_stapling_verify on;
          server_tokens off;

          ssl on;
          ssl_certificate /etc/letsencrypt/live/domain.ca/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/domain.ca/privkey.pem;
          ssl_session_timeout 5m;
          # TLSv1 and TLSv1.1 are legacy protocols; keep them only while old clients still need them.
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
          ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
          ssl_prefer_server_ciphers on;
          ssl_session_cache shared:SSL:10m;
          ssl_dhparam /etc/ssl/certs/dhparam.pem;
          proxy_cookie_path / "/; secure; HttpOnly";

          location / {
              # allow/deny are evaluated in order, so the catch-all deny goes last
              allow 192.168.1.0/24; # obviously not the real IP range but represents IP range 1
              allow 192.168.2.0/24; # obviously not the real IP range but represents IP range 2
              deny all; # deny all other IPs
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_set_header X-NginX-Proxy true;
              proxy_pass http://192.168.100.61;
              proxy_redirect off;

              # Socket.IO Support
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
          }
      }

      Step 1:
      I created a new file at /etc/cron.daily/ and named it getddns

      Step 2:
      Added this code to the new file

      #!/bin/bash
      # Resolve the DDNS name, keep only the "has address" (IPv4) answer and turn it into an
      # Nginx "allow" directive in the include file that the location block reads
      host mydynamicdomain.ddns.net | grep "has address" | sed 's/.*has address //' | awk '{print "allow\t\t" $1 ";\t\t# DDNS IP" }' > /etc/nginx/conf.d/homeip.inc
      # Reload so the new allow rule takes effect; output is discarded because this runs from cron
      service nginx reload > /dev/null 2>&1

      This will get the IP address for the DDNS domain, insert it into a file named "/etc/nginx/conf.d/homeip.inc", then reload Nginx.

      Step 3:
      Make the new file executable

      sudo chmod +x /etc/cron.daily/getddns

      Step 4:
      Change the config file to include the new homeip.inc file which contains the allow statement for the DDNS domain. You can see the new line in the "location".

      server {
          listen 80;
          server_name domain.ca;
          return 301 https://$server_name$request_uri;
      }

      server {
          listen 443 ssl http2;
          server_name domain.ca;

          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Content-Type-Options nosniff;
          add_header Referrer-Policy strict-origin;
          # Note: a default-src directive with no source list matches nothing, so this header blocks
          # every subresource (scripts, styles, images) of the proxied pages; it needs a source list
          # such as 'self' before it is usable.
          add_header Content-Security-Policy "default-src" always;
          add_header X-Frame-Options SAMEORIGIN;
          ssl_stapling on;
          ssl_stapling_verify on;
          server_tokens off;

          ssl on;
          ssl_certificate /etc/letsencrypt/live/domain.ca/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/domain.ca/privkey.pem;
          ssl_session_timeout 5m;
          # TLSv1 and TLSv1.1 are legacy protocols; keep them only while old clients still need them.
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
          ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
          ssl_prefer_server_ciphers on;
          ssl_session_cache shared:SSL:10m;
          ssl_dhparam /etc/ssl/certs/dhparam.pem;
          proxy_cookie_path / "/; secure; HttpOnly";

          location / {
              # THIS IS THE NEW LINE: the include is read when Nginx loads or reloads its config,
              # which is why the cron script reloads Nginx after rewriting the file
              include /etc/nginx/conf.d/homeip.inc;
              allow 192.168.1.0/24; # obviously not the real IP range but represents IP range 1
              allow 192.168.2.0/24; # obviously not the real IP range but represents IP range 2
              deny all; # deny all other IPs
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_set_header X-NginX-Proxy true;
              proxy_pass http://192.168.100.61;
              proxy_redirect off;

              # Socket.IO Support
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
          }
      }

      That's it. Now the allow/deny rules will be updated once an hour with any changes to the dynamic IP address.

      This is scheduled to run every hour but could be run every day instead if that's too frequent.

      The nice thing about this option rather than using the firewall script from @Romo here is that users can be presented with an appropriate Access Denied 403 page rather than being blocked at the firewall. For a service like the PiHole, @Romo's script makes more sense, but for a website I like the ability to present the access denied page.

      Edit: Updated for spelling in title

      posted in IT Discussion how to nginx dynamicdns
      NashBrydges
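      As an added example (not code from the post above, from the thread's replies, or from the blog it credits), here is how the getddns cron script could be extended along the lines suggested in the reply above: several dynamic-DNS names are read from one input file and written into the single include the how-to already uses. It also validates each resolved address before it becomes an allow rule, keeps the previous include if nothing could be resolved, and only reloads Nginx when the file changed and nginx -t accepts the result. The hosts-file path /etc/nginx/ddns-hosts.txt, the hostnames, and SAMPLE_HOST_OUTPUT are assumptions; the include path is the one from the post.

```sh
#!/bin/sh
# getddns, multi-host version.  Added example, not the script from the post.
# Reads dynamic-DNS hostnames from HOSTS_FILE (assumed path; one name per line,
# "#" starts a comment), resolves each with host(1), and rewrites the Nginx
# include from the how-to, so one cron job and one include serve every user.

HOSTS_FILE="${HOSTS_FILE:-/etc/nginx/ddns-hosts.txt}"          # assumed path
INCLUDE_FILE="${INCLUDE_FILE:-/etc/nginx/conf.d/homeip.inc}"   # path from the post

# Constructed host(1) output (not a real lookup) showing what the parser must
# cope with: an alias line, an IPv6 answer, and an out-of-range "address".
SAMPLE_HOST_OUTPUT='ceo-home.example.ddns.net is an alias for host.example.net.
host.example.net has address 203.0.113.45
host.example.net has IPv6 address 2001:db8::1
host.example.net has address 999.1.1.1'

# is_ipv4 ADDR: true only for a dotted quad whose four octets are each 0-255.
# Every line written below becomes an access-control rule, so resolver
# messages, IPv6 answers or trailing junk must never get that far.
is_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;   # non-digits, empty octets
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs  # split on dots
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_allow_lines NAME: turn host(1) output on stdin into "allow" directives.
# Only "has address" (IPv4) answers are used; aliases, IPv6 answers and error
# text are skipped.  Each line is tagged with NAME so the include is auditable.
render_allow_lines() {
    name="$1"
    while IFS= read -r line; do
        case "$line" in
            *" has address "*) addr="${line##* has address }" ;;
            *) continue ;;
        esac
        if is_ipv4 "$addr"; then
            printf 'allow %s;\t# DDNS %s\n' "$addr" "$name"
        fi
    done
}

# build_include: print allow lines for every hostname in HOSTS_FILE.  Fails if
# not a single address was produced, so a DNS outage does not become an empty
# include that locks every remote user out until the next run.
build_include() {
    count=0
    while IFS= read -r name || [ -n "$name" ]; do
        name="$(printf '%s' "${name%%#*}" | tr -d '[:space:]')"  # drop comments/blanks
        [ -n "$name" ] || continue
        lines="$(host "$name" 2>/dev/null | render_allow_lines "$name")"
        [ -n "$lines" ] || continue
        printf '%s\n' "$lines"
        count=$((count + 1))
    done < "$HOSTS_FILE"
    [ "$count" -gt 0 ]
}

# update_include: regenerate the include atomically, keep the previous version,
# and reload Nginx only when the content changed and "nginx -t" passes.
update_include() {
    tmp="$(mktemp "$INCLUDE_FILE.XXXXXX")" || return 1
    if ! build_include > "$tmp"; then
        echo "getddns: no DDNS name resolved, keeping previous include" >&2
        rm -f "$tmp"; return 1
    fi
    if [ -f "$INCLUDE_FILE" ] && cmp -s "$tmp" "$INCLUDE_FILE"; then
        rm -f "$tmp"; return 0                      # unchanged: no reload needed
    fi
    chmod 644 "$tmp"
    [ -f "$INCLUDE_FILE" ] && cp -p "$INCLUDE_FILE" "$INCLUDE_FILE.prev"
    mv "$tmp" "$INCLUDE_FILE"
    if nginx -t >/dev/null 2>&1; then
        nginx -s reload
    else
        echo "getddns: nginx -t rejected the new include, restoring previous" >&2
        [ -f "$INCLUDE_FILE.prev" ] && mv "$INCLUDE_FILE.prev" "$INCLUDE_FILE"
        return 1
    fi
}

# Only act when installed under the cron name from the how-to
# (/etc/cron.daily/getddns); under any other name this file just defines functions.
case "${0##*/}" in
    getddns*) update_include ;;
esac
```

      Installed as /etc/cron.daily/getddns with the hostnames in /etc/nginx/ddns-hosts.txt, this replaces both the one-name script and the per-user cron entries; the include line in the location block stays exactly as in Step 4.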
    • RE: Nginx Allow Domain Instead Of IP Address

      Ok, I just found a ridiculously simple way of doing this. I'll post the how-to in a different thread.

      posted in IT Discussion
      NashBrydges
    • RE: Nginx Allow Domain Instead Of IP Address

      @jaredbusch said in Nginx Allow Domain Instead Of IP Address:

      @nashbrydges said in Nginx Allow Domain Instead Of IP Address:

      @aaronstuder said in Nginx Allow Domain Instead Of IP Address:

      Or maybe this?

      https://mangolassi.it/topic/14787/how-to-setup-nginx-tls-certificate-based-authentication-vpn-alternative

      Not really an option since I'm allowing a range of IPs assigned to the company in the Nginx config file. It wouldn't be viable to setup a cert on every endpoint in the company to allow access to the portal. This option works great if you're dealing with only a few endpoints that don't often change.

      You could simply setup a second URL for external access and use certificate signing on that URL only. not

      This is an option I hadn't thought of. That could work well.

      posted in IT Discussion
      NashBrydges
    • RE: Nginx Allow Domain Instead Of IP Address

      @aaronstuder said in Nginx Allow Domain Instead Of IP Address:

      Or maybe this?

      https://mangolassi.it/topic/14787/how-to-setup-nginx-tls-certificate-based-authentication-vpn-alternative

      Not really an option since I'm allowing a range of IPs assigned to the company in the Nginx config file. It wouldn't be viable to setup a cert on every endpoint in the company to allow access to the portal. This option works great if you're dealing with only a few endpoints that don't often change.

      posted in IT Discussion
      NashBrydges
    • RE: Nginx Allow Domain Instead Of IP Address

      @aaronstuder said in Nginx Allow Domain Instead Of IP Address:

      This is kinda what you want to do....

      https://mangolassi.it/topic/15008/pihole-for-friends-and-family/

      Not exactly. In this setup, the server firewall controls who can access. The way I have it setup is that the Nginx config file is managing the allow/deny rules and displays a 403 error for any IP not in the allow list.

      Although I suppose that if I can't find a way to have Nginx resolve the IP to manage the allow/deny, this could be an option. Was trying to avoid relying on external functions but this could work at the server level. Only thing is, the visitor won't get the 403 error page.

      posted in IT Discussion
      NashBrydges
    • Nginx Allow Domain Instead Of IP Address

      I've easily set up the allow/deny rules in Nginx config files to limit access to a particular site based on IP address, but what I'm trying to figure out is if there's a way to have similar rules based on domain names. I have a client who wants to limit access to his company portal to his satellite offices, however he still wants access from home for himself and his executive team, who obviously have dynamic IP addresses. He's already set up a DDNS service and can resolve his home IP address from the domain name. I'd like to be able to force Nginx to also resolve the IP based on that same domain name.

      Anyone ever successfully set that up? My google-fu is failing me on this one.

      posted in IT Discussion nginx
      NashBrydges
    • RE: Enterprise 15K SAS drives vs consumer grade SSD in a Dell server?

      @dave247 said in Enterprise 15K SAS drives vs consumer grade SSD in a Dell server?:

      I'm putting Hyper-V on a decommissioned Dell R510 for a general LAB environment and testing, etc. I'm trying to scrounge up some spare drives (I have a lot) for a stable/reliable config. I have 8x 3.5" drive bays on this thing and my plan is to use slot 0 and 1 for two drives in RAID1 for the OS, then use the rest for a RAID10 array for storage (at a later time). Yes, I know usually you'd just do OBR10 but I'm not doing it that way.

      Right now, I'm trying to decide which would be better: a set of 300GB 15K SAS Dell Enterprise drives or a set of consumer-grade 128GB Samsung 840 Pro SSD drives.

      I assume both will work fine but I've never really used consumer SSD's on a Dell server before.. input?

      I own 2 R510's with 12 bays and the H700 card. I know from experience that while the newer generation servers (X20 and X30 generation) often reject drives, this server and card combo, as long as you've updated your firmware and drivers, will accept pretty much any SSD drives. I have a R620 that failed to power up with more than 3 of a specific SSD but 12 of those same drives in the R510 worked beautifully.

      Edit: for spelling.

      posted in IT Discussion
      NashBrydges
    • RE: ISPs inject malware into chat download streams

      @scottalanmiller said in ISPs inject malware into chat download streams:

      @dashrender said in ISPs inject malware into chat download streams:

      @scottalanmiller said in ISPs inject malware into chat download streams:

      @dashrender said in ISPs inject malware into chat download streams:

      @scottalanmiller said in ISPs inject malware into chat download streams:

      @dashrender said in ISPs inject malware into chat download streams:

      How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

      Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

      And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

      But once that option is gone, well, so is the free and open internet.

      Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

      Oh.. I think I see where you are going here... but now my question is - will that work?

      Let's assume I'm trying to download telegram, so I go to https://telegram.org. The ISP can't fake the cert for Telegram.org - I mean they can, but your browser won't trust their fake cert, unless they got the ISP's own root cert into the user's computer's root store.

      But when EVERY site says you have a fake cert, I know no one that doesn't accept them. One time, sure. I stopped Dominica just the other night because some site had a cert problem and I knew something had happened. But when it is every site and you can't do anything without accepting them, you start accepting them. What else can you do?

      You're held hostage by your ISP. Given no other choice you might be tempted to accept their terms, but you'd be idiotic in accepting those terms of having to accept their cert. I'll give you that for the majority of people, yeah, they wouldn't think twice. Which is sad.

      posted in News
      NashBrydges
    • RE: ISPs inject malware into chat download streams

      @scottalanmiller said in ISPs inject malware into chat download streams:

      @dashrender said in ISPs inject malware into chat download streams:

      @scottalanmiller said in ISPs inject malware into chat download streams:

      @dashrender said in ISPs inject malware into chat download streams:

      How do they MiT you on an encrypted connection? i.e. if you're using HTTPS, they have no ability to inject anything.

      Oh there are ways. How do you think that tools like Palo Alto do deep channel inspection?

      And of course there are ways - but I will never install an ISP cert as long as another internet connection option is available.

      But once that option is gone, well, so is the free and open internet.

      Lots of people don't have alternative options to check and see if they are getting an ISP cert or not.

      That would imply accepting the cert and installing the cert.

      posted in News
      NashBrydges
    • RE: In Other News - iPhone 8 has earpiece issues

      @scottalanmiller said in In Other News - iPhone 8 has earpiece issues:

      @bnrstnr said in In Other News - iPhone 8 has earpiece issues:

      I also use mine daily and have never had an issue. @scottalanmiller have you taken your phone or headphones in under warranty?

      Warranty service is so awful with Apple. That itself is a bit of a product failure. Sometimes it is good, sometimes it is hell. I fear any Apple warranty interaction.

      I wonder if you just got a bad phone. I've had an iPhone since their first introduction 10 yrs ago and I've always been happy with the product reliability and performance. I've also needed to bring both an iPhone and iPad in for warranty and in both cases have been nothing but happy with the outcome.

      posted in News
      NashBrydges
    • RE: bitwarden - Open Source Password Management Tool

      @coliver said in bitwarden - Open Source Password Management Tool:

      @nashbrydges said in bitwarden - Open Source Password Management Tool:

      It's too bad there is no 2FA available in any of the price points. I won't use a password manager, self-hosted or otherwise without 2FA. Looks like they'll be introducing this with their Enterprise version which is more expensive than LastPass. Probably just a matter of time before LastPass goes the way of LogMeIn and jacks up prices to some ridiculous amount. This tool may make more sense at that time.

      Huh? https://help.bitwarden.com/article/setup-two-step-login/

      You can use Google Authenticator in the free tier.

      Ah, thanks for pointing that out. I was looking here.
      https://bitwarden.com/#organizations

      Guess the Duo 2FA is what's coming soon.

      posted in IT Discussion
      NashBrydges
    • RE: bitwarden - Open Source Password Management Tool

      It's too bad there is no 2FA available in any of the price points. I won't use a password manager, self-hosted or otherwise without 2FA. Looks like they'll be introducing this with their Enterprise version which is more expensive than LastPass. Probably just a matter of time before LastPass goes the way of LogMeIn and jacks up prices to some ridiculous amount. This tool may make more sense at that time.

      posted in IT Discussion
      NashBrydges