diff options
| author | mms <michal@sapka.me> | 2024-04-10 22:08:41 +0200 |
|---|---|---|
| committer | mms <michal@sapka.me> | 2024-04-10 22:08:41 +0200 |
| commit | 3f7488846906dce323f89bb44703cd4a2c7565cc (patch) | |
| tree | ac7f5bdd1884f384934b56bebebb65eb57c4e9ae /content/blog/2023/fixing-ipv6-and-securing-the-domain.md | |
| parent | 678093d4e186bd839a9c1d802ea88233bd192aeb (diff) | |
feat: nameplate and more composition
Diffstat (limited to 'content/blog/2023/fixing-ipv6-and-securing-the-domain.md')
| -rw-r--r-- | content/blog/2023/fixing-ipv6-and-securing-the-domain.md | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/content/blog/2023/fixing-ipv6-and-securing-the-domain.md b/content/blog/2023/fixing-ipv6-and-securing-the-domain.md new file mode 100644 index 0000000..ef00369 --- /dev/null +++ b/content/blog/2023/fixing-ipv6-and-securing-the-domain.md @@ -0,0 +1,19 @@ +--- +title: Fixing IPv6 and securing the domain +categories: +- blog +abstract: Mistakes were made +date: 2023-05-05T13:55:14+02:00 +year: 2023 +draft: false +--- +Ok, so [recent IPv6 enablement](/2023/now-served-from-ipv6/) didn't went smooth. Even though I've added the AAAA record and I was able to `ping6(8)` from my FreeBSD machine, I forgot about configuring the firewall. Sadly, I know very little about `pf.conf(5)`, so I used a [ready config](https://forums.FreeBSD.org/threads/ipv6-not-working-with-pf.66772/post-395165), changed the network interface, and added ssh. Voila, IPv6 works! Thanks for letting me know about this bug on my side, [Marco](https://twitter.com/marcodavids/status/1653862517309882369). + +Then I added [Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). It's a security mechanism that cryptographically secures against man-in-the-middle attacks on the DNS level. I've enabled it in Vultr and copy-pasted a few records to Namecheap. Voila, it works! + +The last thing I've added was proposed by [chr bre](https://twitter.com/chrbre/status/1654194363247804416) - [HTTP Strict Transport Security](https://pl.wikipedia.org/wiki/HTTP_Strict_Transport_Security). This tells the browser always to use HTTPS, effectively blocking usage of non-encrypted HTTP. All I was needed to do was to add a [header to NGINX config](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) for server listening on port 443. + +After some testing, I've added [preload](https://hstspreload.org/) to the header and submitted it to Google. This submission will add this site to a list preloaded in Chrome, and other browsers, removing the first non-encrypted fetch of data. Of course, if I break HTTPS here, the site will stop working but what the hell. + +I now have a 100% rating on [internet.nl](https://internet.nl/site/d-s.sh/2074274/), which is cool. + |