diff options
| author | mms <michal@sapka.me> | 2023-12-06 10:27:03 +0100 |
|---|---|---|
| committer | mms <michal@sapka.me> | 2023-12-06 10:27:03 +0100 |
| commit | 68e6757b36687b3843ae1696278d752c9d09b482 (patch) | |
| tree | c51d33b0a814bc7df225dca8185952fe3b988b7d /content/site/updates/2023 | |
| parent | f7e9760d7f2f33d5e566a965960de87a0985dba4 (diff) | |
chore: move missplaced page
Diffstat (limited to 'content/site/updates/2023')
| -rw-r--r-- | content/site/updates/2023/fixing-ipv6-and-securing-the-domain.md | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/content/site/updates/2023/fixing-ipv6-and-securing-the-domain.md b/content/site/updates/2023/fixing-ipv6-and-securing-the-domain.md new file mode 100644 index 0000000..fc1ea14 --- /dev/null +++ b/content/site/updates/2023/fixing-ipv6-and-securing-the-domain.md @@ -0,0 +1,19 @@ +--- +title: Fixing IPv6 and securing the domain +category: +- site-info +abstract: Mistakes were made +date: 2023-05-05T13:55:14+02:00 +year: 2023 +draft: false +--- +Ok, so [recent IPv6 enablement](/2023/now-served-from-ipv6/) didn't went smooth. Even though I've added the AAAA record and I was able to `ping6(8)` from my FreeBSD machine, I forgot about configuring the firewall. Sadly, I know very little about `pf.conf(5)`, so I used a [ready config](https://forums.FreeBSD.org/threads/ipv6-not-working-with-pf.66772/post-395165), changed the network interface, and added ssh. Voila, IPv6 works! Thanks for letting me know about this bug on my side, [Marco](https://twitter.com/marcodavids/status/1653862517309882369). + +Then I added [Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). It's a security mechanism that cryptographically secures against man-in-the-middle attacks on the DNS level. I've enabled it in Vultr and copy-pasted a few records to Namecheap. Voila, it works! + +The last thing I've added was proposed by [chr bre](https://twitter.com/chrbre/status/1654194363247804416) - [HTTP Strict Transport Security](https://pl.wikipedia.org/wiki/HTTP_Strict_Transport_Security). This tells the browser always to use HTTPS, effectively blocking usage of non-encrypted HTTP. All I was needed to do was to add a [header to NGINX config](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) for server listening on port 443. + +After some testing, I've added [preload](https://hstspreload.org/) to the header and submitted it to Google. This submission will add this site to a list preloaded in Chrome, and other browsers, removing the first non-encrypted fetch of data. Of course, if I break HTTPS here, the site will stop working but what the hell. + +I now have a 100% rating on [internet.nl](https://internet.nl/site/d-s.sh/2074274/), which is cool. + |