From 68e6757b36687b3843ae1696278d752c9d09b482 Mon Sep 17 00:00:00 2001 From: mms Date: Wed, 6 Dec 2023 10:27:03 +0100 Subject: chore: move misplaced page --- content/site/fixing-ipv6-and-securing-the-domain.md | 19 ------------------- .../2023/fixing-ipv6-and-securing-the-domain.md | 19 +++++++++++++++++++ 2 files changed, 19 insertions(+), 19 deletions(-) delete mode 100644 content/site/fixing-ipv6-and-securing-the-domain.md create mode 100644 content/site/updates/2023/fixing-ipv6-and-securing-the-domain.md diff --git a/content/site/fixing-ipv6-and-securing-the-domain.md b/content/site/fixing-ipv6-and-securing-the-domain.md deleted file mode 100644 index fc1ea14..0000000 --- a/content/site/fixing-ipv6-and-securing-the-domain.md +++ /dev/null
@@ -1,19 +0,0 @@ ---- -title: Fixing IPv6 and securing the domain -category: -- site-info -abstract: Mistakes were made -date: 2023-05-05T13:55:14+02:00 -year: 2023 -draft: false ---- -Ok, so [recent IPv6 enablement](/2023/now-served-from-ipv6/) didn't went smooth. Even though I've added the AAAA record and I was able to `ping6(8)` from my FreeBSD machine, I forgot about configuring the firewall. Sadly, I know very little about `pf.conf(5)`, so I used a [ready config](https://forums.FreeBSD.org/threads/ipv6-not-working-with-pf.66772/post-395165), changed the network interface, and added ssh. Voila, IPv6 works! Thanks for letting me know about this bug on my side, [Marco](https://twitter.com/marcodavids/status/1653862517309882369). - -Then I added [Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). It's a security mechanism that cryptographically secures against man-in-the-middle attacks on the DNS level. I've enabled it in Vultr and copy-pasted a few records to Namecheap. Voila, it works! - -The last thing I've added was proposed by [chr bre](https://twitter.com/chrbre/status/1654194363247804416) - [HTTP Strict Transport Security](https://pl.wikipedia.org/wiki/HTTP_Strict_Transport_Security). This tells the browser always to use HTTPS, effectively blocking usage of non-encrypted HTTP. All I was needed to do was to add a [header to NGINX config](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) for server listening on port 443. - -After some testing, I've added [preload](https://hstspreload.org/) to the header and submitted it to Google. This submission will add this site to a list preloaded in Chrome, and other browsers, removing the first non-encrypted fetch of data. Of course, if I break HTTPS here, the site will stop working but what the hell. - -I now have a 100% rating on [internet.nl](https://internet.nl/site/d-s.sh/2074274/), which is cool. - 
diff --git a/content/site/updates/2023/fixing-ipv6-and-securing-the-domain.md b/content/site/updates/2023/fixing-ipv6-and-securing-the-domain.md new file mode 100644 index 0000000..fc1ea14 --- /dev/null +++ b/content/site/updates/2023/fixing-ipv6-and-securing-the-domain.md 
@@ -0,0 +1,19 @@ +--- +title: Fixing IPv6 and securing the domain +category: +- site-info +abstract: Mistakes were made +date: 2023-05-05T13:55:14+02:00 +year: 2023 +draft: false +--- +Ok, so [recent IPv6 enablement](/2023/now-served-from-ipv6/) didn't went smooth. Even though I've added the AAAA record and I was able to `ping6(8)` from my FreeBSD machine, I forgot about configuring the firewall. Sadly, I know very little about `pf.conf(5)`, so I used a [ready config](https://forums.FreeBSD.org/threads/ipv6-not-working-with-pf.66772/post-395165), changed the network interface, and added ssh. Voila, IPv6 works! Thanks for letting me know about this bug on my side, [Marco](https://twitter.com/marcodavids/status/1653862517309882369). + +Then I added [Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). It's a security mechanism that cryptographically secures against man-in-the-middle attacks on the DNS level. I've enabled it in Vultr and copy-pasted a few records to Namecheap. Voila, it works! + +The last thing I've added was proposed by [chr bre](https://twitter.com/chrbre/status/1654194363247804416) - [HTTP Strict Transport Security](https://pl.wikipedia.org/wiki/HTTP_Strict_Transport_Security). This tells the browser always to use HTTPS, effectively blocking usage of non-encrypted HTTP. All I was needed to do was to add a [header to NGINX config](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) for server listening on port 443. + +After some testing, I've added [preload](https://hstspreload.org/) to the header and submitted it to Google. This submission will add this site to a list preloaded in Chrome, and other browsers, removing the first non-encrypted fetch of data. Of course, if I break HTTPS here, the site will stop working but what the hell. + +I now have a 100% rating on [internet.nl](https://internet.nl/site/d-s.sh/2074274/), which is cool. + -- cgit v1.2.3
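Review bot: the deletion hunk for content/site/fixing-ipv6-and-securing-the-domain.md shows the whole file removed instead of a rename, although the index lines (fc1ea14..0000000 here, 0000000..fc1ea14 in the new-file hunk) reference the same blob, so the content is byte-for-byte unchanged. Regenerating the patch with rename detection (`git format-patch -M`) would collapse both hunks into a `rename from` / `rename to` header at 100% similarity, which is much easier to review and keeps `git log --follow` and blame history attached to the moved page.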
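Review bot: the new-file hunk under content/site/updates/2023/ carries a few wording slips in the moved body ("didn't went smooth", "All I was needed to do") and the HSTS link points at the Polish Wikipedia (pl.wikipedia.org) while the DNSSEC link uses the English one; since this commit is a pure move, leave those for a follow-up rather than folding edits into the rename. Worth confirming as well that moving the page from content/site/ to content/site/updates/2023/ does not change its published URL, or that a redirect from the old path exists, so existing links to the post keep resolving.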