1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
---
title: Fixing IPv6 and securing the domain
categories:
- blog
abstract: Mistakes were made
date: 2023-05-05T13:55:14+02:00
year: 2023
draft: false
---
Ok, so [recent IPv6 enablement](/2023/now-served-from-ipv6/) didn't went smooth. Even though I've added the AAAA record and I was able to `ping6(8)` from my FreeBSD machine, I forgot about configuring the firewall. Sadly, I know very little about `pf.conf(5)`, so I used a [ready config](https://forums.FreeBSD.org/threads/ipv6-not-working-with-pf.66772/post-395165), changed the network interface, and added ssh. Voila, IPv6 works! Thanks for letting me know about this bug on my side, [Marco](https://twitter.com/marcodavids/status/1653862517309882369).
Then I added [Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). It's a security mechanism that cryptographically secures against man-in-the-middle attacks on the DNS level. I've enabled it in Vultr and copy-pasted a few records to Namecheap. Voila, it works!
The last thing I've added was proposed by [chr bre](https://twitter.com/chrbre/status/1654194363247804416) - [HTTP Strict Transport Security](https://pl.wikipedia.org/wiki/HTTP_Strict_Transport_Security). This tells the browser always to use HTTPS, effectively blocking usage of non-encrypted HTTP. All I was needed to do was to add a [header to NGINX config](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) for server listening on port 443.
After some testing, I've added [preload](https://hstspreload.org/) to the header and submitted it to Google. This submission will add this site to a list preloaded in Chrome, and other browsers, removing the first non-encrypted fetch of data. Of course, if I break HTTPS here, the site will stop working but what the hell.
I now have a 100% rating on [internet.nl](https://internet.nl/site/d-s.sh/2074274/), which is cool.
|
