path: root/posts/201609-letsencrypt.rst
Diffstat (limited to 'posts/201609-letsencrypt.rst')
-rw-r--r--posts/201609-letsencrypt.rst23
1 files changed, 19 insertions, 4 deletions
diff --git a/posts/201609-letsencrypt.rst b/posts/201609-letsencrypt.rst
index 060681f..2ba4221 100644
--- a/posts/201609-letsencrypt.rst
+++ b/posts/201609-letsencrypt.rst
@@ -147,7 +147,7 @@ Snippets
include mail.domain.conf;
}
-| The initial configuration already shows, that we now have three services that will need to be covered by the certificate, which we want to get. The |website-roundcube| webmail service I picked for demonstrational purposes as a hidden service. This is not meant to badmouth their security, but to show that you can hide your service behind a :abbr:`VPN (Virtual Private Network)`, if you choose to.
+| The initial configuration already shows, that we now have three services that will need to be covered by the certificate, which we want to get. The |website-roundcube| webmail service I picked for demonstrational purposes as a hidden service. This is not meant to badmouth their security, but to show that you can hide your service behind a |abbr_vpn|, if you choose to.
| To achieve something like that, you can use the |website-nginx| geo plugin. When you setup a VPN infrastructure, this will lead to you having a separate connection to your server within a |wiki-private_network|. For the sake of simplicity let us assume your server will have **172.16.0.1** and your client computer **172.16.0.2** as IPs in this setup.
| On your server you can now explicitely look for the correct client and allow or deny access. Another block for the |website-nginx| configuration can be used to let you include this in your domain configurations:
|
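Review bot: Swapping the `:abbr:` role for the `|abbr_vpn|` substitution (whose definition is a `raw:: html` block) means the abbreviation is emitted only by the HTML writer; any other output format drops the raw node entirely, so "VPN" vanishes from that sentence instead of degrading to plain text. If only HTML is ever built that is acceptable, but it is worth a comment in the source. Unrelated to the change but in the hunk's context: "explicitely" should read "explicitly".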
@@ -306,7 +306,7 @@ moar snippets
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "none";
-| A little note on the **Content-Security-Policy** here: Usually one would try to have the targets (**default-src**, **connect-src**, **img-src**, **script-src**, **style-src**) be set to *'self'*. Due to the inline :abbr:`CSS (Cascading Style Sheets)` and Javascript in services such as |website-owncloud| and |website-roundcube|, this is not possible though, so *'unsafe_inline'* and *'unsafe_eval'* have to be added as well for some of them.
+| A little note on the **Content-Security-Policy** here: Usually one would try to have the targets (**default-src**, **connect-src**, **img-src**, **script-src**, **style-src**) be set to *'self'*. Due to the inline |abbr_css| and Javascript in services such as |website-owncloud| and |website-roundcube|, this is not possible though, so *'unsafe_inline'* and *'unsafe_eval'* have to be added as well for some of them.
| At this point you could of course also choose to create differing *'security_headers'* inclusions for the services you run.
| Depending on which are running, you will want to monitor your developer console in your browser closely after using this security header. It will tell you, if CFP is blocking some resource (and possibly making it unusable).
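Review bot: The CSP keywords in the changed line are spelled with underscores, `'unsafe_inline'` and `'unsafe_eval'`, but the source-list keywords defined by the Content Security Policy specification are `'unsafe-inline'` and `'unsafe-eval'` (hyphens); a reader copying these into a header would get a policy the browser silently ignores for those keywords, which blocks the very inline CSS and JavaScript the paragraph is trying to allow. Since the line is being touched anyway, correct the spelling here. In the trailing context, "CFP is blocking" should be "CSP is blocking".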
@@ -563,7 +563,7 @@ Your mail server can also use this certificate now (if your |wiki-mx_record| poi
Dovecot
+++++++
-The same counts for your :abbr:`IMAP (Internet Message Access Protocol)` server:
+The same counts for your |abbr_imap| server:
* */etc/dovecot/dovecot.conf*
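Review bot: Style only, since the line is being rewritten: "The same counts for your IMAP server" is a literal rendering of the German idiom; "The same applies to your IMAP server" reads naturally in English.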
@@ -574,7 +574,7 @@ The same counts for your :abbr:`IMAP (Internet Message Access Protocol)` server:
Prosody
+++++++
-| The :abbr:`XMPP (Extensible Messaging and Presence Protocol)`/Jabber server is unfortunately not able to directly access the data in */etc/letsencrypt/live/domain.tld*, because it runs as its own user (*prosody*).
+| The |abbr_xmpp|/Jabber server is unfortunately not able to directly access the data in */etc/letsencrypt/live/domain.tld*, because it runs as its own user (*prosody*).
| You can work around this issue by either changing many permissions, or copy the set of files over to */etc/prosody/certs/* and set these up in your configuration.
| I recommend the latter, as otherwise you will have to change many file and directory permissions, that are seemingly handled by |website-certbot| and thus lower the overall security of your system.
|
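Review bot: The surrounding context recommends copying the Let's Encrypt files into `/etc/prosody/certs/` rather than adjusting permissions, but the copy is a snapshot: after the next renewal the files under `/etc/letsencrypt/live/` change while the copies Prosody reads do not, and the XMPP service will eventually present an expired certificate. The paragraph should point to the Renewal section (visible in the last hunk's header) and state that the copy step has to be repeated on every renewal, ideally from a renewal hook, since otherwise the "lower the overall security" argument trades one risk for another.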
@@ -876,3 +876,18 @@ Renewal
<a href="https://prosody.im" target="_blank">prosody</a>
+.. |abbr_vpn| raw:: html
+
+ <abbr title="Virtual Private Network" >VPN</abbr>
+
+.. |abbr_css| raw:: html
+
+ <abbr title="Cascading Style Sheets" >CSS</abbr>
+
+.. |abbr_imap| raw:: html
+
+ <abbr title="Internet Message Access Protocol" >IMAP</abbr>
+
+.. |abbr_xmpp| raw:: html
+
+ <abbr title="Extensible Messaging and Presence Protocol" >XMPP</abbr>
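Review bot: Each new `raw:: html` substitution emits a stray space before the closing `>` in `<abbr title="..." >`; it is valid HTML but inconsistent with the `<a href="..." target="_blank">` substitution just above, so drop the space. More substantively, these definitions carry no fallback for non-HTML writers, so a reader of any other build sees an empty substitution where the `:abbr:` role previously produced text; if the blog is only ever rendered to HTML, a short comment saying so next to the definitions would save the next editor from wondering.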