
Comments (11)

jessuppi commented on May 28, 2024

As always thanks for your constructive criticism @NathanAdhitya

It definitely seems like a good idea to conditionally sign the IPs only if the sysadmin wants that, which is probably a rare case, so SlickStack should probably default to not doing that. It would probably also be fairly simple to add support for other names like localhost and such too.

About the Issuer, do you mean support for third-party CAs like ZeroSSL etc.?

from slickstack.

jessuppi commented on May 28, 2024

Perhaps some default ss-config options like this:

OPENSSL_CERT_DOMAINS="true"
OPENSSL_CERT_IPS="false"
OPENSSL_CERT_LOCALHOST="false"


NathanAdhitya commented on May 28, 2024

I think a more appropriate / better variable naming for readability's sake would be:

OPENSSL_CERT_INCLUDE_DOMAINS="true"
OPENSSL_CERT_INCLUDE_IPS="false"
OPENSSL_CERT_INCLUDE_LOCALHOST="false"

Also, consider checking my message in Discord. Thanks!


jessuppi commented on May 28, 2024

Ref: e98cb31


jessuppi commented on May 28, 2024

Update:

It's been almost a year since we changed to use -subj "/CN=localhost" and there's been no issues or complaints. I think at this point we can move ahead with removing IP addresses from the OpenSSL certs.

And probably, something like this:

"subjectAltName=DNS:${SITE_DOMAIN_EXCLUDING_WWW},DNS:${SITE_DOMAIN_INCLUDING_WWW},DNS:staging.${SITE_DOMAIN_EXCLUDING_WWW},DNS:dev.${SITE_DOMAIN_EXCLUDING_WWW}"

...depending on whether staging/dev are enabled in ss-config. I don't think there's any privacy concerns with always including the domains that are activated on a given SlickStack server, unless in some bizarre case where the cert is being used for a new domain already, and the old domains still exist in the cert or something, but that's virtually impossible to achieve with SlickStack anyways and I think stripping out the domains would be extreme and/or pointless.


jessuppi commented on May 28, 2024

Ref: https://github.com/littlebizzy/slickstack/blob/master/bash/ss-encrypt-openssl.txt


jessuppi commented on May 28, 2024

Per Discord chat:

https://stackoverflow.com/questions/11539121/how-can-i-tell-nginx-to-silently-ignore-requests-that-dont-match-and-let-them-ti


jessuppi commented on May 28, 2024

Ref: c4d936e


jessuppi commented on May 28, 2024

The big one...

Ref: 40cd39c


jessuppi commented on May 28, 2024

This one is for localhost support...

Ref: 8a7f63d

...Note that, maybe we should also add support for arbitrary IP addresses?

Ref: https://stackoverflow.com/questions/60030906/self-signed-certificate-only-works-with-localhost-not-127-0-0-1


jessuppi commented on May 28, 2024

Here's the supported options now in ss-config with their default values:

OPENSSL_CERT_INCLUDE_DOMAINS="true"
OPENSSL_CERT_INCLUDE_IPS="false"
OPENSSL_CERT_INCLUDE_LOCALHOST="false"

I think this covers nearly all scenarios while defaulting to safe default values... as far as my last post about arbitrary IP addresses, that seems to be localhost related, so perhaps our options would be enough already. And if it's not enough, it's a very niche case and probably not important enough to worry about for now. Closing this, thanks again.

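The subjectAltName string sketched in the earlier "Update" comment and the three OPENSSL_CERT_INCLUDE_* switches from the last comment, worked into one shell helper. This is an added example, not SlickStack's own ss-encrypt-openssl code; the STAGING_SITE, DEV_SITE and SERVER_IPV4 variable names and the two function names are assumptions.

```shell
#!/bin/sh
# Added example (not SlickStack's code): build the subjectAltName value for the
# self-signed OpenSSL cert from ss-config style switches. The OPENSSL_CERT_INCLUDE_*
# options and SITE_DOMAIN_* names are from the thread; STAGING_SITE, DEV_SITE and
# SERVER_IPV4 are assumed names.

ss_build_san() {
    san=""
    if [ "${OPENSSL_CERT_INCLUDE_DOMAINS:-true}" = "true" ]; then
        san="DNS:${SITE_DOMAIN_EXCLUDING_WWW}"
        # add the www twin only when it differs (a subdomain install has none)
        if [ "${SITE_DOMAIN_INCLUDING_WWW}" != "${SITE_DOMAIN_EXCLUDING_WWW}" ]; then
            san="${san},DNS:${SITE_DOMAIN_INCLUDING_WWW}"
        fi
        # staging/dev names only when those sites are enabled in ss-config
        [ "${STAGING_SITE:-false}" = "true" ] && san="${san},DNS:staging.${SITE_DOMAIN_EXCLUDING_WWW}"
        [ "${DEV_SITE:-false}" = "true" ] && san="${san},DNS:dev.${SITE_DOMAIN_EXCLUDING_WWW}"
    fi
    if [ "${OPENSSL_CERT_INCLUDE_LOCALHOST:-false}" = "true" ]; then
        # localhost needs a DNS entry and an IP entry: clients match 127.0.0.1
        # against IP: SANs, never against DNS: ones
        san="${san:+${san},}DNS:localhost,IP:127.0.0.1"
    fi
    if [ "${OPENSSL_CERT_INCLUDE_IPS:-false}" = "true" ] && [ -n "${SERVER_IPV4}" ]; then
        san="${san:+${san},}IP:${SERVER_IPV4}"
    fi
    # refuse an empty extension: openssl rejects it, and a cert without any
    # SAN is not accepted by modern clients anyway
    if [ -z "${san}" ]; then
        echo "ss_build_san: no names selected, check OPENSSL_CERT_INCLUDE_* options" >&2
        return 1
    fi
    printf '%s\n' "subjectAltName=${san}"
}

# Generate key and cert with the SAN extension (-addext needs OpenSSL 1.1.1+).
# Keeps the -subj "/CN=localhost" form the thread reports as working.
ss_generate_cert() {
    san="$(ss_build_san)" || return 1
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "${1:-server.key}" -out "${2:-server.crt}" \
        -subj "/CN=localhost" -addext "${san}"
}
```

Default switches yield a cert carrying only the activated site names; enabling the localhost or IP switch appends those entries rather than replacing the domains.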
