I think this is a lesson that “just have a human check the AI’s output” will never work because AI easily generates more output than humans have attention.
But then tragedy struck. As soon as the hostname recipes.macchaffee.com landed in the Certificate Transparency logs, I was reminded that the internet is a hostile place since I immediately received requests from scanners searching for vulnerabilities or sensitive files (a common occurrence).
It’s a good idea to use wildcard certs so that you don’t have to make specific hostnames public. Sure, there are ways to discover non-obvious hostnames from DNS, but we don’t have to make things easy for bots.
Of the requirements the author lists, I hit all of them (except the one about multi-regional, which I don’t really get why if the hop is geographically close to your server; and the one with metrics, though that can be added. I guess the memory-safe part isn’t hit either, but if you find a memory-safety vulnerability in the kernel, you have bigger problems).
As for the SSL issue, you should use a wildcard certificate so subdomains don’t show up in certificate transparency logs.
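Worth being precise about what a wildcard actually hides, since the two comments above lean on it. A Certificate Transparency entry publishes every name in the certificate’s SAN list; `*.example.com` reveals only that `example.com` exists, but a wildcard covers exactly one label (RFC 6125 matching), so `dev.api.example.com` needs either an explicit SAN or a second wildcard that itself discloses `api.example.com`. The code below is an added example, not from the thread or the article: it implements the one-label matching rule, decides whether serving a new hostname forces a new certificate (and so a new CT entry), plans a SAN list for a set of hostnames, and lists what an observer of the logs would learn from it. The `example.com` names are placeholders.

```python
def wildcard_matches(pattern, hostname):
    """RFC 6125-style match: '*' may only be the entire left-most label and
    matches exactly one label, so '*.example.com' covers 'a.example.com' but
    neither 'example.com' itself nor 'b.a.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def needs_new_cert(existing_sans, hostname):
    """True if no name already in the certificate covers `hostname`, i.e. serving it
    means issuing a certificate that names it and therefore lands it in CT."""
    return not any(wildcard_matches(san, hostname) for san in existing_sans)


def plan_sans(apex, hostnames):
    """Build the smallest SAN list that covers `hostnames` with wildcards wherever
    the one-label rule allows. Deeper subdomains get a wildcard one level up,
    which still exposes the intermediate label in CT."""
    sans = set()
    for host in hostnames:
        host = host.lower().rstrip(".")
        if host == apex:
            sans.add(apex)
            continue
        if not host.endswith("." + apex):
            raise ValueError(f"{host} is not under {apex}")
        labels = host[: -len("." + apex)].split(".")
        # Drop the left-most label and wildcard it; keep the rest visible.
        sans.add("*." + ".".join(labels[1:] + [apex]))
    return sorted(sans)


def names_disclosed(sans):
    """The concrete names a CT log watcher learns from this SAN list: each plain
    SAN verbatim, and for each wildcard the parent it is attached to."""
    return sorted({san[2:] if san.startswith("*.") else san for san in sans})


if __name__ == "__main__":
    wanted = ["recipes.example.com", "example.com", "dev.api.example.com"]
    sans = plan_sans("example.com", wanted)
    print("SANs to request:", sans)
    print("what CT reveals:", names_disclosed(sans))
    print("recipes needs its own cert?",
          needs_new_cert(["*.example.com", "example.com"], "recipes.example.com"))
```

The practical reading: keep the hostnames you care about hiding at exactly one label below a name you are happy to publish, and a single wildcard certificate serves all of them without ever naming them. Anything nested deeper costs you either an explicit SAN or a disclosed intermediate label.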
It feels odd to not even nod towards tailscale in the article. Not sure if this was an oversight or it doesn’t meet some unmentioned criteria. Take a look at TailScale Funnel
I am a maintainer/work a lot on the fully open source, fully self-hostable zero trust overlay that powers the tunneling tech behind zrok called OpenZiti. zrok is also usable for free in a limited capacity if you don’t want to self-host at zrok.io. Lots of people like using it for simplicity, it’s nice to not have to host your own stuff, but if you want to you surely can.
Very nice article, thank you for this gem:
Does he really mean “flouting?”
🤦♂️ Thanks, edited! I’ll edit the title on the site tomorrow.
I see this mistake often:
I wrote up something earlier this month that may be a lot more lightweight/reliable than tuns: https://ersei.net/en/blog/no-ip-no-problem
I evaluated Tailscale in addition to many other excellent unmentioned options from https://github.com/anderspitman/awesome-tunneling
There’s a great many of these tunneling types of projects now-a-days. A great big list of them can be found at: https://github.com/anderspitman/awesome-tunneling.