So now your ISP sees all of your queries instead of CF. (Assuming the cloudflared option is using DoH)
I’ll trust Cloudflare over Comcast/AT&T/etc. any day of the week.
I believe you. I’m just saying their non-firewalls (i.e., switches and APs) don’t have that limitation.
My firewall is a Fortigate 60F.
I would never use their firewalls/gateways, but their switches are pretty good for the price and their APs are decent (although tbh after 3 generations my next AP will likely be an enterprise Aruba).
That said, I still use Unifi in docker, everything is up to date, and nothing is requiring a sign-in to the cloud. Am I missing something? If it’s just the firewalls, then I’m not surprised since I’ve never been remotely tempted to use them, but it sure isn’t all of their devices.
In that case, if CF is talking to Traefik and not the actual origin server, you just need to forget about the origin certs altogether and use LE certs in Traefik.
If you, Traefik, and your origin server are on the same network, then it’s going to be one hop regardless of whether you’re hitting the Traefik proxy or the origin server. If Traefik is serving up the origin server’s cert and not the LE cert, then Traefik is misconfigured to pass through instead of proxy, but I’m still not sure that’s the case as it’s almost harder to configure it that way than the correct way as a proxy.
What IP:port is your origin server listening on, what IP:port is Traefik listening on, and how is Traefik configured to reach the origin server?
You said Traefik is getting certs from Cloudflare, but do you mean it’s getting Let’s Encrypt certs using a CF DNS challenge? And if that is the case, then your browser should trust the Traefik endpoint since LE certs are publicly trusted.
Are you sure you’re hitting Traefik when you get a cert warning? You need to update your internal DNS if not.
The CPU on the source used for compression is definitely the bottleneck for me. Internet is faster.
Third. The first thing I mention when one of my clients asks anything about PCI is to offload as much card processing onto third parties as possible.
And if you have nothing in place yet, then 100% offloaded should be possible (with the possible exception of secure payment terminals if you need to process physical cards).
That said, it is still possible to use your own hosted WordPress storefront and offload the payment processing via tokenization or redirection. But a turnkey solution like Shopify might be better if you lack the experience.
Haha fair enough. I should have known from the quotes. It is something I hear a lot from people who don’t know the difference, and I’m sure you do too.
Except they don’t. They may request a passkey which is just an oversimplification about what is going on behind the scenes, with information being passed back and forth as Steve described.
But the private key never leaves the device. This is such a huge distinction that is easy to overlook. But it is very, very important.
Adding my vote for Zabbix. It was a bit of a bear to set up and I had to write custom scripts to install the agents with TLS settings that were secure enough for me, but once it’s all set up it’s amazingly easy and intuitive to use and incredibly customizable.
This is the answer. Although you may need to look up the IP address (a lot of them use 192.168.100.1) and you may need to reconfigure your gateway/firewall/router to route that subnet out its WAN interface while still performing NAT.
Agree 100%. I self-host a lot of services but access to my passwords needs at least 3-nines uptime and the cost of providing that via Azure/AWS isn’t really worth it to me.
That said, I trust Bitwarden way more than I ever trusted Lastpass and I still use option 1 for highly sensitive accounts along with redundant Yubikeys (FIDO2, PIV, and GPG in that order) for anything that supports it.
I know plenty about SNI already, but thanks. You might want to study more yourself, since we’re being condescending.
https://blog.cloudflare.com/encrypted-sni/