Re: on to letsencrypt

Tim:
>> The DNS records need to be fixed before all else.  They need to be
>> held on a public DNS server that propagates them to the other DNS
>> servers.


Jack Craig:
> First, I get my static IP from AT&T, actually a block of eight
> addresses, of which only the first do they agree to pass through.
> 
> 
> Second, this used to work. I get my static IP from AT&T in a block of
> actually eight addresses, only the first of which do they agree to
> pass through, so I have been using DNS via name, HTTP, HTTPS for some
> time, and only since I've upgraded to Fedora 30 have I had this DNS
> battle.

Sounds ok.  One test would be to see if an outsider can ping your
public IP that's supposed to allow traffic through.  Though, that will
only work if your system responds to pings.  The other test is for
someone to try and browse your webserver at your public IP.

Your public IP has to route through to your own server.  You will
probably have to explain your network topology to us.  Which I've seen
you do, in general, further below.

But is your public IP in a range of "customer" addresses, or public
IPs?  If it's within the range allocated to an ISP's clients, other
networks around the world will consider your IP to be risky.  You'd
find doing mail a problem, at least.

> Networksolutions is my registrar; they provide to the world my domain
> name, my primary and secondary DNS servers, so I guess that's the
> external place you were referring to?

Yes.

> So AT&T provides the internet road, networksolutions provides the
> signage along the road to my place.
> 
> Isn't that the way it's supposed to work?

Yes.

By the look of things you need to reconfigure your DNS records.  Point
the A record for your domain, and the www. subdomain at your
webserver's IP.  Point your MX record at whoever handles mail to your
domain name.  Point the NS record at the name servers for your domain.


>> If your plan is for you to run your webserver on your own computer
>> and for people to connect to it, you have to find out if that's
>> actually possible with your ISP.  Many will forbid it, or their
>> network structure makes it nearly impossible.  And you'll need to
>> be able to handle all the attacks you'll be under.  There probably
>> isn't a website on the planet that someone isn't trying to exploit.

> I was hoping that wireguard would provide that kind of coverage via
> VPN.
> I have two routers in my access path.  The first one is the AT&T
> router, and its firewall is set to forward packets only from ports 53
> for 43 and 80; those packets alone are forwarded to my internal server
> internal router, which in turn contacts my server on my 10.0.0 net.

If you're also doing HTTPS, there will need to be port "443" passed
through, too.  I'm guessing "43" was a typo.  Both routers and your
computer will have to allow through the ports.  I see no point in
trying to be your own DNS server, though.

HTTPS *could* be a curly one to solve in your situation.  Certificates
can be tied to an IP address.  While an outsider will be connecting to
your public IP forwarded through, your webserver will be using its
local IP, and the cert wouldn't match.  *If* the cert has to match your
public IP, you'd need to set your computer's IP to be your public one.

But that may not be the case with you.  Solve the DNS problem first.

> I thought that having two firewalls between me and the world would be
> a larger advantage, but it sounds like what you're saying is that
> people can penetrate that no matter what.  That's depressing.

While firewalls can prevent unwanted connections through a network,
they don't protect you from things that are done through the allowed
connections.  Your webserver will have to be able to handle people
trying to exploit it.

On my public website, the error logs are full of people trying to
connect to known exploits in wordpress and various other software
suites that people run on webservers.  I don't run those things, so
they just get errors.

You'll also need to be able to handle the legitimate traffic.  You'll
have multiple crawlers from search engines, including many you've never
heard of, as well as actual people browsing it.

That's why I don't run my public website on my own system.
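As an added illustration of the checks discussed in this thread (the A/www/MX/NS records, and ports 80 and 443 being forwarded), here is a small Python sanity check that is not code from the thread. The domain, addresses and forwarding list are constructed placeholders standing in for the 10.0.0 LAN and the "53, 43, 80" forwarding rule described above.

```python
import ipaddress

# Constructed sample, not Jack's real configuration.  The public IP is a
# documentation placeholder (TEST-NET-3), the www record deliberately
# publishes a LAN address, and the port list repeats the suspected "43" typo.
PUBLIC_IP = "203.0.113.10"
DNS_RECORDS = {
    ("example.net.", "A"): ["203.0.113.10"],
    ("www.example.net.", "A"): ["10.0.0.5"],        # wrong: private address
    ("example.net.", "MX"): ["10 mail.example.net."],
    ("example.net.", "NS"): ["ns1.example.net.", "ns2.example.net."],
}
FORWARDED_PORTS = [53, 43, 80]

# RFC 1918 ranges: an address from these can never be reached from outside.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(addr):
    """True if addr is an RFC 1918 (private LAN) address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_dns(records, zone, public_ip):
    """Return a list of problems with the A, www, MX and NS records for zone."""
    problems = []
    for name in (zone, "www." + zone):
        addrs = records.get((name, "A"), [])
        if not addrs:
            problems.append(f"{name}: no A record")
            continue
        for a in addrs:
            if is_lan_address(a):
                problems.append(f"{name}: A record {a} is a private (LAN) address")
            elif a != public_ip:
                problems.append(f"{name}: A record {a} is not the public IP {public_ip}")
    for rtype in ("MX", "NS"):
        if not records.get((zone, rtype)):
            problems.append(f"{zone}: no {rtype} record")
    return problems


def check_ports(forwarded, want_https=True):
    """Return the web ports that still need forwarding to the webserver."""
    needed = {80, 443} if want_https else {80}
    return sorted(needed - set(forwarded))


if __name__ == "__main__":
    for p in check_dns(DNS_RECORDS, "example.net.", PUBLIC_IP):
        print("DNS:", p)
    print("ports missing from forwarding:", check_ports(FORWARDED_PORTS))
```

Run against real records, the inputs would come from `dig` output for the zone and from the router's forwarding table; the script then reports a www record pointing into the LAN and that 443 is not forwarded.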
