SSL on internal Linux devices

I am trying to get HTTPS/SSL to work with Linux devices running on an internal network at customers.
I am developing a website that needs to communicate with a Linux device running at our customers to give access to physical devices like printers and scanners. This worked fine until Chrome updated its security, which means that we cannot use the application cache anymore unless we are running HTTPS. This forces us to communicate with the Linux device via HTTPS also, but we only have self-signed certificates for the devices and these are rejected in the browser.
I have been trying to figure out a way of getting this to work without having to manually install certificates on the customer devices. One of the ideas of our product is that it can be used on all devices without installation.
So far I have had no luck in figuring out a way to get around the security in the browser, or setting up certificates in a way where the browser doesn't reject them.
Our website is running Angular and I have tried using the Request package, where it should be possible to disable rejection of invalid SSL certificates, but no luck.
I have considered using websockets, but as the initial handshake will be done using an HTTPS request I expect this won't work either, as the handshake cannot be done without the browser failing over the certificate.
I have also been in contact with GlobalSign, who just confirmed everything I have read so far: that this can only be solved by installing a chain of trust on the devices that need to access the Linux devices over the internal network.
So what I am looking for is any alternative way of communicating with the Linux device that will work while the website is running HTTPS, or some way of getting valid certificates for the Linux device that won't be rejected by the browser.

How do the other devices see this website? By a public hostname? By a private non-FQDN host? If the other devices see the website as any valid FQDN hostname, then you can issue a free LetsEncrypt SSL for that host, and use it internally (once issued).

Related

how to link local IP Address to a domain name in local network, so website can be accessible to any device using the domain name?

I am a noob to programming and networking, so please forgive me for any mistakes.
I have searched on Stack and Google for my problem, but the solutions I found didn't go well with me, so please do consider answering my question even if you consider it a simple or duplicate question.
My problem: I have a Node.js server built using Express and it can be accessed at the address http://192.168.209.239:8001/. Now I want to access the server using a domain name like a normal website, say I want to access the server using http://myserver.app/.
Found solutions: I found out about DNS but I was not able to set it up. Then I found that editing the etc/host file can solve this, but the domain name was only working on my laptop where the app is running; if I connect my phone to the same network and type the domain name, it does not work.
I found out about mDNS, but it was a very old post which said we can use Apple Bonjour. It is not working, as I learned that Microsoft has done some implementation of mDNS, so to make Bonjour work you have to disable mDNS in the registry, and I am not willing to do that.
What I ask: please give me a step-by-step guide on how to set up DNS or mDNS on my machine so that if any device connects to my network it can access the Node.js app through its browser using the domain URL http://myserver.app/.
I am using
Node.js 16.13.2,
Express 4.17.2,
Windows 11 version 21H2 build 22000.376
My network is like this: I have connected my mobile hotspot to my laptop, and any new device connects to the hotspot, so my mobile is kind of a WiFi router.
If a different laptop connects to my hotspot I should be able to access the website using the domain name myserver.app.
My phone is using Android 11,
and please do consider:
I do not want to use any online DNS providers like easyDNS or AWS;
I want a local solution which I can run on my laptop.
Ideally you need a DNS server for this, but it won't work with a dynamic IP as your machine's IP can change after reboot.
You can add the domain as a host entry on each machine: this will not work with mobile, and you also need to change the IP as your machine/server IP changes.
If you have a static IP, just go for any DNS service provider (easyDNS, AWS), and as it's an internal IP it will work for all devices which are in the network.
Found this; it may work for you: https://www.noip.com/support/knowledgebase/how-to-configure-ddns-in-router/
Starting with Android 9 Pie it is possible to change DNS globally, provided they support TLS. Just go in
Settings → Network & internet → Advanced → Private DNS
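The "local DNS server you can run on your laptop" that the question asks for, as an added example that is not part of any answer above: a minimal authoritative responder, standard library only, that answers A queries for one name. The hostname is the one from the question; the address, the TTL and the zone mapping are constructed assumptions. It deliberately returns NXDOMAIN for names it does not know and an empty NOERROR reply for record types it does not hold (AAAA, for instance), which is what a well-behaved resolver expects.

```python
"""Tiny authoritative DNS responder for one LAN name, standard library only."""
import socket
import struct

# Constructed zone: the hostname from the question mapped to the laptop's LAN
# address; change the address to whatever the server actually has.
ZONE = {"myserver.app.": "192.168.209.239"}
TTL = 60  # short TTL so a changed laptop address is picked up quickly

A, AAAA, ANY = 1, 28, 255
IN = 1


def build_query(name: str, qtype: int = A, txn_id: int = 0x1234) -> bytes:
    """Encode a standard recursion-desired query, as a stub resolver sends it."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, IN)


def parse_question(packet: bytes):
    """Return (txn_id, qname, qtype, qclass, end_offset) for a one-question packet."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txn_id, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer inside a question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txn_id, ".".join(labels).lower() + ".", qtype, qclass, pos + 4


def build_response(query: bytes) -> bytes:
    """Answer A/ANY queries for names in ZONE; NXDOMAIN for everything else."""
    txn_id, qname, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    ip = ZONE.get(qname)
    if ip is None:
        # QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN): echo the question, no answer
        return struct.pack("!HHHHHH", txn_id, 0x8183, 1, 0, 0, 0) + question
    if qclass != IN or qtype not in (A, ANY):
        # Name exists but we hold no record of that type (e.g. AAAA): NOERROR, empty
        return struct.pack("!HHHHHH", txn_id, 0x8180, 1, 0, 0, 0) + question
    # Answer name is a compression pointer to offset 12, where the question name sits
    answer = struct.pack("!HHHIH", 0xC00C, A, IN, TTL, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0) + question + answer


def summarize(response: bytes) -> dict:
    """Extract the fields a client cares about from a response produced above."""
    txn_id, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    ip = None
    if ancount:
        qend = parse_question(response)[4]  # question layout is identical in replies
        rdlen = struct.unpack("!H", response[qend + 10:qend + 12])[0]
        ip = socket.inet_ntoa(response[qend + 12:qend + 12 + rdlen])
    return {"id": txn_id, "rcode": flags & 0x0F, "answers": ancount, "ip": ip}


def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Serve UDP queries; port 53 needs administrator rights, and clients must be
    pointed at this machine as their DNS server (hotspot DHCP or manual setting)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(build_response(data), peer)
            except (ValueError, IndexError, UnicodeDecodeError):
                pass  # malformed query: drop it rather than crash the server


if __name__ == "__main__":
    serve()
```

Two things to keep in mind when running it: a device pointed at this server loses resolution for every other name, because the responder does not forward unknown queries upstream (it answers NXDOMAIN), so for daily use you would add forwarding or put the name into a real resolver such as dnsmasq; and binding to 0.0.0.0 exposes the responder on every interface, so bind it to the hotspot-facing address only.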

Resolving minwinpc.local on SoftAP

When I connect to the Windows IoT board normally, accessing "minwinpc.local:8080" to get to the IoT device portal works fine in the same network. However, when the same is done through the built-in SoftAP (using WiFiDirectAdvertisementPublisher), the hostname cannot be resolved. The device portal is still reachable if accessed directly through the IP (by default 192.168.137.1 on SoftAP).
This behaviour can also be observed using custom services – i.e. hostname resolution only works through external networks, but not if the IoT board itself is hosting a SoftAP.
Is there any configuration that I need to apply or any settings I need to configure using PowerShell in order to enable name resolution on the SoftAP interface?
Update
Further testing:
Initial AJ_SoftAPSsid
Windows client: minwinpc:8080 works fine, minwinpc.local:8080 does not work
macOS client and Windows in VMware: minwinpc:8080 does not work, minwinpc.local:8080 works fine
iPhone hotspot with DragonBoard as client
Windows client: minwinpc:8080 works fine, minwinpc.local:8080 works fine
macOS client and Windows in VMware: minwinpc:8080 does not work, minwinpc.local:8080 works fine
Custom SoftAP hosted by DragonBoard
Windows client: minwinpc:8080 works fine, minwinpc.local:8080 works fine
macOS client and Windows in VMware: minwinpc:8080 does not work, minwinpc.local:8080 does not work, only direct access through IP works (192.168.137.1:8080).
Related questions:
MSDN forums (same question)
https://unix.stackexchange.com/questions/385235
https://superuser.com/questions/1239910/multicast-dns-over-softap-on-win10-iot
The Windows client automatically attempts to enrich minwinpc:8080 to become minwinpc.local:8080. When it is a virtual client, it is dependent upon the host OS X name resolution, which doesn't do that automatic hostname enrichment upon lookup.
I see the following from:
https://msdn.microsoft.com/en-us/library/windows/desktop/dd815243(v=vs.85).aspx
... In addition, SoftAP does not provide the DNS resolution. In the case where an external DNS server is not made available using Internet Connection Sharing (see the discussion of ICS below), fully qualified domain name (FQDN) resolution between any two computers or devices connected with the SoftAP, including the computer hosting the SoftAP, would only work if both entities mark the network type of the SoftAP network as PRIVATE (HOME or WORK in the network category pop-up). Since the machine hosting the SoftAP always marks the SoftAP network type as PRIVATE, only the computers or devices connected to SoftAP need to mark the SoftAP network type as PRIVATE in order for FQDN resolution to work...
Which sounds like what you are experiencing is the intended behavior of SoftAP. If you would like to see this in action, flush the DNS cache on the client and then Wireshark the request; on Windows, you should see at least two DNS requests when attempting connections to minwinpc:8080.

Only allow whitelisted MACs access to network

I got an email from my ISP that I have been a victim of the Mirai botnet, as it decided to take over my security cameras. I thought I was safe from this since none of my devices use default passwords, but it appears there was also a telnet vulnerability the bastards were using, and they were able to create an admin user on the camera server and hijack it. (I've since updated the firmware, wiped out the users and turned off UPnP.)
With that said, I would like to get a much better handle on my network after this incident.
I have an ASUS RT-AC66R router running Merlin's firmware instead of stock ASUS.
I have scoured every settings page of the router and cannot find what I am trying to do. How can I set up a whitelist of MAC addresses to prevent unauthorized access to the camera server on my network? The only devices that should have access are my local machines and my phone, which I can get all the MACs for. I saw some options for IP address white/blacklisting, but that will only do me good on the local network since my IP could be anything on my phone when connecting remotely.
So my next guess is that I need to set up a Linux box to act as a firewall before my router?
Can someone point me in the right direction here? Newbie to networking, but I know Linux basics and do software development in VB.NET/JS.
Also, how can I get some logging going so I can start looking at who is hitting my IP on a daily basis and start locking down my network better?
Thanks!
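For the logging half of the question, an added example (not from the post or from the router's firmware): once a firewall rule on the router or on a Linux box in front of it logs packets destined for the camera server, the kernel LOG target writes lines with IN=, MAC=, SRC=, DST= and DPT= fields, and this script counts who is hitting the camera and flags any source MAC that is not on the owner's allow-list. The camera address, the allow-list and the log lines are all constructed. The sample also shows the limit of MAC whitelisting that the question is circling: on the WAN interface the source MAC is the ISP gateway's, so a phone connecting from the internet can never be identified by MAC, and remote access needs a different control (a VPN into the LAN, for example) rather than a MAC filter.

```python
"""Audit netfilter LOG lines for connections to one host, flagging source MACs
that are not on an allow-list. Constructed example, not from the original post."""
import re
from collections import Counter

# Constructed values: the camera server's LAN address and the owner's known MACs.
CAMERA_IP = "192.168.1.20"
ALLOWED_MACS = {"de:ad:be:ef:00:01"}  # e.g. the owner's laptop

# Constructed sample lines in the format the kernel LOG target writes. On eth0
# (the WAN side) the source MAC is the ISP gateway's, never the remote client's.
SAMPLE_LOG = """\
Dec 12 10:00:01 router kernel: CAM: IN=br0 OUT= MAC=aa:bb:cc:00:00:01:de:ad:be:ef:00:01:08:00 SRC=192.168.1.50 DST=192.168.1.20 PROTO=TCP SPT=51234 DPT=80 SYN
Dec 12 10:00:02 router kernel: CAM: IN=br0 OUT= MAC=aa:bb:cc:00:00:01:de:ad:be:ef:00:02:08:00 SRC=192.168.1.77 DST=192.168.1.20 PROTO=TCP SPT=40001 DPT=23 SYN
Dec 12 10:00:03 router kernel: CAM: IN=eth0 OUT= MAC=aa:bb:cc:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=192.168.1.20 PROTO=TCP SPT=6000 DPT=23 SYN
Dec 12 10:00:04 router kernel: CAM: IN=eth0 OUT= MAC=aa:bb:cc:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=192.168.1.20 PROTO=TCP SPT=6001 DPT=23 SYN
Dec 12 10:00:05 router kernel: CAM: IN=br0 OUT= MAC=aa:bb:cc:00:00:01:de:ad:be:ef:00:01:08:00 SRC=192.168.1.50 DST=192.168.1.99 PROTO=UDP SPT=5353 DPT=5353
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_log_line(line: str):
    """Return the interesting fields of one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    octets = ev["mac"].split(":")
    # The MAC= field is destination MAC (6 octets), source MAC (6), EtherType (2)
    ev["src_mac"] = ":".join(octets[6:12]) if len(octets) >= 14 else None
    ev["dpt"] = int(ev["dpt"])
    return ev


def audit(log_text: str, camera_ip: str = CAMERA_IP, allowed_macs=ALLOWED_MACS) -> dict:
    """Count hits on camera_ip per (source, proto, port) and list unlisted MACs."""
    hits = Counter()
    unlisted = []
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev is None or ev["dst"] != camera_ip:
            continue
        hits[(ev["src"], ev["proto"], ev["dpt"])] += 1
        if ev["src_mac"] not in allowed_macs:
            unlisted.append((ev["src"], ev["src_mac"], ev["iface"], ev["dpt"]))
    return {"hits": hits, "unlisted": unlisted}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for (src, proto, dpt), n in report["hits"].most_common():
        print(f"{src:>15} {proto}/{dpt:<5} {n} packets")
    for src, mac, iface, dpt in report["unlisted"]:
        print(f"not on allow-list: {src} ({mac}) via {iface} -> port {dpt}")
```

Feed it the router's syslog output (the LOG prefix, here `CAM:`, is whatever the logging rule uses) and the `hits` counter answers "who is hitting my IP on a daily basis"; the `unlisted` list is the MAC-whitelist check, and every WAN-side entry in it carries the same gateway MAC, which is why the filter only protects against hosts on the local segment.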

Connect Linux computers to CentOS web server

I would like to ask how other Linux computers can connect to my CentOS web server. Btw, I'm using VirtualBox for the CentOS. I tried googling it but it is giving me a hard time to find a good answer, so I'm trying to ask here if someone knows about it. Thank you in advance!
It depends on how you are trying to access the web server.
If you are simply trying to access a website you have on the server, then you have the following options:
If the IP address of the server is registered with DNS then it's pretty much straightforward.
If the IP address is not registered, etc. and it's under the same network as the other Linux computer, then you need to know what IP address the CentOS web server has, which you will use to access it via a web browser.
If the web server is located in another network, then you will have to look into port forwarding.
If you are trying to access the web server to do anything else but accessing a website (e.g. installing software, doing configuration, etc.) then you have the following option(s):
set up SSH to securely access the server remotely.

Using IPsec to secure traffic

I have a client server environment and would like to secure the network traffic using IPsec. What is involved to get this implemented? The application is working fine, I just need to secure the traffic between computers.
What do I need - certificates on each computer for example? Do I need to make changes to the socket read/write code?
Since IPsec is implemented at the IP level, your application does not need to be changed for IPsec (and it will not notice anything about it).
What exactly is needed for IPsec depends, but you'd be better off asking this question on Server Fault.
