Two-way SSL authentication used in a private network with private CA - application to lighttpd 1.4.45

This post shows a minimalist configuration for two-way authentication (HTTPS + client-side verification) on a secure closed-membership network. A self-generated private CA issues the server and client certificates. The specific full example shown is for lighttpd v1.4.45 as server and Firefox browser v65.0 as client - but the general method has wider applications.


Redirect Wrong-addressed DNS Requests to Pi-hole, but Save Their Identities - UBNT Edge Router Lite

The term "hard-coded DNS clients" refers to clients that always address a DNS request wrongly, sending it to a hard-coded server they know instead of the one recommended by DHCP. However, some clients make both rightly and wrongly addressed DNS requests, so here the term "wrongly-addressed DNS requests" is used instead.

There are a number of discussions and tutorials on this topic on Reddit, the UBNT community, and elsewhere. The usual solution is to implement a DNAT/SNAT pair of rules to deflect the DNS packet from the undesired external DNS server to the desired Pi-hole DNS server.

The problem with that usual solution is that, under certain circumstances, the wrongly-addressed requests are conglomerated and recorded by Pi-hole as coming from a single address, the gateway. Using the UBNT ERLite 3 router is one such circumstance.

This post discusses a configuration that lets Pi-hole know the separate identity of each wrongly-addressed DNS client, so each such client's statistics can be displayed separately. In addition, for each client the rightly-addressed and wrongly-addressed DNS queries are counted separately.


Configuration-free sendmail/mail alternative - a 30-line script file

If the only thing a server uses mail for is system notifications, life can be simplified. Skip sendmail/mail program installation and configuration. No need to worry whether the SMTP server is a security risk. Instead, set up a simple script which sends all notifications via an HTTPS API to an MTA (Mail Transfer Agent).

How is this possible? Because every notification is sent using one of the executables mail or sendmail, those executables only have to be substituted with links to our simple script file.


Password-free unattended backup with an OpenPGP/gpg encryption key

Leaving a password in the clear in a backup script file is a nuisance because care must be taken not to accidentally make it public. Also, it's a temptation for nosy people.

An OpenPGP/GnuPG standard asymmetric key only requires a password during decryption, and not during encryption, which solves that problem. (OpenPGP is the standard, GnuPG the implementation.)

We show how to create an encryption key without a signing key.

We show a couple of examples of how to use the key:

  • unattended duplicity backup
  • auto backup of etckeeper data
