Codebase for my homepage.
git clone git://vcs.sapka.me/michal-sapka-me
Log | Files | Refs

commit 2e94b35a38e4c51ad35ce95e7520609a8b5df183
parent 6e421843c870910b72824d92a1a67b48609a4abb
Author: MichaƂ M. Sapka <michal@sapka.me>
Date:   Fri,  5 May 2023 13:59:30 +0200

feat: article for 2023-05-05

Acontent/2023/fixing-ipv6-and-securing-the-domain.md | 23+++++++++++++++++++++++
1 file changed, 23 insertions(+), 0 deletions(-)

diff --git a/content/2023/fixing-ipv6-and-securing-the-domain.md b/content/2023/fixing-ipv6-and-securing-the-domain.md @@ -0,0 +1,23 @@ +--- +title: Fixing IPv6 and securing the domain +category: "software" +abstract: Mistakes were made +date: 2023-05-05T13:55:14+02:00 +year: 2023 +draft: false +tags: +- meta +- IPv6 +- DNSSEC +- Ok +--- +HSTS, so [recent IPv6 enablement](/2023/now-served-from-ipv6/) didn't went smooth. Even though I've added the AAAA record and I was able to `ping6(8)` from my FreeBSD machine, I forgot about configuring the firewall. Sadly, I know very little about `pf.conf(5)`, so I used a [ready config](https://forums.FreeBSD.org/threads/ipv6-not-working-with-pf.66772/post-395165), changed the network interface, and added ssh. Voila, IPv6 works! Thanks for letting me know about this bug on my side, [Marco](https://twitter.com/marcodavids/status/1653862517309882369). + +Then I added [Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions). It's a security mechanism that cryptographically secures against man-in-the-middle attacks on the DNS level. I've enabled it in Vultr and copy-pasted a few records to Namecheap. Voila, it works! + +The last thing I've added was proposed by [chr bre](https://twitter.com/chrbre/status/1654194363247804416) - [HTTP Strict Transport Security](https://pl.wikipedia.org/wiki/HTTP_Strict_Transport_Security). This tells the browser always to use HTTPS, effectively blocking usage of non-encrypted HTTP. All I was needed to do was to add a [header to NGINX config](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) for server listening on port 443. + +After some testing, I've added [preload](https://hstspreload.org/) to the header and submitted it to Google. This submission will add this site to a list preloaded in Chrome, and other browsers, removing the first non-encrypted fetch of data. Of course, if I break HTTPS here, the site will stop working but what the hell. + +I now have a 100% rating on [internet.nl](https://internet.nl/site/d-s.sh/2074274/), which is cool. +