
I have set up Nginx as a reverse proxy listening on port 443 for several blogs.
CONFIGURING NGINX TO WORK WITH STUNNEL HOW TO
At the very least perhaps consider sticking something like Cloudflare Access in front of it to limit access to specific users that have been authenticated externally. How to put Stunnel behind an Nginx reverse proxy to mask OpenVPN 1.


CONFIGURING NGINX TO WORK WITH STUNNEL ANDROID
Since then, BI + stunnel with private certs has worked without problems (including UI3, the Android app and the iOS app). Earlier this year I worked with the BI developers to resolve an issue in the Android app that broke support for private CAs. You’re still hosting a service and exposing direct access to it that probably isn’t battle-hardened for that kind of access given it lacks even basic SSL features. This tutorial illustrates the basics of setting up SSL with NGINX and shows how you can force traffic from port 80 HTTP to port 443 HTTPS. SSL/TLS Offloading. Actually, BI works fine with privately signed certificates. cert server-cert.pem key server-key.pem CAfile ca-cert.pem verify 3 sslVersion all options NOSSLv2 options NOSSLv3 options NOTLSv1 options NOTLSv1. It might be wise to note that SSL isn’t a panacea. At my server endpoint, it is using stunnel & I am not sure how to configure the CA certs. If any pre-auth vulnerabilities are discovered with its login screen, API, etc. It’s good you’ve added SSL but it still seems pretty risky to me to allow someone direct access to Blue Iris. To build Nginx to work with the Universal Modules, modify the build and configuration procedure as follows: In step 4, copy the module source code ngxhttpcspmodulesa.c and ngxhttpcspcommon.h instead of ngxhttpcspmodule.c. I just want to note here that this entire paragraph suggests Blue Iris is a piece of software which should not be exposed to the public internet. The configuration of stunnel is in /etc/stunnel/nf (assuming this is the same for Red Hat and Debian). Click it to indicate that you can access the private key. As shown in the animated screenshot below, a check box replaces the Download Key Pair button. Blue Iris has a web interface that was not designed to work with HTTPS; it just runs an insecure web server and it suggests you use software called stunnel, which is a huge pain. Type a name in the Key pair name field, such as NGINXkey.

This tutorial involves disabling some of Blue Iris’s security features. My own configuration file includes the lines: Debugging stuff (may be useful for troubleshooting) debug 6 output stunnel.log log overwrite (I remember when I first started using Stunnel I didn't specify the 'overwrite' parameter, so stunnel.log soon grew to thousands of lines in length.)
