evaluate what it takes to implement client certificates #3
Comments
Requested by Brandon @brandoncasaba

I was looking at taking this on but it looks either simple or impossible. From what I can tell changing $http.get('some url')
Unfortunately withCredentials doesn't work with client certs. @dimaj and I have had a discussion on this, but I just haven't found time to dive into it - been working on other higher priority issues @zmNinja and my new pet project, oZone. The proposed approach is this:
Hmm, doesn't choosePrivateKeyAlias do all the work for you? OK, clear enough anyway, and closer to home for me, if I can find the time.

Is there a system I can try with client certs? I have some code I want to test.

I just use Chrome these days, but this would be a quick guide to set up a test environment with Apache:
I was just looking for a way to set up zmNinja to use client certs and stumbled across this. Alternatively, I have been looking for a way to have Apache only allow whitelisted IPs, and to email me when a request comes in from something not on the whitelist, with a link that allows me to add them to the whitelist if I choose (so I can add my own cell phone whenever I need to). Client certs would be so much nicer though.
I was recently playing with port knocking. If your goal is to secure access to your ZM server from external requests, you can install something like knockd and configure it to allow access to your ZM server only after a specific sequence of port connection attempts within a specific amount of time.
When all rules are satisfied, you are granted access for a specific amount of time from *your* IP address (i.e. the address where the "knocking" came from).

Thanks, cool idea, but then I'd have to open more ports through my router and I'd still have to figure out a way to get zmNinja to do a complex knock sequence for me.
Dave Goldsmith
Electrical Engineer - Astronics AES
Data Acquisition Lead - KWH
Veteran | Helicopter Pilot | Medic
Well, you can open up a port range to get into your knockd server. Knocking is done outside of zmNinja. There are knocking apps for Android; I'm sure iOS will have something too.
Also, the cool thing about port knocking is that even though you will be passing a port range through, those ports are still closed as nothing is being served on them. Your firewall software, or knockd, is going to register that a connection attempt was made to this closed port and, if the sequence of those attempts is correct, a new firewall rule will be added to allow your IP to access the port of your choosing (which is also closed to others who have not completed the secret knock sequence).
I have ZoneMinder working through a reverse proxy (nginx) and using client certificates issued by my private CA. This works well when using a browser where I can install the client certificate, but zmNinja doesn't have an option to include a certificate for authentication. I think this gives a lot of extra security to the setup and would be very useful to have.
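For the setup described in the comment above (ZoneMinder behind an nginx reverse proxy, with clients authenticated by certificates from a private CA), this is an added example of how such a server block can be written. It is not the commenter's configuration and not part of zmNinja or ZoneMinder; the hostname, the certificate and key paths, and the upstream address 127.0.0.1:8080 are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name zm.example.org;                          # assumed hostname

    # Server certificate and key (assumed paths)
    ssl_certificate     /etc/nginx/tls/zm.example.org.crt;
    ssl_certificate_key /etc/nginx/tls/zm.example.org.key;

    # Trust anchor for client certificates: the private CA's certificate
    # (or chain). Only client certificates issued by this CA are accepted.
    ssl_client_certificate /etc/nginx/tls/private-ca.crt;
    ssl_verify_client      on;   # connections without a valid client cert fail the handshake
    ssl_verify_depth       2;    # permit one intermediate CA below the root

    # Refuse certificates the CA has revoked (assumed CRL path; keep it current)
    # ssl_crl /etc/nginx/tls/private-ca.crl;

    location / {
        # Fail closed. Redundant while ssl_verify_client is "on", but it keeps
        # this block safe if someone later relaxes it to "optional".
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass http://127.0.0.1:8080;                # assumed ZoneMinder backend
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Hand the verified subject DN to the backend for audit logging.
        # proxy_set_header replaces any header of the same name sent by the
        # client, so an outside caller cannot inject a forged DN.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}

# Plain HTTP only redirects; ZoneMinder is never served without mutual TLS.
server {
    listen 80;
    server_name zm.example.org;
    return 301 https://$host$request_uri;
}
```

After `nginx -t` and a reload, a request made with `curl --cert client.pem --key client.key https://zm.example.org/` should reach the backend, while the same request without a certificate should fail during the TLS handshake (nginx answers with its built-in 400 page for "No required SSL certificate was sent"). Because the certificate check happens in the handshake, a client such as zmNinja that cannot present a certificate from the platform key store is rejected before any ZoneMinder code runs, which is exactly the gap the issue asks to close.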