Can I set up Public-Key-Pins when I set up a cron job to renew the Let's Encrypt certificate every 30 days?
If the certificate is renewed, then the Public-Key-Pin is also renewed, right?
I run a server with two external IPv4 addresses. IP-address A (IP-A) and IP-address B (IP-B).
I would like to access IP-A over HTTPS port 443 and SSH port 22 only. IP-B shouldn't listen to any incoming traffic.
Then I'd like the server to use IP-B only for all outgoing traffic. Or at least to tell the server to use IP-B for outgoing traffic only for specific commands.
1: I connect to the server over IP-A and call `ping example.com`
2: The server executes it and sends the ping requests outgoing from IP-B to example.com.
3: I can read the output of the command on my connection with IP-A
Because the management console I'll be using is on IP-A. I want IP-A not to be directly related to IP-B (at least for the outside world). Instead I want example.com to see "I got a ping request from IP-B." And when someone connects to IP-B, that IP address is not listening to anything. While IP-A is nowhere in their logs.
Ultimately I'd like to add even more addresses and be able to tell IP-A:
Any thoughts on how to configure the above scenario? I'm currently using Ubuntu but I'm open to suggestions for other Linux distributions.
I have the following situation: I'm developing an API. I rewrite all traffic to one PHP script named `route.php`, using `mod_rewrite`, like:

```apache
RewriteEngine On
# Requests that match an existing file or directory are rewritten to route.php
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.* route.php [L]
```

Other files should not be accessible; that's why I am using a whitelist for accessing `route.php` only. Therefore I use this:

```apache
# Deny by default; allow access to route.php only
order allow,deny
<FilesMatch "route\.php">
allow from all
</FilesMatch>
```

I would like to send all 1xx, 2xx (except 200), 4xx, and if possible 5xx HTTP status codes to a PHP script (let's say `error.php?code=404`) that shows the dynamic error page for that status code. In this case I probably have to allow access to `error.php` also in the `FilesMatch` part.
I found partly what I want, described in this article, but I can't implement or manage to get it working the way I described above.
My purpose is for the `error.php` to show a JSON output (dynamically based on the status code) like `{'statusCode':'404','status':'Not Found'}` including all common (security) HTTP headers I use.
I'm considering setting up Two Factor Authentication on my SSH accounts (OpenSSH, Ubuntu). I was looking into Authy-SSH but I'm wondering what the possible disadvantages are?
Also, can I lock myself out when the server gets its time out of sync or when I lose my phone?
Firstly, I'm wondering what is the best way to isolate Apache's vhosts from each other. I suppose this has something to do with the Linux filesystem as well, since it's not a good practice to have folders (and files) like `/var/www/site1.com/public_html` and `/var/www/site2.com/public_html` under the same Linux user/group.
I found this similar post: Isolating Apache virtualhosts from the rest of the system but noticed this is about isolating the vhosts from the system. A good practice but not what I meant.
I don't want any possible way that `site1.com` can access files of `site2.com` and if possible also nothing unnecessary from the filesystem other than its own directory and subdirectories.
Secondly, what is the influence of chmod on the user rights? Let's say both sites run in their own user and user group. But `site1.com` has one file or directory with the chmod rights 777. Will `site2.com` be able to use that file/directory?