Author: Keith Tysinger

Everything you need to know about VPN services but were too afraid to Ask

Posted on | by Keith Tysinger | Leave a Comment on Everything you need to know about VPN services but were too afraid to Ask

VPN services offer a sense of security while being online, but are they worth the hassle and cost? My answer is yes! I find that my VPN is indispensable, especially living and traveling in other countries. For example, I can’t log in to my banking apps from the Philippines, and occasionally the bank even blocks my VPN connection (more about that later). Furthermore, I’m often getting blocked from my own servers because I may type in an incorrect password too many times. With a VPN I can change IP addresses in a second, and boom! I’m back in.

Let’s first make a distinction between proxies and VPNs. The chief difference between a proxy and a VPN is that proxies do not necessarily have encryption. Meanwhile, one expects robust encryption from a VPN provider. The way VPNs work is by encrypting your Internet connection before it leaves your computer. Your internet connection can then pass through your ISP and all sorts of Internet routers with strong encryption. Your data connection will end at a data center, where the VPN provider will decrypt your internet connection and send it back out to the original target.

The VPN data center can be anywhere in the world. Your IP address is swapped with one from the data center (the outgoing connection), so it seems you’re in the state or country of the new IP address. This feature allows you to, for example, “unblock” American Netflix from anywhere in the world.

There are many VPN companies competing for your business. Over and over, you will hear NordVPN is the best. I use it myself and can recommend their service with confidence. I am using their service with a residential IP address in the USA. Now, no company — not Netflix or my bank — can know that I am using a VPN. This is a very cool feature that NordVPN offers. Ultimately, VPNs serve no purpose if the service you are attempting to access blocks you. The big companies (like Netflix & HBO) have the big data center IPs blacklisted. A few companies can get you through without detection. NordVPN is one of the best, with or without the residential IP add-on.

Unblocking isn’t the best feature of VPNs. Privacy is the best part. Have you ever had your credit card number stolen? It literally happened to me three nights ago. That’s why I’m determined to always keep my VPN on. Some of the networks here and popular service apps may not be secure. Anywhere that offers free WiFi, including hotels, is another huge problem. A new trend at hotels is passwordless WiFi, which is unencrypted. A VPN is the best protection from your credit card numbers and other personal information being intercepted.

Finally, I’m not here to sell VPN services. Oh, who am I kidding? If you require a private VPN server, please feel free to send me an email. However, there is a safe and free option that most people are not aware of. Cloudflare offers a fantastic 1111 app that upgrades your DNS and data connections. They use the Wireguard protocol, so this is a legitimate free VPN service; however, you can’t change or choose your location like you can with a major VPN provider. The 1111 app is great for emergencies, like when you find yourself at a public WiFi spot with no data plan.

Lastly, if you want to stay safe on the Internet, never use a “free” VPN app. The reason is simple: no VPN company can offer free VPN services. Ad revenue isn’t nearly enough to support any kind of legitimate VPN service because running a VPN is an expensive endeavor. Many of the “free” VPN apps are known to only be scamware/malware. Good protection isn’t free, but you will find NordVPN to be an excellent value.

There are many topics I didn’t get to cover, like jurisdiction and the evolving politics surrounding VPNs and privacy in general. I fear what could happen if my technical writing crosses over into the political sphere.

Troubleshooting Http/3 and QUIC Problems: A Checklist

Posted on | by Keith Tysinger | Leave a Comment on Troubleshooting Http/3 and QUIC Problems: A Checklist

First, you can verify whether HTTP/3 is working on your website by using these sites: Http3check or Http3checker.

You need five things to make HTTP/3 work. While my examples primarily focus on Nginx, they can aid you in troubleshooting any web server.

1) A web server that supports HTTP/3 (Nginx since version 1.25.0).

Check the Nginx version and double-check to make sure it was compiled with the HTTP/3 module.

ShellScript
#Verify the version is >= 1.25
nginx -v

#Next check if the http_v3_module was compiled 
nginx -V 2>&1 | grep --color http_v3_module

2) Make sure your web server is configured for HTTP/3.

For Nginx, you must enable HTTP/3 in the Vhost file

ShellScript
server {
  listen 80;
  listen [::]:80;
  listen 443 quic;
  listen 443 ssl;
  listen [::]:443 quic;
  listen [::]:443 ssl;
  http2 on;
  http3 off;
  ssl_protocols TLSv1.3;
  {{ssl_certificate_key}}
  {{ssl_certificate}}
  ...

change http3 to on

You will also need an Http header to advertise your server’s support for http/3

ShellScript
add_header Alt-Svc 'h3=":443"; ma=2592000';

This will go in your Vhost file, as above. For Nginx, it will either go in the Server block or the Location block if you are running a reverse proxy. You need to verify that this header is there, or you have to add it yourself.

3) You will need a domain name and a valid, not self-signed, SSL certificate

4) You will need to use TLS 1.3. It’s sometimes a good idea to force TLS 1.3 as in the first example, adding ssl_protocols TLSv1.3. This is very appropriate, especially if only your own clients will be connecting to the instance, as opposed to a general website.

4) In your firewall, you need to open both TCP and UDP protocols for port 443

HTTP/3 uses UDP, unlike the previous versions of HTTP, which only used TCP. You will need to open TCP and UDP.

5) A modern web browser that supports Http/3 which is nearly all of them.

Also, TLS 1.3 has been available since 1998. I do not even try to support older hardware. Requiring TLS 1.3 enhances security at the expense of a few older clients. If you do not explicitly require TLS 1.3, the client can then downgrade to HTTP/2 or HTTP/0.9, which may allow hackers to take advantage of the vulnerabilities in these older protocols.

I hope my checklist was helpful!

CloudPanel Masters Reverse Proxies so you don’t have to

Posted on | by Keith Tysinger | Leave a Comment on CloudPanel Masters Reverse Proxies so you don’t have to

If you’ve ever experienced frustration when attempting to configure a reverse proxy, CloudPanel will simplify your life. CloudPanel is a free, no-frills hosting panel that is surprisingly robust and satisfying to use. It uses the Nginx server, ready for HTTP/3.

The self-hosting movement is in full swing, and CloudPanel is a perfect remedy for those of us who prefer a GUI hosting panel rather than using only the CLI. It excels at reverse proxies, even if—especially if—your project is Dockerized.

The best thing about CloudPanel is its built-in reverse proxy feature. CloudPanel will even add an SSL (Let’s Encrypt) certificate automatically, or you may import your own cert.

CloudPanel is so easy, in fact, I’m only going to post a few screenshots to explain everything you need to know.

You are halfway there!

Finished!

One final thing, you may want to turn on HTTP/3. Check out my blog post on how to use HTTP/3 in CloudPanel and Nginx.

Immich with OpenLiteSpeed as a reverse proxy

Posted on | by Keith Tysinger | Leave a Comment on Immich with OpenLiteSpeed as a reverse proxy

So, you have installed Immich and are now realizing that it needs a reverse proxy or another method to add some security to your instance. OpenLiteSpeed to the rescue! This tutorial will help you configure OpenLiteSpeed (OLS) with your Immich app.

Immich is a fantastic Google Photos alternative if you are willing to self-host. While LightSpeed is “drop-in replacement for Apache,” OLS is not. OLS is from Mars; Apache is from Venus.

You may be wondering, if OLS is so quirky, then why use it at all? The answer is simple: speed, plus the fact that it is free. OLS supports HTTP/3, which will speed up our Immich instance immensely. For the record, Nginx also supports HTTP/3. Apache reportedly has an HTTP/3 module in development, but I can’t find the beta version anywhere at the time of writing.

Another reason to use OLS is because CyberPanel, a companion web hosting panel, is free (with frustrating adverts). It’s excellent for hosting a few websites free of charge. Not only will you get the speed of HTTP/3, but also a free SSL certificate, which is required for HTTP/3.

To make things a bit easier, you can create your website’s config files (vhost) using your hosting panel and install the corresponding SSL certificate using your (sub)domain. This way, we don’t have to create the website’s vhost configuration file from scratch.

We have two methods to configure OLS: the OLS admin control panel or by editing the config files directly. OLS has a dedicated admin panel, which you will find hidden on port 7080, i.e., https://myserver.mydomain.com:7080. The username should be admin. If you have forgotten your password, SSH into your server and issue

OLS forgotten password

ShellSession
/usr/local/lsws/admin/misc/admpass.sh

 

After you log in, click on Virtual Hosts. If you are starting from scratch, click on the + sign to create a new vhost. Otherwise, find and click on the website that you have already created for your Immich app.

Under the Basic tab, select NO to Enable Scripts/ExtApps, and then select YES to Restrained.

Next, select External App and select Web Server

Add 127.0.0.1:2283 for the web server address and provide your web server a name. You can use the information listed below. Click save.

Click on Context, then create a new Proxy —click on Next

Enter / for the URL,

Upgrade: $http_upgrade
Connection: upgrade

For the Header operations. Click save.

Click on Listeners, then add your virtual host to each listener type.

Our Immich virtual host would need to be added to all three listener types in the above example.

Finally, you need to restart the OpenLiteSpeed server. Look for the big green button at the top and restart OLS. That’s it!

Another word about listeners. If you’re a keen observer, you’ve likely noticed that my configuration lacks the IPV6 listener for the default port. If your system doesn’t have IPV6, then you probably only have two listeners. If you are using IPV6, you should generally have 4 listeners. Even your mail servers need IPV6. We can see here that CyberPanel seemed to forget my IPV6 for the default port. Is it a bug or a feature? I had to add this manually.

Here is the final vhost config for OLS. I assume that you can simply use this config instead of going through all of the above steps with the OLS admin panel… but I don’t know for sure. Please let me know in the comments what you think!

ShellSession
docRoot                   $VH_ROOT/public_html
vhDomain                  $VH_NAME
vhAliases                 www.$VH_NAME
adminEmails               redacted@yourmomma.com
enableGzip                1
enableIpGeo               1

errorlog $VH_ROOT/logs/$VH_NAME.error_log {
  useServer               0
  logLevel                WARN
  rollingSize             10M
}

accesslog $VH_ROOT/logs/$VH_NAME.access_log {
  useServer               0
  logFormat               "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i""
  logHeaders              5
  rollingSize             10M
  keepDays                10
  compressArchive         1
}

index  {
  useServer               0
  indexFiles              index.php, index.html
}

extprocessor immich {
  type                    proxy
  address                 127.0.0.1:2283
  maxConns                500
  initTimeout             600
  retryTimeout            0
  respBuffer              0
}

context / {
  type                    proxy
  handler                 immich
  extraHeaders            <<<END_extraHeaders
Upgrade: $http_upgrade
Connection: upgrade
  END_extraHeaders


  addDefaultCharset       off
}

context /.well-known/acme-challenge {
  location                /usr/local/lsws/Example/html/.well-known/acme-challenge
  allowBrowse             1

  rewrite  {
    enable                0
  }
  addDefaultCharset       off
}

rewrite  {
  enable                  1
  autoLoadHtaccess        1
}

vhssl  {
  keyFile                 /etc/letsencrypt/live/redacted                /etc/letsencrypt/live/redacted/fullchain.pem
  certChain               1
  enableECDHE             1
  renegProtection         1
  sslSessionCache         1
  enableSpdy              15
  enableStapling          1
  ocspRespMaxAge          86400
}

websocket / {
  address                 127.0.0.1:2283
}

module cache {
storagePath /usr/local/lsws/cachedata/$VH_NAME
}

Final Thoughts

This is a lot of work for a simple reverse proxy. CloudPanel has a built-in reverse proxy, and so does AApanel, my favorite open-source hosting panel. For the record, I have given up on CyberPanel. The project appears to be all but abandoned, and there are too many adverts on the admin panel to make it usable or any bit enjoyable.