Is it a good idea to host my website with #OpenBSD #httpd without a domain name, just an IP address? I do not need a domain for the sake of better remembering, but there are maybe other reasons to use a domain... I suppose there would be a problem with TLS and maybe HTTPS. I'd like to use HTTPS, but when the site is just static, HTTPS may not be required.
napierge (napierge@mastodon.bsd.cafe)'s status on Sunday, 24-Nov-2024 16:31:21 JST napierge -
Solène :flan_hacker: (solene@bsd.network)'s status on Sunday, 24-Nov-2024 16:31:11 JST Solène :flan_hacker: @napierge @kasperd you could use a self-signed certificate with the IP address only. People will have a warning and need to manually trust the certificate.
This is called TOFU (trust on first use). If you don't change the certificate for years, people who accepted it once will be fine.
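
The trust-on-first-use check described in the post above, as an added example that is not part of the original thread. The in-memory pin store, the function names and the sample certificate bytes are assumptions made for illustration; `192.0.2.10` is a documentation address.

```python
import hashlib
import hmac
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def tofu_check(pins: dict, endpoint: str, der_cert: bytes) -> str:
    """Compare a presented certificate with the pin stored for endpoint.

    Returns "first-use" (pin recorded), "match" or "mismatch".
    A mismatch never overwrites the stored pin: replacing it must be a
    deliberate decision, ideally after checking the fingerprint out of band.
    """
    seen = fingerprint(der_cert)
    known = pins.get(endpoint)
    if known is None:
        pins[endpoint] = seen  # the only moment the certificate is trusted blindly
        return "first-use"
    return "match" if hmac.compare_digest(known, seen) else "mismatch"

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without CA validation (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

# Constructed stand-ins for DER certificates (not real certificates).
CERT_ORIGINAL = b"constructed-der-bytes-original-self-signed-cert"
CERT_REPLACED = b"constructed-der-bytes-different-cert"

def demo() -> list:
    """Walk one endpoint through first use, reuse, and a changed certificate."""
    pins = {}
    endpoint = "192.0.2.10:443"  # assumed address, RFC 5737 documentation range
    return [
        tofu_check(pins, endpoint, CERT_ORIGINAL),  # first visit: pin stored
        tofu_check(pins, endpoint, CERT_ORIGINAL),  # same certificate later
        tofu_check(pins, endpoint, CERT_REPLACED),  # certificate changed
        tofu_check(pins, endpoint, CERT_ORIGINAL),  # original pin still in place
    ]

if __name__ == "__main__":
    print(demo())
```

A "mismatch" is what a returning visitor hits when the self-signed certificate is regenerated, and it is indistinguishable from an interception attempt unless the new fingerprint is published through another channel.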
-
napierge (napierge@mastodon.bsd.cafe)'s status on Sunday, 24-Nov-2024 16:31:18 JST napierge @kasperd nice explanation, thank you
-
kasperd (kasperd@westergaard.social)'s status on Sunday, 24-Nov-2024 16:31:19 JST kasperd There are many reasons why you should use a domain name.
TLS is one problem as you already point out. Even for a static site there are reasons to use TLS.
- TLS is not only about protecting the confidentiality but also about protecting the authenticity. Examples have been reported of lack of TLS being used to inject ads. And it could potentially be used to inject malware into static sites.
- Even if the content of the site is public users might not want every network they traverse to know exactly which pages they are viewing.
- Even a static site can have areas which require a link to access. (This might not apply in your particular case.)
There are reasons besides TLS to use a domain name.
At some point the IP address may need to change. That will be a lot easier to manage if you are using a domain name and just need to update a DNS record. Otherwise you will have to track down every link to the IP and update them. Some of those may exist in users' bookmarks, which will be difficult for you to update.
Using a domain name with DNS means you can add redundancy as needed. If there are multiple DNS records pointing to different IP addresses, a browser will try them in turn. You can't get that kind of redundancy with a hardcoded IP address.
Even if the site has no redundancy it will not be sufficient for you to remember one IP address. You will need to remember both the IPv4 address and the IPv6 address.
Don't assume you can avoid that problem by only using IPv4. By now 45% of internet users have IPv6 and some of those don't have IPv4 anymore. There are workarounds for accessing legacy sites from an IPv6 connection, but some of those workarounds only work for sites with a domain name.
-
Solène :flan_hacker: (solene@bsd.network)'s status on Monday, 25-Nov-2024 17:42:13 JST Solène :flan_hacker: @napierge @kasperd not really, doing a CA would only be useful if you had other people/computers using that CA, this is unrealistic in the case of a public website open to anyone
you can just self-sign a certificate using an openssl command like this:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname" (command from https://stackoverflow.com/a/10176685 )
-
napierge (napierge@mastodon.bsd.cafe)'s status on Monday, 25-Nov-2024 17:42:14 JST napierge @solene @kasperd if I understand well, to create a self-signed certificate I first have to create my own CA with LibreSSL, then create a certificate request for my server on the same local as I create the CA, and finally sign the CSR for my server with my CA, as this article describes: https://dev.to/techschoolguru/how-to-create-sign-ssl-tls-certificates-2aai
So to create a self-signed certificate I always have to go through these three steps? And the IP will be mentioned in the CSR as subjectAltName=