I've had mixed results with VPNs due to corp/hotel services blocking or shaping the traffic, so I wanted to explore an alternative.
Posts by kelvtech
-
-
Ha but I'm paranoid!
My traefik public edge uses the inbuilt Let's Encrypt functionality, so the TLS certs are verifiable and I've no need to add my offline CA into the mix. The bit I'm worried about is a brute force on the webdav password; I'll dig into sftpgo some more as I think it can detect and ban failed attempts, but I still want a 2nd-factor auth, which is what mTLS provides.
I've just implemented a basic caddy service in LE; this is working for now and needs a little more testing, but it's doing what I want.
Now, given you've had to deal with my 2nd ever GitHub pull request and how clumsy it was, I will completely understand if you don't want to bother with me any more on this.
-
Thanks again. Will raise a feature request into Kodi for this.
As a hack I was thinking of adding a small reverse proxy into LE so Kodi talks to a localhost process to request the webdav endpoint; the local proxy can then handle the mTLS negotiation. I appreciate this isn't ideal, but it's probably something within my reach to contribute in a meaningful timeline. I get it's niche, though, so probably low user demand.
Any absolute blockers to this you can think of?
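The loopback-proxy hack described in the two posts above (the caddy service on LE, and Kodi talking to a localhost process that does the mTLS handshake on its behalf), written out as an added example. This is not configuration from the thread, from LibreELEC or from the caddy project; the edge hostname `webdav.example.net`, the certificate paths under `/storage/.config/caddy/` and the local port 8080 are assumptions for illustration.

```caddyfile
# Added example, not from the forum thread. Assumed names: webdav.example.net is the
# Traefik edge that requires client certs, kodi.crt/kodi.key are a client cert issued
# by the poster's own CA, and 8080 is the local listener Kodi will use.
{
    # The admin API defaults to localhost:2019 and would let any local process
    # reconfigure this proxy (e.g. swap the upstream); it is not needed here.
    admin off
}

# Explicit http:// scheme keeps Caddy from trying to serve TLS on this listener.
# Bind to 127.0.0.1 only: anything that can reach this port borrows the client
# certificate, so it must never listen on 0.0.0.0.
http://127.0.0.1:8080 {
    reverse_proxy https://webdav.example.net {
        # Traefik routes on the Host header. Kodi sends "127.0.0.1:8080", so
        # rewrite it to the edge hostname or the router will not match.
        header_up Host {upstream_hostport}

        transport http {
            # Present the client certificate: this is the 2nd factor the edge
            # enforces. Keep kodi.key readable only by the user caddy runs as.
            tls_client_auth /storage/.config/caddy/kodi.crt /storage/.config/caddy/kodi.key

            # The edge uses a Let's Encrypt certificate, so the default
            # verification applies. Do not add tls_insecure_skip_verify here:
            # it would let anyone who can redirect traffic to a lookalike host
            # capture the WebDAV password that Kodi still sends over this hop.
        }
    }
}
```

With this in place the Kodi source is `dav://127.0.0.1:8080/` (plain WebDAV to the loopback listener; the TLS and mTLS happen between caddy and the edge), and Kodi still prompts for the sftpgo username and password, so the share ends up behind both the certificate and the password. Two quick checks from the LE box: `curl -v http://127.0.0.1:8080/` should return the edge's WebDAV response (typically a 401 asking for credentials), while `curl -v https://webdav.example.net/` with no client certificate should fail during the TLS handshake, confirming the edge really refuses connections without the cert.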
-
I've set up sftpgo, which now serves a webdav share. I have traefik configured to proxy this share and to check for client certs against my cert authority. Testing this in Win11 works fine, i.e. with a personal cert imported into the Win11 cert store I can successfully map a File Explorer drive to the webdav endpoint. Without the personal cert in the Win11 cert store the connection fails.
I was hoping to find a solution in LE/Kodi to take the same approach as the above, but I misunderstood the purpose of the SSL/TLS section of the wiki and realise that's only for getting Kodi to be happy to use self-signed TLS connections.
I'd appreciate an experienced view on whether what I'm wanting to do is possible or not.