Using User Certificates for Hardening

Maybe I’m showing my lack of knowledge, but if I understand correctly a reverse proxy like Caddy/Nginx/HAProxy can be set up to require a connecting client to have a user certificate before it will initiate a TCP connection.

It seems like this would be a very good way for home users to harden self-hosted services. You install certs for yourself/family and it cuts off all the brute-force attacks and possible unpatched vulnerabilities in the self-hosted apps. I would think that it would also get rid of a lot of probing as well, since the connection would drop without a valid user certificate.

Especially if you have pfSense as your gateway router, this looks like it’s almost an out-of-the-box solution.

Am I missing something? Is there something difficult about setting this up?

You probably want mutual TLS (mTLS). It doesn’t quite work the way you described in that the connection is dropped silently if the client doesn’t have a valid certificate because there is still a TLS handshake taking place.

https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/

I haven’t yet set this up myself, though.


I don’t think you have it quite right. A reverse proxy is good when you need to route traffic and act as an SSL offload for HTTP services. The certificate portion is done in 2 different ways.

  1. You create a CA and you have self-signed certificates you use on your reverse proxy; in this method you would have to install the CA in the trusted root of each machine so the self-signed certificate sites don’t show security errors like you are describing.

  2. You set up Let's Encrypt so you can serve certificates from an already trusted CA that is already known to the device, in which case you do not need to install a CA certificate on each machine.

The issue with the way you are describing it is that it doesn’t matter if method 1 is used. If this site is publicly accessible, then the only thing that will happen when the end user tries to access the site is that they are told the certificate was self-signed, and they can still access the site if they accept that the cert should not be trusted. This will not get rid of probing or brute force, or save you from vulnerabilities. This also applies to method 2.

Thanks @paolo - That is exactly what I was talking about. I didn’t know the correct name, so that really helps. I’m wondering if anyone here has set this up (especially with HAProxy on the server side and Android on the client side). (I believe this should provide a lot of the benefit of a VPN without the battery drain necessary to maintain a VPN connection.)

The article you recommended confirms that my thinking is correct, now I need to make sure that I get the implementation right.
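To make the HAProxy-plus-Android setup asked about above concrete, here is an added example (not from anyone in this thread): a small POSIX shell script that mints a private client CA, issues a client certificate with the clientAuth EKU, bundles it as PKCS#12 for import on a phone, checks that a cert from a foreign CA is rejected, and writes the HAProxy frontend stanza that demands a client cert. The directory layout, names (`home-ca`, `alice-phone`), the `/etc/haproxy/certs/` paths and the `changeit` export password are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is installed.
set -eu

# make_client_ca DIR NAME : self-signed CA used only to sign client certificates.
# Keep this CA separate from whatever issues your server cert (e.g. Let's Encrypt).
make_client_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# issue_client_cert DIR CA_NAME USER : key + cert signed by CA, usable only for client auth.
issue_client_cert() {
    dir=$1; ca=$2; user=$3
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" \
        -subj "/CN=$user" >/dev/null 2>&1
    # Restrict the cert to clientAuth so it can never be used to impersonate a server.
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/$user.ext"
    openssl x509 -req -days 365 -in "$dir/$user.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -extfile "$dir/$user.ext" -out "$dir/$user.crt" >/dev/null 2>&1
    # PKCS#12 is what Android's certificate installer accepts for user certs.
    # (On OpenSSL 3, very old Android versions may need the -legacy flag here.)
    openssl pkcs12 -export -in "$dir/$user.crt" -inkey "$dir/$user.key" \
        -certfile "$dir/$ca.crt" -name "$user" \
        -passout pass:changeit -out "$dir/$user.p12"
}

# cert_accepted_by DIR CA_NAME USER : exit 0 iff USER's cert chains to that CA.
# This is the same chain check HAProxy performs during the handshake with "verify required".
cert_accepted_by() {
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

# write_haproxy_frontend DIR : HAProxy stanza that refuses clients without a valid cert.
write_haproxy_frontend() {
    cat > "$1/haproxy-mtls.cfg" <<'EOF'
frontend https_in
    mode http
    # site.pem: public server cert+key (e.g. Let's Encrypt). client-ca.crt: the private CA above.
    # "verify required" fails the TLS handshake for any client lacking a cert signed by that CA,
    # so unauthenticated probes never reach the backend application.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-ca.crt verify required
    # Defence in depth: also useful if you later relax to "verify optional" and want a plain 403.
    acl cert_valid ssl_c_verify 0
    http-request deny deny_status 403 if !cert_valid
    # Pass the cert's CN upstream so the app can log which family member connected.
    http-request set-header X-Client-CN %[ssl_c_s_dn(cn)]
    default_backend app

backend app
    server app1 127.0.0.1:8080
EOF
}

# Stand-alone run: sh mtls-setup.sh demo
if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    make_client_ca "$out" home-ca
    issue_client_cert "$out" home-ca alice-phone
    write_haproxy_frontend "$out"
    cert_accepted_by "$out" home-ca alice-phone && echo "alice-phone.crt chains to home-ca"
    echo "Import $out/alice-phone.p12 on the phone; copy home-ca.crt to the proxy as client-ca.crt"
    echo "HAProxy stanza written to $out/haproxy-mtls.cfg"
fi
```

Only the CA certificate (`home-ca.crt`) goes on the proxy; the CA key stays offline, since anyone holding it can mint a cert that passes the handshake. Revoking a lost phone's cert is done by adding `crl-file` to the same `bind` line or, more simply for a household, by reissuing the CA and the remaining client certs.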

Thanks for the reply @xMAXIMUSx - If you are interested, you might want to look at the link recommended by @paolo :

https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/

This is exactly what I was referring to. Client certificates are not the norm, but for people who self-host small projects they provide a type of 2FA without the inconvenience. It should get rid of all the automated attacks. If the site is a high value target, or the owner is being personally targeted, then the attacker has to steal the cert from a trusted device. I’m not sure how difficult that is, but I’m pretty sure it is going to take someone who knows their craft well to spend time/energy doing it.

I see. Yeah, I thought you were talking about normal TLS. This is something I haven’t heard of. I will be looking into this 🙂