X-Git-Url: https://git.ralfj.de/web.git/blobdiff_plain/d777f5f44c0895418a5f30d462388c21d6d1f4f5..e806a32d3aa3ce53166c46b8eab5d77a9655c251:/ralf/_posts/2018-05-28-cloudless-contact-sync.md?ds=sidebyside diff --git a/ralf/_posts/2018-05-28-cloudless-contact-sync.md b/ralf/_posts/2018-05-28-cloudless-contact-sync.md index 9b3e190..9c2b717 100644 --- a/ralf/_posts/2018-05-28-cloudless-contact-sync.md +++ b/ralf/_posts/2018-05-28-cloudless-contact-sync.md @@ -50,10 +50,10 @@ table nat { ``` The plain iptables equivalent is ``` --A PREROUTING -d $IP/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination $IP:8053 --A PREROUTING -d $IP/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination $IP:44353 --A OUTPUT -d $IP/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination $IP:8053 --A OUTPUT -d $IP/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination $IP:44353 +-A PREROUTING -d $IP -p tcp -m tcp --dport 80 -j DNAT --to-destination $IP:8053 +-A PREROUTING -d $IP -p tcp -m tcp --dport 443 -j DNAT --to-destination $IP:44353 +-A OUTPUT -d $IP -p tcp -m tcp --dport 80 -j DNAT --to-destination $IP:8053 +-A OUTPUT -d $IP -p tcp -m tcp --dport 443 -j DNAT --to-destination $IP:44353 ``` Next, we have to configure the SSH daemon to permit reverse port forwarding to be configured by the client. 
@@ -124,7 +124,7 @@ All we still need to do is set up some crypto. We are going to obtain an SSL certificate for `$HOST` *for your laptop*, and use that to secure the connection to `https://$HOST`. Because only the laptop has the key to this certificate, the server at `$IP` cannot actually decipher the connection, it just forwards the encrypted bytes to the laptop where they are decrypted. The easiest way to obtain such a certificate is using [Let's Encrypt](https://letsencrypt.org/). -I am using my own [Let's Encrypt Tiny]({{ site.baseurl }}{% post_url 2017-12-26-lets-encrypt %}) for this purpose, but you can use any other Let's Encrypt client as well. +I am using my own [Let's Encrypt Tiny]({% post_url 2017-12-26-lets-encrypt %}) for this purpose, but you can use any other Let's Encrypt client as well. Since `$HOST:80` legitimately *is* your laptop at this point, the laptop should be able to obtain a certificate just fine. If you are using Radicale like me, just putting Radicale on port 80 is not going to work though as that provides no way to serve the ACME challenge file needed for Let's Encrypt.
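Review bot: In the first hunk (the four `-A PREROUTING` / `-A OUTPUT` DNAT lines), dropping the `/32` suffix from `-d $IP/32` is a pure cosmetic change, since iptables treats a bare address in `-d` as a single-host match, so behaviour is identical; it would help to say so in the commit or post text, because readers comparing their own `iptables-save` output (which prints `/32` on some versions) may otherwise think the rules differ. The lines still depend on `$IP` being substituted before being fed to `iptables-restore`, which does not expand variables, so a one-line remark that this is a placeholder would avoid a copy-paste failure.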
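Review bot: In the second hunk, removing `{{ site.baseurl }}` before `{% post_url ... %}` is only correct if the site is built with a Jekyll version whose `post_url` tag already returns a `relative_url` (Jekyll 4 does; Jekyll 3 returns the bare post path), otherwise the link to the Let's Encrypt Tiny post breaks on a site with a non-empty `baseurl`. Suggest stating the Jekyll version this targets, or making the same change consistently across all posts so a mismatch is caught once rather than per page.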