This is the way to go. Do a simple website that says “hello world” then add all the other infrastructure around it until it’s a real webpage accessible on the Internet. Only then should you move onto something complex like mbin. Don’t skip the basics

Works fine in Firefox on Android

Haven’t found one that’s as good yet personally…

I had it working on a 5700xt a couple years ago

I’ve never heard it called anything but mTLS. :shrug:

Docker is fine for turnkey applications. Mounting external storage that persists across containers is a feature that enables that pattern.

Running Docker in a VM is also fine and has potential advantages. However I agree that it’s probably overly complex for many people.

I’m confused what you’re trying to accomplish here. Are you trying to make it look like the traffic is coming from your VPS for some reason? Nginx (amongst others) can reverse proxy tcp traffic.

This is basically “the first hit is free”

Yeah you can still do a lot of damage in a few hours, but 45 days is a meaningful reduction in exposure time from year+

That’s a complaint about those phones not PKI in general then. Though it’s surprising their enterprise support won’t let you since that is (or was) a fairly common thing for businesses to do.

Isn’t this just CRL in reverse? And CRL sucks or we wouldn’t be having this discussion. Part of the point of cryptographically signing a cert is so you don’t have to do this if you trust the issuer.

Cryptography already makes it infeasible for a malicious actor to create a fake cert. The much more common attack vector is having a legitimate cert’s private key compromised.

Browsers are only a (large) fraction of SSL traffic.

The term to look for is out of band management. Typically this will provide serial/console access to a device, and can often perform actions like power cycling. A lot of server hardware has this built in (eg idrac for Dell, IPMI generically). Some users will have a separate oobm network for remotely accessing/managing everything else.

Explicitly binding certain ports to the container has a similar effect, no?

It amazes me that so many people obsessed about self hosting everything use this service - really asking for it.

I didn’t say you were, I said you were asking about a topic that enters that area.

You’re entering the realm of enterprise AI horizontal scaling which is $$$$

I thought I had a lot of RAM with 64

Import it into the trust store in the browser/OS. It should be the same (or very similar) operation for a self-signed cert and a CA that isn’t subordinate to the standard internet root CAs.

If you can’t import your own root CA cert then you’re probably screwed on both fronts and are going to have to use certs issued by a public CA that’s subordinate to a commonly trusted root CA.

My point here is that there’s little distinguishing a self-signed cert and a cert issued by your own private CA for most people that are self-hosting.