I had it working on a 5700xt a couple years ago

I’ve never heard it called anything but mTLS. :shrug:

Docker is fine for turnkey applications. Mounting external storage that persists across containers is a feature that enables that pattern.

Running Docker in a VM is also fine and has potential advantages. However I agree that it’s probably overly complex for many people.

I’m confused what you’re trying to accomplish here. Are you trying to make it look like the traffic is coming from your VPS for some reason? Nginx (amongst others) can reverse proxy tcp traffic.

This is basically “the first hit is free”

deleted by creator

Yeah you can still do a lot of damage in a few hours, but 45 days is a meaningful reduction in exposure time from year+

That’s a complaint about those phones not PKI in general then. Though it’s surprising their enterprise support won’t let you since that is (or was) a fairly common thing for businesses to do.

Isn’t this just CRL in reverse? And CRL sucks or we wouldn’t be having this discussion. Part of the point of cryptographically signing a cert is so you don’t have to do this if you trust the issuer.

Cryptography already makes it infeasible for a malicious actor to create a fake cert. The much more common attack vector is having a legitimate cert’s private key compromised.

Browsers are only a (large) fraction of SSL traffic.

I thought it was fine with him?

The term to look for is out of band management. Typically this will provide serial/console access to a device, and can often perform actions like power cycling. A lot of server hardware has this built in (eg idrac for Dell, IPMI generically). Some users will have a separate oobm network for remotely accessing/managing everything else.

Explicitly binding certain ports to the container has a similar effect, no?

It amazes me that so many people obsessed about self hosting everything use this service - really asking for it.

I didn’t say you were, I said you were asking about a topic that enters that area.

You’re entering the realm of enterprise AI horizontal scaling which is $$$$

deleted by creator

MFW I trained for years to be the best athlete I can be

MFW my role is to just sit on the ground

I thought I had a lot of RAM with 64

Import it into the trust store in the browser/OS. It should be the same (or very similar) operation for a self-signed cert and a CA that isn’t subordinate to the standard internet root CAs.

If you can’t import your own root CA cert then you’re probably screwed on both fronts and are going to have to use certs issued by a public CA that’s subordinate to a commonly trusted root CA.

My point here is that there’s little distinguishing a self-signed cert and a cert issued by your own private CA for most people that are self-hosting.

Trust the self signed cert. Works similarly to trusting a CA.