I’d skip Active Directory but the rest seems reasonable.

Doing it all through infra as code and using ci/cd tend to be the most “devopsy” things.

I’ve never understood the point of postman. I usually just use curl

This is the way to go. Do a simple website that says “hello world” then add all the other infrastructure around it until it’s a real webpage accessible on the Internet. Only then should you move onto something complex like mbin. Don’t skip the basics

Works fine in Firefox on Android

Haven’t found one that’s as good yet personally…

I had it working on a 5700xt a couple years ago

I’ve never heard it called anything but mTLS. :shrug:

Docker is fine for turnkey applications. Mounting external storage that persists across containers is a feature that enables that pattern.

Running Docker in a VM is also fine and has potential advantages. However I agree that it’s probably overly complex for many people.

I’m confused what you’re trying to accomplish here. Are you trying to make it look like the traffic is coming from your VPS for some reason? Nginx (amongst others) can reverse proxy tcp traffic.

This is basically “the first hit is free”

deleted by creator

Yeah you can still do a lot of damage in a few hours, but 45 days is a meaningful reduction in exposure time from year+

That’s a complaint about those phones not PKI in general then. Though it’s surprising their enterprise support won’t let you since that is (or was) a fairly common thing for businesses to do.

Isn’t this just CRL in reverse? And CRL sucks or we wouldn’t be having this discussion. Part of the point of cryptographically signing a cert is so you don’t have to do this if you trust the issuer.

Cryptography already makes it infeasible for a malicious actor to create a fake cert. The much more common attack vector is having a legitimate cert’s private key compromised.

Browsers are only a (large) fraction of SSL traffic.

I thought it was fine with him?

The term to look for is out of band management. Typically this will provide serial/console access to a device, and can often perform actions like power cycling. A lot of server hardware has this built in (eg idrac for Dell, IPMI generically). Some users will have a separate oobm network for remotely accessing/managing everything else.

Explicitly binding certain ports to the container has a similar effect, no?

It amazes me that so many people obsessed about self hosting everything use this service - really asking for it.

I didn’t say you were, I said you were asking about a topic that enters that area.

You’re entering the realm of enterprise AI horizontal scaling which is $$$$