BeyondCorp @ Home: OpenID Connect Provider with Dex

In a previous post I showed you how to setup Keycloak to provide you with OpenID Connect and SAML capabilities. The problem with Keycloak is is that’s it’s a pretty big beast, whereas most of the time we don’t need all the functionality. It’s also tricky to run in a highly available fashion and is annoyingly slow to start up. In this post we’ll drop Keycloak in favour of Dex, a small OpenID Connect Provider that supports a number of backends including LDAP.

Read More

BeyondCorp @ Home: Authentication and authorization proxy with OpenResty

In a previous post I showed you how to set up Gatekeeper as a proxy to enfroce authorization on requests. The problem with Gatekeeper is that it required a lot of additional configuration, an additional proxy hop and is a separate component. What this post will do instead is use the OpenResty build of nginx with the OIDC plugin to avoid all of that. This brings the complexity back down to just running nginx with it acting as a Relaying Party to do authenticaiton and provide authorization information to backends.

Read More

Arch Linux and the HP Envy x360

Update 2019-06-09: Performing BIOS updates I recently decided to get myself a new laptop. Though work provides me with one, I make a point out of never using it for personal use. It can get a bit complicated around intellectual property laws. I’m also perfectly fine with my employer enforcing certain policies on their device that I just don’t want for my personal devices. For the device itself I decided I wanted a 13" model, with an AMD Ryzen CPU and Radeon graphics.

Read More

Emulating a Philips Hue bridge

As part of my home automation I wanted to emulate a Philips Hue bridge. The reason for that is that a lot of things provide out-of-the-box integration with Philips Hue. Aside from that, there’s a ton of apps and other cool things in the Hue ecosystem I wanted to unlock. However, we use the IKEA Trådfri system at home, even though we do have a first generation Philips Hue bridge. The reason for switching to the IKEA one was:

Read More

Home Automation

I’m addicted to home automation. There. Said it. But it’s just such a tremendous amount of fun to play with. I’m pretty sure it’s the SRE in me. Why do anything by hand when you can have computers do things for you? Why turn on the lights when you get home when it can happen automatically? Turn on the lights when you enter the bathroom? Barbaric! Turn them off? I’ve git better things to do!

Read More

BeyondCorp @ Home: Authorization

NOTE: A much simpler solution is describe in BeyondCorp @ Home: Authentication and authorization proxy with OpenResty In a previous post I showed you how to set up a “Lite” version of a BeyondCorp style access layer for a home or startup environment. The reason I called it lite is because though it does do full authentication, it didn’t have separate controls for authorization. Meaning if you could authenticate you were authorized, I couldn’t specify that for certain endpoints you have to be part of a specific group or be granted a certain role before you get access.

Read More

BeyondCorp @ Home

Update 2019-10-06: If you don’t need SAML, consider swapping out Keycloak for Dex instead. You can read all about that in this follow-up post. BeyondCorp is a different approach to securing access to networked applications and services. Unlike the traditional perimeter security model, BeyondCorp dispels the notion of network segmentation as the primary mechanism for protecting sensitive resources. Instead, all applications are deployed to the public Internet, accessible through a user and device-centric authentication and authorization workflow.

Read More

Directory Services 101: Securing your LDAP server

This post is part of a series on directory services. Current available installments are: Introduction Terminology Basic concepts Designing the DIT Setting up an LDAP server Securing your LDAP server Writing and testing ACLs Now that we have a directory service up an running it’s important we talk a bit about some security aspects. The configuration that was generated sets up the LDAP server in such a way that anonymous access is not allowed.

Read More

Directory Services 101: Setting up an LDAP server

This post is part of a series on directory services. Current available installments are: Introduction Terminology Basic concepts Designing the DIT Setting up an LDAP server Securing your LDAP server Writing and testing ACLs I consider setting up a Directory Service a pretty big pain in the ass, especially OpenLDAP. Microsoft fares much better with Active Directory which is also much more easily configured for folks less familiar with directory services in general.

Read More

Directory Services 101: Writing and testing ACLs

This post is part of a series on directory services. Current available installments are: Introduction Terminology Basic concepts Designing the DIT Setting up an LDAP server Securing your LDAP server Writing and testing ACLs ACLs, access control lists, are an important aspect of running a directory service. ACLs are how you control who can access which parts of the DIT and what things they can do. You can limit certain things like which attributes one can read or write.

Read More