I have recently had the need to redirect a few subdomains to another domain, due to old links still being used by public individuals.

I wanted a solution that would not require running another web server, so I started looking into a few different options.

Cloudflare Page Rules

While Page Rules do want I want, they were either not flexible enough (could only target a single subdomain), and would be relatively expensive for the number I would need.

Cloudflare Workers

Cloudflare Workers are pretty cool. They allow you to run JS code at the Cloudflare edge. …


In this blog post, we will look at the first part of my ideal setup, which is to secure inbound communication via an authenticating reverse proxy (OAuth2_Proxy), and Keycloak.

This setup will use the follow technologies:

Istio

Istio is a service mesh that allows you to define and secure services in your Kubernetes cluster. …


In the first two parts of this series, we looked at setting up a production Kubernetes cluster in our labs. In part three of this series, we are going to deploy some services to our cluster such as Guacamole and Keycloak.

Step-by-step documentation and further service examples are here.

Guacamole

Guacamole is a very useful piece of software that allows you to remotely connect to your devices via RDP, SSH, or other protocols. I use it extensively to access my lab resources, even when I am at home.

You can use this Helm Chart to install Guacamole on your Kubernetes cluster. …


In the first part of the series, we looked at installing a bare bones Kubernetes cluster in some CentOS 7 VMs. In this part, we are going to look at setting up some back-end services, like a load balancer and ingress.

Some important things needed to properly run a Kubernetes cluster are a storage class or manual storage configuration via volumes, a load balancer though not strictly needed makes accessing services much easier, and an ingress.

Step-by-step documentation is here.

Setting up Helm

Helm is known as the “package manager for Kubernetes”, it is a tool that is used to template Kubernetes manifest files in a way that makes it easy to install new applications. I use Helm for all my service installation on Kubernetes due to it’s ease, and simplicity when getting started. …


When you think about Kubernetes, you probably think AWS or GCP, a nice managed service where you can easily spin up resources and build applications on top of them. This is great, and honestly the best way to experience Kubernetes. However, if all you need is a lab to mess around in and experiment, or learn new things in, this can be very cost inefficient. That is why we are going to look at setting up Kubernetes ourselves.

In this post, we are going to look at the initial deployment of Kubernetes, from creating our nodes (in this case CentOS 7 VMs) to getting a cluster up and running. …


Helm-Vault is a new application designed to protect secrets contained in Helm Chart’s values.yaml files.

The Problem:

The problem with using Helm with Kubernetes is that there is no good way to secure your private configuration items stored in the YAML configuration files.

There are multiple reasons you may want to do this, such as to audit who is accessing what secrets, or to prevent unauthorized modifications to the environment. Another reason may be that you want to have publicly available documentation without worrying about scrubbing the files.

Current Solutions:

Currently available solutions require you to significantly modify the Helm Chart, or encrypt the entire document with GPG or a hosted KMS solution. …


While setting up a new Keycloak client in my lab over the weekend, I discovered something odd, a number of users in my Keycloak database who should not have been there.

Background:

In my homelab environment, I have been using Keycloak for securing my services, either directly for applications like Nextcloud, Confluence, and Jira, or indirectly, via a authenticated reverse proxy, for things that don’t such as single page applications like Hashicorp’s Consul or Jupyter. This has been a fine setup, and has allowed me to access my internal applications easily and securely from anywhere, with 2FA and seamless access when moving between services. …


In part two of this series, we are going to look at setting up a standalone-ha deployment of Keycloak on two CentOS 7 servers.

There are three different deployment types for Keycloak, Standalone, Standalone-HA, and Domain Clustered. Standalone deployments are single servers, this is good for a dev or test environment, but not very useful for production use. Standalone-HA are one or more servers which can both be used to serve authentication requests. This method requires a shared database, and each server is configured manually. In a Domain deployment, there is a master server known as the domain controller, and one or more host controllers which serve authentication requests. …


In this series, we will take a look at Keycloak, an open-source single sign on solution similar to Microsoft’s ADFS product.

In this first part, we will take a brief look at what SSO and Keycloak are, and why they are used.

What is Single Sign On

Single sign-on (SSO) is a property of access control of multiple related, yet independent, software systems. Wikipedia

What this means is that we can use a single authentication service to allow users to login to other services, without providing a password to the service that is being logged into.

This is different than connecting each of these applications to LDAP, as this requires providing a username and password to every service that you want to login to. …


If you use FreeNAS, it’s probably because you care about your data. Part of data security is ensuring the availability of your data. To that end, you need to ensure that said data is backed up. There are generally two reasonable ways to backup your data from FreeNAS. One, local backup (using ZFS replication), and two, cloud backup.

In this article, we will look at setting up cloud backups to Backblaze B2, an economical cloud backup solution similar to Amazon S3.

Step 1: Sign up

Sign up for a Backblaze account here. Once you have created an account, go to the “My Settings” tab, and under “Enabled Products”, check the box beside B2 Cloud Storage. …

Justin Gauthier

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store