Ooops

joined 2 years ago
[–] Ooops@feddit.org 1 point 2 days ago* (last edited 2 days ago)

If it was just AI... but the idiotic crawlers everywhere are getting worse by the day, it feels.

I still have some ancient RPi running a basic homepage with some reverse proxies. A few weeks ago, after having stopped caring about that thing years ago, I realized that the access log, which had just been happily sitting there for years without reaching a relevant size, had suddenly grown by nearly 1GB, most of it in the last 6-8 months, because I never bothered to set up logrotate.

But hey... I wanted to test setting up Anubis for quite some time. So now I can watch them run circles in the (still experimental) honeypot feature, reading pages and pages of nonsensical babbling 😂

[–] Ooops@feddit.org 5 points 5 days ago* (last edited 5 days ago)

Security through obscurity never works, so changing your SSH port does barely anything

... for security that is.

What it does is keep a lot of automated bots from spamming your server. No, they don't have any chance to get access when key authentication is used (and they won't try either... most go for the incredibly low-hanging fruits like admin/admin user/password sets), but they can become a strain on your own resources.

What actually helps (and is usually configurable with any firewall) is rate limiting access. Just blocking someone's access for 10 seconds after a failed attempt will make absolutely no difference for you but a big one for those spammers. Now add some incremental increase after multiple fails and you are perfectly set.

PS: 53 is the standard port for DNS when your server operates as such.

PPS: Don't use it. People should really let that stuff die and exclusively run encrypted DNS (via TLS, HTTPS or QUIC...)
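A small model of the escalating lockout described in the comment above, added here as an example and not part of the comment: it replays a few constructed sshd-style journal lines through a fail2ban-like policy (10 s block after a failure, doubling on each repeat within a quiet window, capped). Dropped connections never reach sshd, so only attempts that got through can add a strike. The log lines, addresses and timings are constructed, and the policy parameters (doubling factor, one-hour cap, ten-minute quiet window) are assumptions for illustration, not values from the thread.

```python
"""Escalating lockout after failed SSH logins, modelled in Python.

Added example, not from the original thread: simulates the policy the
comment describes (block a source for 10 s after a failed attempt, with the
block growing on repeated failures) over constructed sshd-style log lines.
Dropped connections never reach sshd, so only attempts that got through can
add a strike; strikes decay after a quiet period so a one-off typo is
forgotten. Factor, cap and quiet window are assumed values.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample (journal-style sshd lines): 203.0.113.7 is a scanner,
# 198.51.100.9 a legitimate key-based login.
SAMPLE_LOG = """\
Jun 01 12:00:00 pi sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun 01 12:00:02 pi sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jun 01 12:00:05 pi sshd[1003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun 01 12:00:30 pi sshd[1004]: Failed password for invalid user user from 203.0.113.7 port 51003 ssh2
Jun 01 12:01:00 pi sshd[1005]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


@dataclass
class Source:
    strikes: int = 0
    last_failure: Optional[datetime] = None
    blocked_until: Optional[datetime] = None


class EscalatingLimiter:
    """Firewall-style decision per connection attempt: drop while blocked,
    otherwise accept and lengthen the next block on each new failure."""

    def __init__(self, base=timedelta(seconds=10), factor=2,
                 cap=timedelta(hours=1), findtime=timedelta(minutes=10)):
        self.base, self.factor, self.cap, self.findtime = base, factor, cap, findtime
        self.sources: dict[str, Source] = {}

    def decide(self, ip: str, now: datetime) -> str:
        src = self.sources.setdefault(ip, Source())
        if src.blocked_until is not None and now < src.blocked_until:
            return "drop"          # the packet never reaches sshd
        return "accept"

    def record_failure(self, ip: str, now: datetime) -> timedelta:
        """Called only for failures sshd actually saw; returns the block length."""
        src = self.sources.setdefault(ip, Source())
        if src.last_failure is not None and now - src.last_failure > self.findtime:
            src.strikes = 0        # quiet period elapsed: forgive earlier strikes
        src.strikes += 1
        src.last_failure = now
        block = min(self.base * self.factor ** (src.strikes - 1), self.cap)
        src.blocked_until = now + block
        return block


def replay(log_text: str, limiter: EscalatingLimiter) -> list[tuple[str, str, str, int]]:
    """Replay log lines in order; returns (time, ip, decision, block_seconds)."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        now = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less; fine for deltas
        ip = m["ip"]
        decision = limiter.decide(ip, now)
        block = 0
        if decision == "accept" and m["result"] == "Failed password":
            decision = "accept-fail"
            block = int(limiter.record_failure(ip, now).total_seconds())
        out.append((m["ts"], ip, decision, block))
    return out


def drops_per_ip(events) -> dict[str, int]:
    """How many connection attempts each source would have had dropped."""
    counts: dict[str, int] = {}
    for _, ip, decision, _ in events:
        if decision == "drop":
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    events = replay(SAMPLE_LOG, EscalatingLimiter())
    for ev in events:
        print(*ev)
    print(drops_per_ip(events))
```

Replaying the sample, the scanner's first failure earns a 10 s block, its next two attempts are dropped before sshd sees them, and the attempt after the block expires earns 20 s; the legitimate key login is untouched, which is the "no difference for you, a big one for the spammers" point in the comment.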

[–] Ooops@feddit.org 0 points 5 days ago (7 children)

What I ask myself here is why I should have unused phones lying around in the first place?

If I somehow think constantly wasting money on a new model just because there is a new number written on its packaging is worth it, I would not actually think in terms of reusing old hardware.

If I am however thinking about using hardware instead of just throwing it away while still functional, why wouldn't I use a phone, like anyone else, as a phone?

[–] Ooops@feddit.org 1 point 1 week ago

I didn't have any actual issues with the native install either.

But with [multilib] activated there were dozens and dozens of 32-bit libraries pulled alongside their regular versions that I didn't actually need. And I use Wine a lot more than Steam anyway. So once Wine went fully 64-bit I decided to get rid of all that legacy multilib 32-bit stuff.

Steam via flatpak also works and will do until they, too, fully switch over to a WoW64 implementation.

[–] Ooops@feddit.org 1 point 1 week ago (1 children)

Mainly my normal phone app. But for a long time it's not been synced to some Google cloud (which would be the default) but to a Radicale instance.

I used Nextcloud before but honestly it's a mess to maintain. So much so that I would not suggest it without planning to extensively use a lot of the different available addon functions.

Just for file sharing and caldav/carddav I will pick some simple solutions (like Radicale and Syncthing) over Nextcloud any day.

[–] Ooops@feddit.org 1 point 1 week ago* (last edited 1 week ago)

And to give you a reference to some of the details glossed over...

The anubis instance listening to a socket doesn't work as described there. Because the systemd service is running as root by default but your web server would need access to the socket. So you first need to harmonise the user the anubis service runs as with the one your web server uses, and the permissions of the /run/anubis directory.

(see Discussion here for example)

Also having one single setup example in the docs with unix sockets when that isn't even the default is strange in the first place...

Half the Environmental Variables are just vaguely describing what they do without actual context. It probably makes perfect sense when you know it all and are writing a description. But as documentation for third-person use that's not sufficient.

Oh, and the example setup for caddy is nonsensical. It shows you how to route traffic to Anubis and then stops... and references the Apache and Nginx setups to get an idea how to continue (read: understand that you then need a second caddy instance to receive the traffic...).

PS: All that criticism reads harsher than it is meant to be. Good documentation needs user input and multiple view points to realize where the gaps are. That's simply not going to happen with mostly one person.

[–] Ooops@feddit.org 1 point 1 week ago* (last edited 1 week ago) (2 children)

More than once. But (not actually surprising for a work in progress by mostly one single person) it's not actually what I would call well-structured or even coherent. 😅

More than once I googled for a detail I didn't understand and ended up on the issue tracker, realizing I'm not alone and some behavior is indeed illogical or erratic.

And then some of it is of course referencing forwarding- and header-information, how it's handled, where it's flattened... and as my question should have told you, I don't even have much clue how it is handled normally.

[–] Ooops@feddit.org 1 point 1 week ago

It isn't webdav per se. It's the website presented by a webdav server. So there should be no functional difference between this and yet another webserver in a decentralized setup.

Yes I know that I can easily change things around to have the reverse proxy run ignored. I was more interested in the "why it happens" than a practical solution (for that I could just move the reverse proxy one block up...).

[–] Ooops@feddit.org 1 point 1 week ago

Logs of what exactly? I don't even know where to look. Neither is nginx logging an error, nor is a request ending on an unavailable port and just timing out logged anywhere. How would I set up extensive logging of anything but errors and accesses?

As far as I'm concerned this is not some error but something regarding the details of how proxy_pass works that I don't understand.

In fact it isn't even an actual problem per se. I can easily move the reverse proxy up one block so only the actual pages are protected. But the point is that I want to understand why a request that should be routed internally (and is without Anubis in the mix) ends up there. I would suspect some way the default headers are transmitted screwing things up.

[–] Ooops@feddit.org 1 point 1 week ago* (last edited 1 week ago)

I have tried localhost and 127.0.0.1 after initially using the internal 192.168.x.x IP and the behavior is always identical.

As this will (thanks to me being quite clueless) be a very open question, I will start with the setup:

One nginx server on an old Raspi getting ports 80 and 443 routed from the access point and serving several pages as well as some reverse proxies for other services.

So a (very simplified) nginx server-block that looks like this:

# serve stuff internally (without a hostname) via http
server {
	listen 80 default_server;
	http2 on;
	server_name _;
	location / {
		proxy_pass http://localhost:5555/;
		# that's where all actual stuff is located
	}
}
# reroute http traffic with hostname to https
server {
	listen 80;
	http2 on;
	server_name server_a.bla;
	location / {
		return 301 https://$host$request_uri;
	}
}
server {
	listen 443 ssl default_server;
	http2 on;
	server_name server_a.bla;
	ssl_certificate     A_fullchain.pem;
	ssl_certificate_key A_privkey.pem;
	location / {
		proxy_pass http://localhost:5555/;
	}
}
# actual content here...
server {
	listen 5555;
	http2 on;
	root /srv/http;
	location / {
		index index.html;
	}
	location = /page1 {
		return 301 page1.html;
	}
	location = /page2 {
		return 301 page2.html;
	}
	# reverse proxy for an example webdav server
	location /dav/ {
		proxy_pass http://localhost:6666/;
	}
}

Which works well.

And intuitively it looked like putting Anubis into the chain should be simple. Just point the proxy_pass (and the required headers) in the "port 443"-section to Anubis and set it to pass along to localhost:5555 again.

Which really worked just as expected... but only for server_a.bla, server_a.bla/page1 or server_a.bla/page2.

server_a.bla/dav just hangs and hangs, to then time out, seemingly trying to open server_a.bla:6666/dav.

So long story short...

How does proxy_pass actually work that the first setup works, yet the second breaks? How does a call for localhost:6666 (already behind earlier proxy passes in both cases) somehow end up querying the hostname instead?

And what do I need to configure -or what information/header do I need to pass on- to keep the internal communication intact?
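As background for the "how does proxy_pass actually work" part of the post above, here is an added example (not part of the post, and not nginx's own code): a small Python model of three documented nginx rules, replayed over the shape of the config shown (localhost:5555 in front, localhost:6666 behind /dav/). Host names and ports are taken from that config; the exact-match `location = /page1` blocks are not modelled, and the sample Location headers at the bottom are constructed to show which ones `proxy_redirect default` touches.

```python
"""Model of how nginx proxy_pass maps a request URI onto an upstream.

Added example, not part of the original post and not nginx's own code: a
small Python model of three documented nginx rules, replayed over the shape
of the config in the post (localhost:5555 in front, localhost:6666 behind
/dav/). Host names and ports are taken from that config; the sample Location
headers at the bottom are constructed.

Rules modelled (nginx proxy module documentation):
 1. proxy_pass with a URI part replaces the matched location prefix with that
    URI; proxy_pass without a URI part forwards the request URI unchanged.
 2. The upstream Host header defaults to $proxy_host, i.e. host[:port] of the
    proxy_pass URL, unless proxy_set_header Host is configured.
 3. proxy_redirect default rewrites a Location header that starts with the
    proxy_pass URL to start with the location prefix instead; any other
    Location value is passed through untouched.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Location:
    prefix: str                   # location prefix, e.g. "/dav/"
    proxy_pass: Optional[str]     # None: served locally (root, return, ...)


def pick_location(locations, request_uri):
    """Prefix matching as nginx does it: the longest matching prefix wins."""
    matches = [loc for loc in locations if request_uri.startswith(loc.prefix)]
    return max(matches, key=lambda loc: len(loc.prefix))


def upstream_request(loc, request_uri):
    """Rules 1 and 2: return (upstream_url, host_header) for one proxy hop."""
    parts = urlsplit(loc.proxy_pass)
    if parts.path:      # URI part present ("/" counts): swap the matched prefix
        path = parts.path + request_uri[len(loc.prefix):]
    else:               # no URI part: the client's URI is passed as-is
        path = request_uri
    return f"{parts.scheme}://{parts.netloc}{path}", parts.netloc


def rewrite_location(loc, location_header):
    """Rule 3: proxy_redirect default applied to one Location header."""
    if loc.proxy_pass and location_header.startswith(loc.proxy_pass):
        return loc.prefix + location_header[len(loc.proxy_pass):]
    return location_header


# The two server blocks a client request passes through in the post's setup.
FRONT_443 = [Location("/", "http://localhost:5555/")]
CONTENT_5555 = [Location("/", None),                          # root /srv/http
                Location("/dav/", "http://localhost:6666/")]  # webdav proxy
SERVERS = [("443", FRONT_443), ("5555", CONTENT_5555)]


def trace(servers, request_uri):
    """Follow one request URI hop by hop; each entry is
    (server, matched prefix, what that server does with it)."""
    hops, uri = [], request_uri
    for name, locations in servers:
        loc = pick_location(locations, uri)
        if loc.proxy_pass is None:
            hops.append((name, loc.prefix, "served locally"))
            break
        url, host = upstream_request(loc, uri)
        hops.append((name, loc.prefix, f"{url} Host: {host}"))
        uri = urlsplit(url).path      # what the next server block receives
    return hops


if __name__ == "__main__":
    for uri in ("/", "/dav/file.txt", "/dav"):
        print(uri, "->", trace(SERVERS, uri))
    dav = CONTENT_5555[1]
    # Constructed Location headers: one matches the proxy_pass URL, one does not.
    for hdr in ("http://localhost:6666/sub/", "https://server_a.bla/sub/"):
        print(hdr, "->", rewrite_location(dav, hdr))
```

Two things the trace makes visible: each hop replaces the matched prefix and sets Host to the proxy_pass host:port, so the webdav server receives `/file.txt` with `Host: localhost:6666`; and `proxy_redirect default` only rewrites a Location header that literally starts with `http://localhost:6666/`, so a redirect built from any other host name passes through to the client unchanged. Checking the Location header the upstream actually emits (for instance with curl -i against localhost:6666 directly) is the quickest way to see which case applies in a given setup.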

[–] Ooops@feddit.org 10 points 1 week ago* (last edited 1 week ago) (2 children)

Paru, so Pacman & AUR...

With exactly one exception: Steam via flatpak, because that's the single package left that would need 32-bit libraries from the multilib repo since Wine finally left those dependencies behind.

[–] Ooops@feddit.org 1 point 2 weeks ago

I don't think there is a better "default" because the default has to be the general setting everyone can live with. But that of course also means it's not particularly good for any use case.

In general desktop users prefer lower values for snappy behavior when switching through different apps (~10 often recommended). People mainly focusing on performance of the primary running app prefer higher values (which may, depending on setup, include gamers).

Also there is zram/zswap now (basically compressed swap in memory instead of on disk), which is faster than traditional swap.

But in the end you can only try out values and watch your system's behavior or run benchmarks to find the proper value for you personally.

view more: next ›