overview for Ooops

Systemd v261-rc1 is out with the 'birth date field' in c/linux@lemmy.ml

[–] Ooops@feddit.org 10 points 2 days ago* (last edited 2 days ago) (3 children)

Debian daring to suggest that using your real name to identify yourself on the system is a reasonable choice for most people. So get the torches and pitchforks...

Also don't tell those people about the fact that such fields for additional information (like real name, address etc) exist in most user-handling parts of their software since forever.

You get asked for your real name when creating a new user for longer than Linux even exists. It's just that noone actually cares. But now that's suddenly an horrific anti privacy policy because the narrative demand that it is.

Systemd v261-rc1 is out with the 'birth date field' in c/linux@lemmy.ml

What do you use for selfhosting cloud storage? in c/selfhosted@lemmy.world

[–] Ooops@feddit.org 2 points 5 days ago

Occasionally I need to run an “occ” command after an install to fix some indexes

That then fails and breaks it (in about 1 out of 3 cases). Which requires rolling back everything, running the commands again pre-update, then updating and praying to not have to do another re-install (~ 1 out of 5).

What do you use for selfhosting cloud storage? in c/selfhosted@lemmy.world

[–] Ooops@feddit.org 6 points 5 days ago* (last edited 5 days ago) (5 children)

I actually moved away from classical self-hosted cloud storage solutions after trying the usual suspects like opencloud, nextcloud etc.

And for me the time and effort (also the ressource-hogging if you don't use quite overpowered servers) just weren't worth it. Not when the used interfaces most of the time are open standards anyway and simpler solutions do the job:

Radicale for contacts and dates via a webdav subset. Webdav concidently being widely supported for integrating online storage into any filesystem (or as the backend for several other things like for example syncing my bookmarks over several devices and browsers). SFTP or the million tools being just a frontend for it.

One shiny platform like for example Nextcloud to do it all might be nice for a lot of users when they have someone dedicated to maintain it. But for selfhosting (as in: mainly for myself) the constant attention needed to fix stuff was quite tedious.

When I think of "Google Drive" or "Dropbox" alternatives nowadays it's just a drive hooked up to some low-spec device and accessed via one (or several) already existing open standards.

(Bonus point: that lost phone is simply cut off by deleting its keys - unlike so many dedicated platform where you have to manage -if you even can- multiple dedicated users and their rights just to easily separate your personal access from your devices that are by design not all equally secure.)

Any way to compress game files on linux? in c/linux@lemmy.ml

[–] Ooops@feddit.org 18 points 1 week ago* (last edited 1 week ago)

Have in mind that compressed filesystem would be slower.

Often the opposite is true, depending on case. Compressed files load faster, so if you have the cpu power to spare (which you usually have in games while loading) and loading speed is the bottle-neck then compression speeds things up, often considerably.

And even in the age of ssds processing data and moving it through ram is much faster than the disk, so even for writing some amount of transparent compression is possible without affecting speeds.

There's a better way to use Linux in c/linux@lemmy.ml

[–] Ooops@feddit.org 2 points 1 week ago

Might be just my experience but what actually keeps people from switching is a proper support time line. Long-term and rolling releases can keep people using them for years after which they actually know what they want, what they can get used to and they don't wanjt. Most distros however screw up something at the inevitable upgrade long before that, which then leads to "well, guess I could reinstall and try something else anyway".

Dirty Frag: Universal Linux LPE - allows any unprivileged local user to gain root access on a vulnerable Linux system - no patch available in c/linux@lemmy.ml

[–] Ooops@feddit.org 5 points 2 weeks ago

Setups like Android or those new fancy ummutable distros don't actually make anything more secure. If the underlying OS is drectly exploited they don't protect you. Not having a mechanism included to get you root permissions regularly, doesn't help you against exploits achieving the same in unplanned ways. In fact -allthough that's a minor issue- you can probably specifically target the latter distros even after a patch: After all we are talking about direct changes to binary code here. On that level you could get ideas about manipulating the overlay to access the unpatched files.

In the end the most effective way to be more secure is not a mass produced thing like Android that locks out everyone (and not even being that good at it because there are masses working to circumvent it to get control over their device back), but to minimise you attack surface: Don't have stuff activated you don't need. Have a kernel compiled for your device with only exactly the components you really need. Or whitelist all kernel modules you need and nothing more. Explicitly declare what a user can do and access actively (see: SELinux, AppArmor with strict policies) instead of relying on the underlying passive permission system.

Dirty Frag: Universal Linux LPE - allows any unprivileged local user to gain root access on a vulnerable Linux system - no patch available in c/linux@lemmy.ml

[–] Ooops@feddit.org 11 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Update: Kernel 7.0.5 just released

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")

Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")

Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES")

Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES")

For those running Linux with Window Managers (or Desktop Environments too), how do you make sure that on lid close: the laptop suspends and locks? in c/linux@lemmy.ml

[–] Ooops@feddit.org 8 points 3 weeks ago

Also HandleLidSwitchExternalPower= for when it's still plugged in when you close the lid.

ISPs as publically owned Utilities in c/linux@lemmy.ml

[–] Ooops@feddit.org 3 points 1 month ago

Germany's problem is not building stuff but corruption.

Our street/sidewalk was opened up f****ing 7 times in the last 3 years for fiber-optic cables. Because if there is money to be spend they will find a way to give it to some buddies for putting the 2nd, 3rd or 10th set of redundant cables into the ground.

Oh, and guess what is not available here... a fiber connection, because actually connecting those cables is not where they can make money. And if they somehow manage this some day... I'll pay insane prices compared to any other country.

Which is both again caused by corruption, a.k.a. a few big companies and their well-paid lobbyists working hard to be the only option.

Anthropic Mythos shaping up as nothingburger in c/linux@lemmy.ml

[–] Ooops@feddit.org 15 points 1 month ago (1 children)

Anthropic Mythos shaping up as nothingburger

AI PR doing AI PR stuff... At this point they will push any outrageous claim about capabilities or spend nearly any amount of money to keep that insane AI bubble from bursting.

It's self hosting Sunday! What's up selfhosters? Infrastructure edition in c/selfhosted@lemmy.world

[–] Ooops@feddit.org 1 points 1 month ago* (last edited 1 month ago)

If it wast just AI, but the idiotic crawlers everywhere are getting worse by the day it feels.

I still have some ancient RPi running a basic homepage with some reverse proxies. A few weeks ago and after stopping to care about that thing years ago I realized that the access log that was just happily sitting there for years without getting to relevant sizes has suddenly grown by nearly 1GB, most of it in the last 6-8 months because I never bothered to set up logrotate.

But hey... I wanted to test setting up Anubis for quite some time. So now I can watch them run circles in the (still experimental) honeypot feature reading pages and pages of non-sensical babbling 😂

26

Need some ELI5 on proxy_pass in Nginx, in particular regarding having Anubis in the chain (feddit.org)

submitted 1 month ago* (last edited 1 month ago) by Ooops@feddit.org to c/selfhosted@lemmy.world

11 comments fedilink

As this will -thanks to me being quite clueless- be a very open question I will start with the setup:

One nginx server on an old Raspi getting ports 80 and 443 routed from the access point and serving several pages as well as some reverse proxies for other sevices.

So a (very simplified) nginx server-block that looks like this:

# serve stuff internally (without a hostname) via http
server {
	listen 80 default_server;
	http2 on;
	server_name _; 
	location / {
		proxy_pass http://localhost:5555/;
                \# that's where all actual stuff is located
	}
}
# reroute http traffic with hostname to https
server {
	listen 80;
	http2 on;
	server_name server_a.bla;
	location / {
		return 301 https://$host$request_uri;
	}
}
server {
	listen 443 ssl default_server;
	http2 on;
	server_name server_a.bla;
   	ssl_certificate     A_fullchain.pem;
    	ssl_certificate_key A_privkey.pem;
	location / {
		proxy_pass http://localhost:5555/;
	}
}
#actual content here...
server {
	listen 5555;
	http2 on;
    	root /srv/http;
	location / {
        	index index.html;
   	} 
    	location = /page1 {
		return 301 page1.html;
	}
    	location = /page2 {
		return 301 page2.html;
	}
        #reverse proxy for an example webdav server 
	location /dav/ {
		proxy_pass        http://localhost:6666/;
	}
}

Which works well.

And intuitively it looked like putting Anubis into the chain should be simple. Just point the proxy_pass (and the required headers) in the "port 443"-section to Anubis and set it to pass along to localhost:5555 again.

Which really worked just as expected... but only for server_a.bla, server_a.bla/page1 or server_a.bla/page2.

server_a.bla/dav just hangs and hangs, to then time out, seemingly trying to open server_a.bla:6666/dav.

So long story short...

How does proxy_pass actually work that the first setup works, yet the second breaks? How does a call for localhost:6666 (already behind earlier proxy passes in both cases) somehow end up querying the hostname instead?

And what do I need to configure -or what information/header do I need to pass on- to keep the internal communication intact?