When you self-host immich behind an nginx reverse proxy, be aware that the nginx default configuration blocks uploads of big files!
I fell into that trap!
https://discussion.scottibyte.com/t/immich-how-to-bust-the-upload-limits/475

@negative12dollarbill #nginx keeps popping up in my findings, I may start with it
#NoAi #nginx #network #networking #apache #webdev
Yet another AI bot to block:
ChatBot for WordPress with AI – WPBot
https://wordpress.org/plugins/chatbot/
Sample request with UA
34.222.202.101 - - [09/Apr/2025:02:35:32 +0200] "GET / HTTP/2.0" 403 107 "-" "Mozilla/5.0 (compatible; wpbot/1.3; +https://forms.gle/ajBaxygz9jSR8p8G9)"
I'm having lots of fun researching #HLS, as I develop a video platform as a side quest and try to keep things on a budget. My plan is to have #nginx proxying to #minio but using subrequest auth to serve the streams. Will use #ffmpeg to encode the videos for adaptive streaming and encryption. I think everything I have cooking in my head should work, now down to implementing the missing parts before gluing everything together. Oh, and I'm thinking of hosting on an OVH dedicated server.
Just released: #swad v0.2
SWAD is the "Simple Web Authentication Daemon", meant to add #cookie #authentication with a simple #login form and configurable credential checker modules to a reverse #proxy supporting to delegate authentication to a backend service, like e.g. #nginx' "auth_request". It's a very small piece of software written in pure #C with as little external dependencies as possible. It requires some #POSIX (or "almost POSIX", like #Linux, #FreeBSD, ...) environment, OpenSSL (or LibreSSL) for TLS and zlib for response compression.
Currently, the only credential checker module available offers #PAM authentication, more modules will come in later releases.
swad 0.2 brings a few bugfixes and improvements, especially helping with security by rate-limiting the creation of new sessions as well as failed login attempts. Read details and grab it here:
Released: #swad v0.1
Looking for a simple way to add #authentication to your #nginx reverse proxy? Then swad *could* be for you!
swad is the "Simple Web Authentication Daemon", written in pure #C (+ #POSIX) with almost no external dependencies. #TLS support requires #OpenSSL (or #LibreSSL). It's designed to work with nginx' "auth_request" module and offers authentication using a #cookie and a login form.
Well, this is a first release and you can tell by the version number it isn't "complete" yet. Most notably, only one single credentials checker is implemented: #PAM. But as PAM already allows pretty flexible configuration, I already consider this pretty useful.
If you want to know more, read here:
https://github.com/Zirias/swad
I thought I was joking when I started writing that. But.. trivial extra overhead, fortune's ready to apt-get install. My little web service front-end is #nginx + #FastAPI in #Python.
It'd be nothing to make a reject filter for bad URIs that aren't valid for this system and return subprocess.getoutput() and write what's returned back to the curious caller.
Some of the code calling is surely logging weird replies it gets. That'd be fun.
Not high priority fun, but on the list.
Did lots of smaller improvements to #swad ... but first, I had to hunt down a crash. Finally found it was caused by my #poser lib (to be fixed later): A connection there can resolve the hostname of a remote end and does so in a thread job to avoid blocking. If the connection dies meanwhile, the job is canceled. Seems my canceling mechanism relying on a signal to the thread is, well, not reliable (the signal can arrive delayed). Ok, for now just disabled name resolution to sidestep that.
Now, integration with #nginx is much better. I introduced (optional) custom headers to transport the authentication realm and the redirect URI, plus state management in the session, so these can be passed to the "auth" endpoint. This requires making sure nginx always passes the session #cookie. Unfortunately, I still need a "hacky" redirect configuration for login in nginx. If auth_request could just pass the response body, this would be unnecessary...
The nginx configuration shows #swad running on "files" and another nginx running on "wwwint" serving #poudriere output there. This nginx instance helpfully adds cache hints, which I have to override, so a redirect works as expected when for example the swad session times out.
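A hypothetical emulation of the auth_request flow the swad release posts and the integration post above describe, added here as an example (it is not swad's code; the cookie name, the X-Auth-* header names, the session lifetime and the rate limits are assumptions): nginx calls the auth endpoint once per request, a 2xx answer lets the request through, a 401 sends the client to the login form together with the realm and redirect URI carried in headers, and failed logins are rate limited per client IP as in the v0.2 notes.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SECRET = secrets.token_bytes(32)  # per-process signing key (constructed for the demo)
SESSION_TTL = 3600                # assumption: sessions expire after one hour
MAX_FAILS, FAIL_WINDOW = 5, 300   # assumption: 5 failed logins per client IP per 5 minutes

_sessions = {}   # session id -> (user, expiry)
_failures = {}   # client ip -> timestamps of recent failed logins

def _sign(sid):
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

def create_session(user, now=None):
    """Issue a session id plus MAC; the cookie value is 'id.mac' so tampering is detectable."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = (user, now + SESSION_TTL)
    return f"{sid}.{_sign(sid)}"

def auth_request(headers, now=None):
    """Decide one nginx auth_request subrequest from the headers nginx forwarded.
    nginx allows the original request on 2xx and denies it on 401/403; realm and
    redirect URI arrive in hypothetical X-Auth-* headers so the login form knows them."""
    now = time.time() if now is None else now
    cookie = SimpleCookie(headers.get("Cookie", ""))
    value = cookie["session"].value if "session" in cookie else ""
    sid, _, mac = value.partition(".")
    if sid and hmac.compare_digest(mac, _sign(sid)):
        user, expiry = _sessions.get(sid, (None, 0))
        if user and expiry > now:
            return 200, {"X-Auth-User": user}
        _sessions.pop(sid, None)  # expired: drop it so the client must log in again
    return 401, {"X-Auth-Realm": headers.get("X-Auth-Realm", "default"),
                 "X-Auth-Redirect": headers.get("X-Auth-Redirect", "/")}

def login_attempt(ip, ok, now=None):
    """Track failed logins per client; False means the client is currently rate limited."""
    now = time.time() if now is None else now
    recent = _failures[ip] = [t for t in _failures.get(ip, []) if now - t < FAIL_WINDOW]
    if len(recent) >= MAX_FAILS:
        return False
    if not ok:
        recent.append(now)
    return True
```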
I've set up my new #inkscape website AI bot trap. It works by giving everyone a chance to not fall into it.
An anchor link that says "I am a bot" and links to /P3W-451/{datetime}/ it's got a fixed position at top -100px so should never be seen
The robots.txt says "Disallow: /P3W-451/" so if you were reading the robots, you'd know.
Then #nginx logs the requests to a log of their IP addresses and browser strings and sends them a 301 redirect to google.com
1/2
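A defender-side check for the trap described above, added here as an example that is not from the original posts: it parses nginx combined-format access log lines, flags clients that requested the /P3W-451/ honeypot path or that announce one of the bot user agents named in this thread (wpbot, GPTBot, PetalBot), and renders the result as nginx deny directives. The sample log lines are constructed, except for the wpbot line quoted earlier in the thread.

```python
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TRAP_PREFIX = "/P3W-451/"   # honeypot path from the post, also disallowed in robots.txt
# Bot names mentioned in this thread; extend the alternation as new ones show up.
BAD_UA = re.compile(r"\b(wpbot|gptbot|petalbot)\b", re.IGNORECASE)

# Constructed sample: the wpbot line from the thread, a trap hit, a bot that both ignores
# robots.txt and announces itself, and one ordinary visitor.
SAMPLE_LOG = """\
34.222.202.101 - - [09/Apr/2025:02:35:32 +0200] "GET / HTTP/2.0" 403 107 "-" "Mozilla/5.0 (compatible; wpbot/1.3; +https://forms.gle/ajBaxygz9jSR8p8G9)"
203.0.113.7 - - [01/Apr/2025:10:00:00 +0200] "GET /P3W-451/2025-04-01T10:00:00/ HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/123.0"
203.0.113.9 - - [01/Apr/2025:10:00:05 +0200] "GET /P3W-451/2025-04-01T10:00:05/ HTTP/1.1" 301 162 "-" "Mozilla/5.0 (compatible; GPTBot/1.0)"
198.51.100.4 - - [01/Apr/2025:10:01:00 +0200] "GET /index.html HTTP/1.1" 200 512 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0) Firefox/124.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entries):
    """Map client IP -> sorted reasons ('trap' for honeypot hits, 'ua' for a known bot UA)."""
    hits = defaultdict(set)
    for e in entries:
        if e["path"].startswith(TRAP_PREFIX):
            hits[e["ip"]].add("trap")
        if BAD_UA.search(e["ua"]):
            hits[e["ip"]].add("ua")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

def scan(log_text):
    """Parse a whole log and classify it; unparsable lines are skipped, not fatal."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return classify(entries)

def deny_directives(result):
    """Render the flagged clients as nginx 'deny' lines for an include file."""
    return "\n".join(f"deny {ip};" for ip in sorted(result))

if __name__ == "__main__":
    flagged = scan(SAMPLE_LOG)
    for ip, reasons in flagged.items():
        print(ip, ",".join(reasons))
    print(deny_directives(flagged))
```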
First "production test" successful ... after band-aid "deployment" (IOW, scp binaries to the prod jail).
#swad integrates with #nginx exactly as I planned it. And #PAM authentication using a child process running as root also just works (while the main process dropped privileges).
So, I guess I can say goodbye to #AI #bots hammering my poor DSL connection just to download poudriere build logs.
Still a lot to do for #swad: Make it nicer. So many ideas. Best start would probably be to implement more credentials checking modules besides PAM.
Upgrading Nginx-Ingress did not go smoothly today
It worked, but I had to deviate from the recommended steps - without really having time to figure out why.
My Notes here
https://tangiblebytes.co.uk/2025/kubernetes-nginx-ingress-cve-2025-1974/
I finally poked at my nginx logs, because generally nothing happens on my servers
202.155.137.157 - - [30/Mar/2025:00:53:00 +0100] "GET /mirrors-JapanMapTranslate-github/patch/bin/kanaconv/HiraganaConverterImpl.class?id=c1c09efe21a09ecbd6f95641c8a0086ec538ae39 HTTP/1.1" 200 663 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/312.5 (KHTML, like Gecko) Safari/312.3"
yeah... yeah... ok... this bitch is accessing ONE specific file as Power PC Mac OS X ???
get the fuck outta here.
% Information related to '202.155.137.0/24AS212238'
route: 202.155.137.0/24
origin: AS212238
descr: CV. Rumahweb Indonesia
Jl. Arimbi No. 482
Kel. Banguntapan, Kec. Banguntapan
mnt-by: MAINT-CRI-ID
last-modified: 2025-02-25T00:03:14Z
source: APNIC
Latest issue of my curated #cybersecurity and #infosec list of resources for week #13/2025 is out!
It includes the following and much more:
➝ DNA of 15 Million People for Sale in #23andMe Bankruptcy,
➝ #Trump administration accidentally texted a journalist its war plans,
➝ Critical Ingress #NGINX controller vulnerability allows RCE without authentication,
➝ #Cyberattack hits Ukraine's state railway,
➝ Troy Hunt's Mailchimp account was successfully phished,
➝ #OpenAI Offering $100K Bounties for Critical #Vulnerabilities,
➝ #Meta AI is now available in #WhatsApp for users in 41 European countries... and cannot be turned off
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end
https://infosec-mashup.santolaria.net/p/infosec-mashup-13-2025
Trying to come up with my own little self-hosted #http #authentication #daemon to work with #nginx' "authentication request" facility ... first step done!
Now I have a subset of HTTP 1.x implemented in #C, together with a dummy handler showing nothing but a static hello-world root document.
I know it's kind of stubborn doing that in C, but hey, #coding it is great fun
Motivated by Samuel Reichör, I took another try for Craft CMS + Coolify. But I can't get the nginx conf quite right Thx for any hints!
Source code Docker Compose:
- https://github.com/mandrasch/ddev-craftcms-vite/blob/coolify-test/docker-compose.yml
- https://github.com/mandrasch/ddev-craftcms-vite/blob/coolify-test/Dockerfile
- https://github.com/mandrasch/ddev-craftcms-vite/blob/coolify-test/nginx.conf
Coolify Discord question: https://discord.com/channels/459365938081431553/1355504172920864911
@bagder Wow. For a few months, I was wondering why I suddenly have bandwidth issues when activating my camera in MS Teams meetings, so others can't understand me any more.
A look into my #nginx logs seems to clarify. Bots are eagerly fetching my (partially pretty large) #poudriere build logs. (#AI "watching shit scroll by"?)
I see GPTBot at least occasionally requests robots.txt, which I don't have so far. Other bots don't seem to be interested. Especially PetalBot is hammering my server. And there are others (bytedance, google, ...)
Now what? Robots.txt would actually *help* well-behaved bots here (I assume build logs aren't valuable for anything). The most pragmatic thing here would be to add some http basic auth in the reverse proxy for all poudriere stuff. It's currently only public because there's no reason to keep it private....
Have to admit I feel inclined to try one of the tarpitting/poisoning approaches, too.
The ActivityPub plugin for WordPress requires certain URLs to work. This applies in particular to multisite instances with subdirectories. Learn how you need to configure your nginx to make it work.
https://epiph.yt/blog/2025/activitypub-in-nginx-multisite-mit-unterverzeichnissen/
After a lot of tinkering, we finally made it to the latest release of the #nginx ingress controller on the https://mstdn.dk cluster. The latest release addresses no less than FOUR #CVE records. Critical configuration areas had changed, the GeoIP database had to be cached to avoid rate limiting and the #LUA engine needed some tweaks before it could handle the relatively large number of TLS certificates we're using in the cluster, but we finally made it. Sorry about the hiccups. We're trying to keep expenses from going through the roof, so we've skipped the test setup in favor of gently tweaking things in production. Usually that goes well, but there is the rare exception.
Somewhat related, the #KubeCon / #KubeConEU #Kubernetes conference is next week, which means I'll be in #London for the first time for an entire week. Any suggestions for things worth visiting for a bunch of #nerds? :D