Perhyte
- 0 Posts
- 32 Comments
Any chance you’ve defined the new networks as “internal”? (using docker network create --internal on the CLI or internal: true in your docker-compose.yaml).
Because the symptoms you’re describing (no connectivity to stuff outside the new network, including the wider Internet) sound exactly like you did, but didn’t realize what that option does…
It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware.
For TLS-based protocols like HTTPS you can run a reverse proxy on the VPS that only looks at the SNI (server name indication) which does not require the private key to be present on the VPS. That way you can run all your HTTPS endpoints on the same port without issue even if the backend server depends on the host name.
This StackOverflow thread shows how to set that up for a few different reverse proxies.
Fun fact: apparently on x86 just MOV all by itself is Turing-complete, without even using it to produce self-modifying code (paper, C compiler).
If there happens to be some mental TLS handshake RCE that comes up, chances are they are all using the same underlying TLS library so all will be susceptible…
Among common reverse proxies, I know of at least two underlying TLS stacks being used:
- Nginx uses OpenSSL.
- This is probably the one you thought everyone was using, as it’s essentially considered to be the “default” TLS stack.
- Caddy uses
crypto/tlsfrom the Go standard library (which has its own implementation, it’s not just a wrapper around OpenSSL).- This is in all likelihood also the case for Traefik (and any other Go-based reverse proxies), though I did not check.
Aurora is no longer maintained, but it still works just fine. It’s a Windows app, so not web-accessible or anything, but it’s free. It only contains the SRD content by default (probably for legal reasons), but there’s at least one publicly-accessible elements repository for it that you can find using your favorite search engine.
Viaplay. In my country (the Netherlands) the only reason anyone’s heard of them (AFAIK) is that they have the rights to broadcast Formula 1 races here so they get a lot of signups at the start of the racing season, and a lot of cancellations at the end of that season.
I have a similar setup.
Getting the DNS to return the right addresses is easy enough: you just set your records for subdomain * instead a specific subdomain, and then any subdomain that’s not explicitly configured will default to using the records for *.
Assuming you want to use Let’s Encrypt (or another ACME CA) you’ll probably want to make sure you use an ACME client that supports your DNS provider’s API (or switch DNS provider to one that has an API your client supports). That way you can get wildcard TLS certificates (so individual subdomains won’t still leak via Certificate Transparency logs). Configure your ACME client to use the Let’s Encrypt staging server until you see a wildcard certificate on your domains.
Some other stuff you’ll probably want:
- A reverse proxy to handle requests for those subdomains. I use Caddy, but basically any reverse proxy will do. The reason I like Caddy is that it has a built-in ACME client as well as a bunch of plugins for DNS providers including my preferred one. It’s a bit tricky to set this up with wildcard certificates (by default it likes to request individual subdomain certificates), but I got it working and it’s been running very smoothly since.
- To put a login screen before each service I’ve configured Caddy to only let visitors through to the real pages (or the error page, for unconfigured domains) if Authelia agrees.
If you’re using OpenSSH, the IdentityFile configuration directive selects the SSH key to use.
Add something like this to your SSH config file (~/.ssh/config):
Host github.com
IdentityFile ~/.ssh/github_rsa
Host gitlab.com
IdentityFile ~/.ssh/gitlab_rsa
This will use the github_rsa key for repositories hosted at github.com, and the gitlab_rsa key for repositories hosted at gitlab.com. Adjust as needed for your key names and hosts, obviously.
I’m from Europe (and studied CS there). My classes for some courses were about a third Indian, a third Chinese, with locals and other foreigners combined being the final third.
Of course, I’m pretty sure this photo wasn’t taken anywhere near me either. For me, the clue to that was the Cyrillic on the slides.
I tried it on Linux Mint and I’m directed to FlatHub, which states:
★★ You’ll need a Plex Media Server and an active Plex Pass to use this app ★★
Installed it anyway, but:
I guess they didn’t update that version yet?
Edit ~24 hours later: I just got the update. It works now.
Edit 2: … but media keys don’t seem to work :(
Someone already made one 3 hours ago. Though apparently it won’t help by itself, since their robots.txt disallows indexing anyway (and that same issue also requests that to be adjusted).
According to their develop pages, they do look for that:
There are a handful of factors that play a role in canonicalization: […], and
rel="canonical"linkannotations.
(but Google considers it a hint, so they don’t have to honor it)
Also, that change was just for Lemmy. Other Fediverse sites may not do the same, which would lessen the effect. For example, from a quick look at a random federated post on kbin.social, there was no such <link rel="canonical"/> element present in the page source.
As of v0.18.2, Lemmy marks the “original URL” as the canonical URL so search engines know which page is the “real” one. Shouldn’t that help?
The linked page has a buggy redirect to a link that repeats itself, I suspect the author pasted the link twice.
On my install it looks like it’s not just an easily modified HTML form: it appears to be generated by (minified) javascript.
However, the length of time it will remember you is configurable, so if you set that to something like 10 years (10y) it shouldn’t bother you very often…
Can you really call it MIT licensed when you’re adding conditions to the license?
Silly as it is, many ISPs hand out dynamic IPv6 prefixes that may change once in a while. Or “dynamic” prefixes that never seem to change (but are not guaranteed never to change).
The reason is of course that they like being able to charge extra for static IPv4 addresses, and they see no reason to get rid of that revenue source for IPv6.
They don’t yet support these TLDs, but according to this blog post they will be added very soon:
Note: We plan to support .dev and .app by mid-July 2023.
No idea about the Lemmy hosting bit, but I highly doubt that .com you got will renew at $1 going forward. Judging by this list it’ll most likely be $9+ after the first year.
At $1/year, the registrar you used is taking a loss because they pay more than that to the registry for it. They might be fine with that for the first year to get you in the door, but they’d presumably prefer to be profitable in the long term.