I know #iocaine doesn't have a fully fledged howto for using #nginx as the reverse proxy, but I have a lot in my nginx config currently, so I want to try and get it working there
After figuring out that the different configuration pages don't agree on what socket path to use for the client connections to iocaine, I now have the 421 error being returned to the browser, but I don't understand what I need to fix to get to a working setup.
I have no log outputs when accessing blog.cerberos.id.au
#askFedi

upstream iocaine {
    server unix://run/iocaine/iocaine.socket;
}

server {
    listen       443 ssl;
    server_name  blog.cerberos.id.au;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_protocols        TLSv1.2;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass http://iocaine;
        proxy_cache off;
        proxy_intercept_errors on;
        error_page 421 = @fallback;
    }

    location @fallback {
        root   /data/blog;
        internal;
    }

    ssl_certificate /etc/letsencrypt/live/blog.cerberos.id.au/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog.cerberos.id.au/privkey.pem; # managed by Certbot

    # debug logging options
    error_log /var/log/nginx/blog.error.log warn;
    access_log /var/log/nginx.access.log;
}

It doesn’t occur often, but when it does, it brings a smile to my face. This is my error page served from the proxy when the backend can't process the requests (or is unavailable).

#manpageblog #devops #nginx #proxy #backend #linux #freebsd #tux #beastie

https://blog.nginx.org/blog/native-support-for-acme-protocol

Competition is a funny thing. #nginx finally introduces native support for the #ACME protocol.


When protecting a set of small static websites against the onslaught of AI crawler bots, something like Anubis is a lot of effort to install.

So, I knocked up something that might help against the dumber bots, coded entirely inside nginx config so there's no other moving parts to install.

I've done some isolated testing but haven't installed it in anger yet - but I might add it to e.g. my blog and #Faircamp sites.

https://evilgeniusrobot.uk/posts/a-simple-bot-gatekeeper-for-nginx.html

#AIbots #botnet #badBot #nginx

A recent Apache update broke a bunch of nginx-based sites this morning. If you're getting a 421 error, you'll need to add some proxy_ssl config to nginx's setup quickly.

support.plesk.com/hc/en-us/art

#421

Just released: #swad 0.11 -- the session-less swad is done!

Swad is the "Simple Web Authentication Daemon", it adds cookie/form #authentication to your reverse #proxy, designed to work with #nginx' "auth_request". Several modules for checking credentials are included, one of which requires solving a crypto challenge like #Anubis does, to allow "bot-safe" guest logins. Swad is written in pure #C, compiles to a small (200-300kiB) binary, has minimal dependencies (zlib, OpenSSL/LibreSSL and optionally libpam) and should work on many #POSIX-alike systems (#FreeBSD tested a lot, #Linux and #illumos also tested)

This release is the first one not to require a server-side session (which consumes a significant amount of RAM on really busy sites); instead, signed JSON Web Tokens are now implemented. For now, they are signed using HMAC-SHA256 with a random key generated at startup. A future direction could be support for asymmetric keys (RSA, Ed25519), which could open up new possibilities like having your reverse proxy pass the signed token to a backend application, which could then verify it, but still not forge it.

Read more, grab the latest .tar.xz, build and install it ... here: 😎

https://github.com/Zirias/swad
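As an added illustration of the token scheme the release note above describes (this is not swad's code, which is written in C, and the claim names, TTL and `STARTUP_KEY` stand-in are assumptions), here is an HS256-signed JWT issued and verified with only the Python standard library. The verifier recomputes the HMAC over the header and payload with the same startup key, compares it in constant time, rejects any `alg` other than `HS256`, and enforces `exp`:

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed stand-in for a per-process key generated at startup and never
# persisted (assumption; swad's actual key handling is not shown on the page).
STARTUP_KEY = os.urandom(32)


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    # Re-add the padding the encoder stripped
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes = STARTUP_KEY, ttl: int = 3600, now=None) -> str:
    """Sign claims as an HS256 JWT; iat/exp are added from `now` and `ttl`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes = STARTUP_KEY, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # malformed base64, JSON, or wrong number of segments
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: never let the token choose (rejects "none" and others)
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checking leaks no timing information
    if not hmac.compare_digest(sig, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


if __name__ == "__main__":
    tok = issue_token({"sub": "alice"}, ttl=600)
    print("valid:", verify_token(tok))
    print("wrong key:", verify_token(tok, key=os.urandom(32)))
    h, p, s = tok.split(".")
    print("tampered payload:", verify_token(h + "." + b64url_encode(b'{"sub":"admin"}') + "." + s))
```

Because `issue_token` and `verify_token` share one secret, anything that can verify a token can also mint one; that is exactly why the note above treats asymmetric signatures as the next step, where a backend holding only the public key can verify the proxy's token but cannot forge it.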

Just released: #swad 0.10

https://github.com/Zirias/swad/releases/tag/v0.10

Swad is the "Simple Web Authentication Daemon". If you're looking for a way to add #authentication (and/or proof-of-work access as known from #anubis) to your #nginx reverse proxy -- without adding yet another reverse proxy -- swad could be for you! It's written in pure #C, has few external dependencies (just zlib, and optionally OpenSSL/LibreSSL and/or libpam) and compiles to a pretty small binary. It's designed for usage with nginx' 'auth_request'.

Swad is tested on #FreeBSD, some basic functionality tests were also done on #Linux and #illumos (descendant from #solaris). It should build and work on most #POSIX-alike systems.

This release mainly brings performance improvements and a few bugfixes. It's now stress-tested with Apache JMeter, verifying it can deal with at least 1000 requests per second on my personal (somewhat limited) FreeBSD host machine.