Released: #swad v0.1 🥳

Looking for a simple way to add #authentication to your #nginx reverse proxy? Then swad *could* be for you!

swad is the "Simple Web Authentication Daemon", written in pure #C (+ #POSIX) with almost no external dependencies. #TLS support requires #OpenSSL (or #LibreSSL). It's designed to work with nginx' "auth_request" module and offers authentication using a #cookie and a login form.

Well, this is a first release and you can tell by the version number it isn't "complete" yet. Most notably, only one single credentials checker is implemented: #PAM. But as pam already allows pretty flexible configuration, I already consider this pretty useful 🙈

If you want to know more, read here:
https://github.com/Zirias/swad

#Documentation ... better start early I guess. What would you think of this sample #configuration file?

Hint: the tokens surrounded by %% will be replaced by my build system before installing this thing.

For context, this is a web #authentication service offering cookie+forms login meant for e.g. #nginx' "auth_request".

#C #coding

Alt...

swad sample configuration page 1/3

Alt...

swad sample configuration page 2/3

Alt...

swad sample configuration page 3/3

DId lots of smaller improvements to #swad ... but first, I had to hunt down a crash 🤯. Finally found it was caused by my #poser lib (to be fixed later): A connection there can resolve the hostname of a remote end and does so in a thread job to avoid blocking. If the connection dies meanwhile, the job is canceled. Seems my canceling mechanism relying on a signal to the thread is, well, not reliable (the signal can arrive delayed). Ok, for now just disabled name resolution to sidestep that.

Now, integration with #nginx is much better. I intrdoduced (optional) custom headers to transport the authentication realm and the redirect URI, plus state management in the session, so these can be passed to the "auth" endpoint. This requires to make sure nginx always passes the session #cookie, Unfortunately, I still need a "hacky" redirect configuration for login in nginx. If auth_request could just pass the response body, this would be unnecessary .... 🙄

The nginx configuration shows #swad running on "files" and another nginx running on "wwwint" serving #poudriere output there. This nginx instance helpfully adds cache hints, which I have to override, so a redirect works as expected when for example the swad session times out.

#C #coding

Alt...

Full nginx configuration integrating swad for authentication

Alt...

swad log output showing bots trying unauthenticated access

The Anubis project is still very fresh and got a sudden popularity, but it's definitely something to follow.

Hopefully I'm in the smolweb side and only shitpost, so I don't need it :D

I've set up my new #inkscape website AI bot tar-baby. It works by giving everyone a chance to not fall into it.

An anchor link that says "I am a bot" and links to /tar-baby/{datetime}/ it's got a fixed position at top -100px so should never be seen

The robots.txt says "Disallow: /tar-baby/" so if you were reading the robots, you'd know.

Then #nginx logs the requests to tar-baby/ to a log of their ip-addresses and browser strings and sends them a 301 redirect to google.com

#ai #Scraping

1/2

First "production test" successful 💪 ... after band-aid "deployment" (IOW, scp binaries to the prod jail).

#swad integrates with #nginx exactly as I planned it. And #PAM authentication using a child process running as root also just works (while the main process dropped privileges). 🥳

So, I guess I can say goodbye to #AI #bots hammering my poor DSL connection just to download poudriere build logs.

Still a lot to do for #swad: Make it nicer. So many ideas. Best start would probably be to implement more credentials checking modules besides PAM.

#C #coding

Alt...

nginx configuration fragment for my build logs, using authentication provided from my new service

Alt...

nginx configuration fragment integrating my new authentication service

Alt...

Syslog output of my new authentication service, and a process list output showing it's running as 'nobody', but with a pam helper running as 'root'

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #13/2025 is out!

It includes the following and much more:

➝ DNA of 15 Million People for Sale in #23andMe Bankruptcy,

➝ #Trump administration accidentally texted a journalist its war plans,

➝ Critical Ingress #NGINX controller vulnerability allows RCE without authentication,

➝ #Cyberattack hits Ukraine's state railway,

➝ Troy Hunt's Mailchimp account was successfully phished,

➝ #OpenAI Offering $100K Bounties for Critical #Vulnerabilities,

➝ #Meta AI is now available in #WhatsApp for users in 41 European countries... and cannot be turned off

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

https://infosec-mashup.santolaria.net/p/infosec-mashup-13-2025

Trying to come up with my own little self-hosted #http #authentication #daemon to work with #nginx' "authentication request" facility ... first step done! 🥳

Now I have a subset of HTTP 1.x implemented in #C, together with a dummy handler showing nothing but a static hello-world root document.

I know it's kind of stubborn doing that in C, but hey, #coding it is great fun 🙈

https://github.com/Zirias/swad

I just realized "basic auth" won't do it, because I'd effectively lock myself out when on my work notebook. That's because Microsoft decided basic auth is insecure. 🙄

Well, I still have some working C code somewhere that implements a simple HTTP/1.1 server which supports registering handlers for routes ... let's see whether I can use that to build some service to use with #nginx "auth_request", offering form+cookie auth with a PAM backend. Could after all be a fun project. 🙈

@bagder Wow. For a few months, I was wondering why I suddenly have bandwidth issues when activating my camera in MS Teams meetings, so others can't understand me any more.

A look into my #nginx logs seems to clarify. Bots are eagerly fetching my (partially pretty large) #poudriere build logs. 🧐 (#AI "watching shit scroll by"?)

I see GPTBot at least occassionally requests robots.txt, which I don't have so far. Other bots don't seem to be interested. Especially PetalBot is hammering my server. And there are others (bytedance, google, ...)

Now what? Robots.txt would actually *help* well-behaved bots here (I assume build logs aren't valuable for anything). The most pragmatic thing here would be to add some http basic auth in the reverse proxy for all poudriere stuff. It's currently only public because there's no reason to keep it private....

Have to admit I feel inclined to try one of the tarpitting/poisoning approaches, too. 😏

If you're running ingress-nginx in your Kubernetes cluster please take a look at this latest CVE details, it's a big one! Patches are out so please get updating as soon as you can!

https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/

#Kubernetes #Nginx #Ingress #CloudNative

@Edent > #Docker and #NGINX reverse proxy manager installed. Probably done that right. No idea if it'll survive a reboot.

Reboot now to check while you have all the context in your brain to fix it.

Right!

#JellyFin installed. Most of my media reorganised and indexed.

#Tailscale deleted. I can't be bothered running it 24/7 on my phone.

#Docker and #NGINX reverse proxy manager installed. Probably done that right. No idea if it'll survive a reboot.

#LetsEncrypt set up with Dynamic DNS. No SSL errors!

HD Streaming over 5G works - but will have to see how adaptive it is on shitty hotel WiFi.

Bit of a faff, but seems to be working. Next step is configuring a Fire Stick to work with it.

I am currently unable to find a way to get rid of the

# webfinger
location /.well-known/webfinger {
    proxy_pass http://localhost:8001;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
}

In my journey on #selfhosting and securing my VPS, I was able to setup #mTLS on #nginx , but on a Mac it’s barely usable.
Browser keeps asking for username and password to access system keychain, no matter what I do.
Am I missing something?

I was thinking about how it was possible to stop using a gem like HAProxy for so long. It used to be my go-to choice, but then I switched to using Nginx for everything, and I almost forgot about it.
Well, it’s great to reconnect with old friends!

#HAProxy #Nginx #SysAdmin

The #awk(1) AI bots have merged into a single Mecha; limiting the number of duplicated code line and speeding the process a bit. Also #nginx is now using a dedicated log format to ease the parsing process.

I think it can still be optimized using the mantra: no matter how, if you bug me, I’ll just chop your head off.

Question: Nginx or HAProxy as a reverse proxy? I’ve tested both. In some cases, I still need nginx, while in others, after a closer look, it’s not necessary.
Performance, etc.
Opinions from those who use/have used both?

#nginx #haproxy #reverseproxy #IT #SysAdmin

Really struggling getting an #nginx config to do what I want.

It's easy imho:

```
root /var/www/blank;

location /pma/ {
alias /path/to/phpmyadmin;
}

location / {
alias /path/to/my/webroot;
}

yet, it always keeps resolving paths from the root. I don't get it.

It's probably gotta be something really silly.

Dites, c'est possible d'observer le trafic FPM sur une socket ? J'ai un petit soucis avec NextCloud dans un cas bien spécifique. Au début c'était HAProxy qui posait problème, mais de ce côté c'est réglé. Par contre, j'ai #NGinX qui ferme la connexion vers HAProxy prématurément lors du #streaming d'un morceau de musique. Du coup je voudrais voir si c'est NGinX qui a un problème, ou #PHP #FPM ?
NGinX et PHP-FPM communiquent via une socket, sinon j'aurais tout simplement fait un tcpdump...

I'm doing a bit of my own server revamp and one of the points is a decision: stay with Nginx or switch to Caddy.
For my loads I could run bashttpd, so it's only about the comfort of setting up, configuring, is it secure enough and so on.

I went for a JSON format for caddyfile (to see what you could do) and it's prohibitevly bad admin-wise....

Sidenote, this exploration https://blog.tjll.net/reverse-proxy-hot-dog-eating-contest-caddy-vs-nginx/ shows that you want Nginx as your production proxy and Caddy for file delivery.

#Nginx #Caddy

New video out 🙂

Creating a #nginx #jail on #FreeBSD leveraging #bastilleBSD

Enjoy 😎

On #youtube
https://youtu.be/K_6OOLcghjg

On #Odysee
https://odysee.com/@YetanotherSysAdmin:0/Using-Bastille-to-create-Jails-on-FreeBSD:2

This afternoon, I got close to what I wanted to achieve in terms of load-balancing between the two #AI #sabots I have running.

I had originally planned to use #OpenBSD's #OpenHTTPD or #RelayD to do the job, but #HAProxy #PROXY protocol was the limiting factor… so I went #nginx instead.

One thing I haven't worked out yet, is how to pass the client IP by PROXY protocol to a HTTP back-end. Seems I can do it for a generic TCP stream, but not HTTP.

The alternative is to set X-Forwarded-For, and have the back-ends trust it, like they trust PROXY for the gateway's IPv4 address for #sniproxy.

But… it works, you can hit https://sabot.vk4msl.com/ and you'll either get sabot01 (which uses nepenthes) or sabot02 (which uses iocaine). Since neither cares about the URI, I can bounce the client between them.

This did get me thinking though, if enough of us did it, we could have a #AISabotAsAService for websites to redirect/link to when they think they're being scraped by an AI bot.

We could provide a pool of servers that would provide the link maze. Front-end proxies would just bounce you between all the pool members, feeding your bot nonsense.

It appears that running #nginx as a load-balancer on #OpenBSD can sometimes cause the host to run away and seize up… to the point that `sshd` either times out or refuses connections … and serial console will ask for a username, then hang rather than asking for a password.

I got my father to power cycle the router, but no dice, the machine did not recover.

So one house call later, turns out a file in /var was causing fsck_ffs to barf.

One `fsck_ffs` later, a reboot, and we were back on-air.

I logged in and disabled/stopped `nginx`, and now back at base, I've deployed a new VM to act as the load balancer. Thus, if it prangs that machine up, who cares… I can remote reset it.

ouch

nginx 1.27.4 out

#nginx

Alt...

[nginx-announce] nginx-1.27.4 Sergey Kandaurov pluknet at nginx.com Wed Feb 5 17:10:26 UTC 2025 Previous message (by thread): [nginx-announce] njs-0.8.9 Next message (by thread): [nginx-announce] nginx-1.26.3 Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] Changes with nginx 1.27.4 05 Feb 2025 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache", "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and "uwsgi_ssl_certificate_cache" directives. *) Feature: the "keepalive_min_timeout" directive. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: QUIC connection might not be established when using 0-RTT; the bug had appeared in 1.27.1. *) Bugfix: nginx now ignores QUIC version negotiation packets from clients. *) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. -- Sergey Kandaurov

https://it-notes.dragas.net/2025/02/08/caching-snac-proxied-media-with-nginx/

#Data #Fediverse #Hosting #ITNotes #Networking #Nginx #NoteHUB #Ownyourdata #Server #Snac #Snac2 #Social #Tipsandtricks #Tutorial #Web

https://it-notes.dragas.net/2025/02/08/caching-snac-proxied-media-with-nginx/

#Data #Fediverse #Hosting #ITNotes #Networking #Nginx #NoteHUB #Ownyourdata #Server #Snac #Snac2 #Social #Tipsandtricks #Tutorial #Web

Caching snac Proxied Media with Nginx

https://it-notes.dragas.net/2025/02/08/caching-snac-proxied-media-with-nginx/

#Data #Fediverse #Hosting #ITNotes #Networking #Nginx #NoteHUB #Ownyourdata #Server #Snac #Snac2 #Social #Tipsandtricks #Tutorial #Web

https://it-notes.dragas.net/2025/02/08/caching-snac-proxied-media-with-nginx/

#Data #Fediverse #Hosting #ITNotes #Networking #Nginx #NoteHUB #Ownyourdata #Server #Snac #Snac2 #Social #Tipsandtricks #Tutorial #Web

Switching and properly tuning my nginx config seems to be (mostly) shielding my little VPS from being overwhelmed when someone with thousands of followers boosts one of my posts.

#snac #fediverse #activitypub #openbsd #nginx #httpd

The cert for forums.nginx.org is still expired.

#nginx

https://it-notes.dragas.net/2025/01/29/improving-snac-performance-with-nginx-proxy-cache/

Improving snac Performance with Nginx Proxy Cache

https://it-notes.dragas.net/2025/01/29/improving-snac-performance-with-nginx-proxy-cache/

#Data #Fediverse #FreeBSD #Hosting #ITNotes #Networking #Nginx #NoteHUB #OwnYourData #Server #Snac #Snac2 #Social #TipsAndTricks #Tutorial #Web

https://it-notes.dragas.net/2025/01/29/improving-snac-performance-with-nginx-proxy-cache/

#Data #Fediverse #Freebsd #Hosting #ITNotes #Networking #Nginx #NoteHUB #Ownyourdata #Server #Snac #Snac2 #Social #Tipsandtricks #Tutorial #Web

Publishing a photo of approximately 4MB from my snac instance (at home with 20 Mbit/sec uplink) meant overwhelming everything.
This happened because, for every remote instance, Nginx was requesting the multimedia file from snac. However, due to saturated connections, it took several seconds, leading to thread exhaustion in snac.
I resolved this issue by caching the multimedia files myself using Nginx, which significantly improved performance.

This matter will be covered in a subsequent (simple) blog post.

#snac #snac2 #nginx #SelfHosting #OwnYourData

Any #nginx devs here?

The cert for https://forum.nginx.org has expired.

Hey #sysadmin people! What is your "go to" monitoring tool? Prometheus/Grafana? Uptime-Kuma? *shiver* DataDog?

Anything with nice graphs? I'm looking for something to monitor machines with the possibility to get into the nitty-gritty of PHP/Web/Nginx/MySQL type of monitoring. All the stuff that lets you delve into it seems to be commercial (think: NewRelic, etc)

There has to be decent FOSS tools for this kind of thing, isn't there?

#ServerMonitoring #PHP #MySQL #Nginx #Foss

Calling all experienced #nginx users! 🚒

Can you help tidying up the DokuWiki Nginx guide?

https://www.dokuwiki.org/install:nginx

Please be bold in editing! Remove any clutter, streamline instructions, and make it shine!