I thought I was joking when I started writing that. But.. trivial extra overhead, fortune's ready to apt-get install. My little web service front-end is #nginx + #FastAPI in #Python.
It'd be nothing to make a reject filter for bad URIs that aren't valid for this system and return subprocess.getoutput() and write what's returned back to the curious caller.
Some of the code calling is surely logging weird replies it gets. That'd be fun.
Not high priority fun, but on the list.
Проброс сайта, не имеющего глобального IP-а́дреса, из локальной сети на свой сервер в Интернете (обратный прокси) через сеть Yggdrasil
https://multed.com/2024/04/03/nginx-and-yggdrasill.html
DId lots of smaller improvements to #swad ... but first, I had to hunt down a crash 
. Finally found it was caused by my #poser lib (to be fixed later): A connection there can resolve the hostname of a remote end and does so in a thread job to avoid blocking. If the connection dies meanwhile, the job is canceled. Seems my canceling mechanism relying on a signal to the thread is, well, not reliable (the signal can arrive delayed). Ok, for now just disabled name resolution to sidestep that.
Now, integration with #nginx is much better. I intrdoduced (optional) custom headers to transport the authentication realm and the redirect URI, plus state management in the session, so these can be passed to the "auth" endpoint. This requires to make sure nginx always passes the session #cookie, Unfortunately, I still need a "hacky" redirect configuration for login in nginx. If auth_request could just pass the response body, this would be unnecessary .... 
The nginx configuration shows #swad running on "files" and another nginx running on "wwwint" serving #poudriere output there. This nginx instance helpfully adds cache hints, which I have to override, so a redirect works as expected when for example the swad session times out.
I've set up my new #inkscape website AI bot trap. It works by giving everyone a chance to not fall into it.
An anchor link that says "I am a bot" and links to /P3W-451/{datetime}/ it's got a fixed position at top -100px so should never be seen
The robots.txt says "Disallow: /P3W-451/" so if you were reading the robots, you'd know.
Then #nginx logs the requests to a log of their ip-addresses and browser strings and sends them a 301 redirect to google.com
1/2
First "production test" successful 
... after band-aid "deployment" (IOW, scp binaries to the prod jail).
#swad integrates with #nginx exactly as I planned it. And #PAM authentication using a child process running as root also just works (while the main process dropped privileges). 
So, I guess I can say goodbye to #AI #bots hammering my poor DSL connection just to download poudriere build logs.
Still a lot to do for #swad: Make it nicer. So many ideas. Best start would probably be to implement more credentials checking modules besides PAM.
Si ça continue, nous bloquerons Azure, AWS et consort 
I finally poked at my nginx logs, because generally nothing happens on my servers
202.155.137.157 - - [30/Mar/2025:00:53:00 +0100] "GET /mirrors-JapanMapTranslate-github/patch/bin/kanaconv/HiraganaConverterImpl.class?id=c1c09efe21a09ecbd6f95641c8a0086ec538ae39 HTTP/1.1" 200 663 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/312.5 (KHTML, like Gecko) Safari/312.3"
yeah... yeah... ok... this bitch is accessing ONE specific file as Power PC Mac OS X ???
get the fuck outta here.
% Information related to '202.155.137.0/24AS212238'
route: 202.155.137.0/24
origin: AS212238
descr: CV. Rumahweb Indonesia
Jl. Arimbi No. 482
Kel. Banguntapan, Kec. Banguntapan
mnt-by: MAINT-CRI-ID
last-modified: 2025-02-25T00:03:14Z
source: APNIC
Latest issue of my curated #cybersecurity and #infosec list of resources for week #13/2025 is out!
It includes the following and much more:
➝ DNA of 15 Million People for Sale in #23andMe Bankruptcy,
➝ #Trump administration accidentally texted a journalist its war plans,
➝ Critical Ingress #NGINX controller vulnerability allows RCE without authentication,
➝ #Cyberattack hits Ukraine's state railway,
➝ Troy Hunt's Mailchimp account was successfully phished,
➝ #OpenAI Offering $100K Bounties for Critical #Vulnerabilities,
➝ #Meta AI is now available in #WhatsApp for users in 41 European countries... and cannot be turned off
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end 
https://infosec-mashup.santolaria.net/p/infosec-mashup-13-2025
Trying to come up with my own little self-hosted #http #authentication #daemon to work with #nginx' "authentication request" facility ... first step done!
Now I have a subset of HTTP 1.x implemented in #C, together with a dummy handler showing nothing but a static hello-world root document.
I know it's kind of stubborn doing that in C, but hey, #coding it is great fun 
I just realized "basic auth" won't do it, because I'd effectively lock myself out when on my work notebook. That's because Microsoft decided basic auth is insecure.
Well, I still have some working C code somewhere that implements a simple HTTP/1.1 server which supports registering handlers for routes ... let's see whether I can use that to build some service to use with #nginx "auth_request", offering form+cookie auth with a PAM backend. Could after all be a fun project.
@bagder Wow. For a few months, I was wondering why I suddenly have bandwidth issues when activating my camera in MS Teams meetings, so others can't understand me any more.
A look into my #nginx logs seems to clarify. Bots are eagerly fetching my (partially pretty large) #poudriere build logs. 
(#AI "watching shit scroll by"?)
I see GPTBot at least occassionally requests robots.txt, which I don't have so far. Other bots don't seem to be interested. Especially PetalBot is hammering my server. And there are others (bytedance, google, ...)
Now what? Robots.txt would actually *help* well-behaved bots here (I assume build logs aren't valuable for anything). The most pragmatic thing here would be to add some http basic auth in the reverse proxy for all poudriere stuff. It's currently only public because there's no reason to keep it private....
Have to admit I feel inclined to try one of the tarpitting/poisoning approaches, too. 
Das ActivityPub-Plugin für WordPress erfordert, dass bestimmte URLs funktionieren. Das trifft insbesondere auf Multisite-Instanzen mit Unterverzeichnissen zu. Erfahre, wie du deinen nginx konfigurieren musst, damit es funktioniert.
https://epiph.yt/blog/2025/activitypub-in-nginx-multisite-mit-unterverzeichnissen/
After a lot of tinkering, we finally made it to the latest release of the #nginx ingress controller on the https://mstdn.dk cluster. The latest release addresses no less than FOUR #CVE records. Critical configuration areas had changed, the GeoIP database had to be cached to avoid rate limiting and the #LUA engine needed some tweaks before it could handle the relative large number of TLS certificates we're using in the cluster, but we finally made it. Sorry about the hick-ups. We're trying to keep expenses from going through the roof, so we've skipped the test setup in favor of gently tweaking things in production. Usually that goes well, but there is the rare exception.
Somewhat related, the #KubeCon / #KubeConEU #Kubernetes conference is next week, which means I'll be in #London for the first time for an entire week. Any suggestions for things worth visiting for a bunch of #nerds? :D
Package updates for #rke2 including fixes for the #nginx #ingress #vulnerability are on their way to @opensuse #Tumbleweed. This means rke2 as well as the flavors for Kubernetes 1.31, 1.30 and 1.29.
"IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX"
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
Just discovered this open source tool screeenly that takes screenshots of webpages. (Found it when I was looking at what bots were hitting my site via my nginx logs).
Vanochtend is aan het licht gekomen dat een kwetsbaarheid in de Kubernetes Ingress NGINX Controller (ingress-nginx) kwaadwillenden in staat stelt een ongeauthenticeerde remote code execution (RCE) uit voeren.
Alle organisaties die gebruik maken van ingress-nginx dienen deze zo snel mogelijk te patchen naar versie 1.11.5. Meer info vind je op: https://advisories.ncsc.nl/advisory?id=NCSC-2025-0095
