helvede.net is one of the many independent Mastodon servers you can use to participate in the fediverse.

#nginx


GRRRR!!!

I just spent the last hour of my life chasing round in circles just because #nginx wouldn't serve up my css file for some reason. I forced the mime types in the nginx config and everything...

Weirdly, Chrome was fine but Firefox wasn't when loading this?

Anyway, turns out the reason why is because nginx has this *14 year old* bug that means it falls apart whenever there's a dash in a file name. Wtf?! How has no one looked at that yet 😫

Just released: #swad v0.2

SWAD is the "Simple Web Authentication Daemon", meant to add #cookie #authentication with a simple #login form and configurable credential checker modules to a reverse #proxy that supports delegating authentication to a backend service, like e.g. #nginx' "auth_request". It's a very small piece of software written in pure #C with as few external dependencies as possible. It requires some #POSIX (or "almost POSIX", like #Linux, #FreeBSD, ...) environment, OpenSSL (or LibreSSL) for TLS and zlib for response compression.

Currently, the only credential checker module available offers #PAM authentication, more modules will come in later releases.

swad 0.2 brings a few bugfixes and improvements, especially helping with security by rate-limiting the creation of new sessions as well as failed login attempts. Read details and grab it here:

github.com/Zirias/swad/release

New features:

Configurable rate-limits for new session creation
Configurable rate-limits for failed login attempts (per session, realm and user name)
Configurable types of proxy headers (X-Forward...

Released: #swad v0.1 🥳

Looking for a simple way to add #authentication to your #nginx reverse proxy? Then swad *could* be for you!

swad is the "Simple Web Authentication Daemon", written in pure #C (+ #POSIX) with almost no external dependencies. #TLS support requires #OpenSSL (or #LibreSSL). It's designed to work with nginx' "auth_request" module and offers authentication using a #cookie and a login form.

Well, this is a first release and you can tell by the version number it isn't "complete" yet. Most notably, only one single credentials checker is implemented: #PAM. But as pam already allows pretty flexible configuration, I already consider this pretty useful 🙈

If you want to know more, read here:
github.com/Zirias/swad

Simple Web Authentication Daemon. Contribute to Zirias/swad development by creating an account on GitHub.

I've set up my new #inkscape website AI bot trap. It works by giving everyone a chance to not fall into it.

An anchor link that says "I am a bot" and links to /P3W-451/{datetime}/. It's got a fixed position at top -100px, so it should never be seen.

The robots.txt says "Disallow: /P3W-451/" so if you were reading the robots, you'd know.

Then #nginx logs the requests to a log of their IP addresses and browser strings and sends them a 301 redirect to google.com

#ai #Scraping

1/2
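
The trap described in the post above, sketched as an nginx configuration. This is an added example, not the poster's own config; the server name, log path, the `bottrap` log format name and the sample anchor markup are assumptions.

```nginx
# Goes in the http {} context. Only the /P3W-451/ prefix, the robots.txt rule
# and the 301 to google.com come from the post; everything else is assumed.

# One line per trap hit: timestamp, client address, browser string, requested path.
log_format bottrap '$time_iso8601 $remote_addr "$http_user_agent" "$request_uri"';

server {
    listen 80;
    server_name example.org;            # placeholder host

    # Page templates carry the off-screen link (constructed markup):
    #   <a href="/P3W-451/2025-01-01T00:00:00/"
    #      style="position:fixed;top:-100px">I am a bot</a>

    # Crawlers that read robots.txt are told to stay out of the trap prefix.
    location = /robots.txt {
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /P3W-451/\n";
    }

    # ^~ makes this prefix win over any regex locations, so every trap URL
    # (whatever {datetime} it carries) is logged separately and redirected.
    location ^~ /P3W-451/ {
        access_log /var/log/nginx/bot-trap.log bottrap;
        return 301 https://www.google.com/;
    }
}
```

Because the `{datetime}` part of the path lands in `$request_uri`, each log line also shows when the page carrying that link was rendered, which helps tell a fresh crawl from a replay of an old link list.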

Replied in thread

First "production test" successful 💪 ... after band-aid "deployment" (IOW, scp binaries to the prod jail).

#swad integrates with #nginx exactly as I planned it. And #PAM authentication using a child process running as root also just works (while the main process dropped privileges). 🥳

So, I guess I can say goodbye to #AI #bots hammering my poor DSL connection just to download poudriere build logs.

Still a lot to do for #swad: Make it nicer. So many ideas. Best start would probably be to implement more credentials checking modules besides PAM.

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #13/2025 is out!

It includes the following and much more:

➝ DNA of 15 Million People for Sale in #23andMe Bankruptcy,

#Trump administration accidentally texted a journalist its war plans,

➝ Critical Ingress #NGINX controller vulnerability allows RCE without authentication,

#Cyberattack hits Ukraine's state railway,

➝ Troy Hunt's Mailchimp account was successfully phished,

#OpenAI Offering $100K Bounties for Critical #Vulnerabilities,

#Meta AI is now available in #WhatsApp for users in 41 European countries... and cannot be turned off

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

infosec-mashup.santolaria.net/


Trying to come up with my own little self-hosted #http #authentication #daemon to work with #nginx' "authentication request" facility ... first step done! 🥳

Now I have a subset of HTTP 1.x implemented in #C, together with a dummy handler showing nothing but a static hello-world root document.

I know it's kind of stubborn doing that in C, but hey, #coding it is great fun 🙈

github.com/Zirias/swad

Replied in thread

@bagder Wow. For a few months, I was wondering why I suddenly have bandwidth issues when activating my camera in MS Teams meetings, so others can't understand me any more.

A look into my #nginx logs seems to clarify. Bots are eagerly fetching my (partially pretty large) #poudriere build logs. 🧐 (#AI "watching shit scroll by"?)

I see GPTBot at least occasionally requests robots.txt, which I don't have so far. Other bots don't seem to be interested. Especially PetalBot is hammering my server. And there are others (bytedance, google, ...)

Now what? Robots.txt would actually *help* well-behaved bots here (I assume build logs aren't valuable for anything). The most pragmatic thing here would be to add some http basic auth in the reverse proxy for all poudriere stuff. It's currently only public because there's no reason to keep it private....

Have to admit I feel inclined to try one of the tarpitting/poisoning approaches, too. 😏

After a lot of tinkering, we finally made it to the latest release of the #nginx ingress controller on the mstdn.dk cluster. The latest release addresses no less than FOUR #CVE records. Critical configuration areas had changed, the GeoIP database had to be cached to avoid rate limiting and the #LUA engine needed some tweaks before it could handle the relatively large number of TLS certificates we're using in the cluster, but we finally made it. Sorry about the hiccups. We're trying to keep expenses from going through the roof, so we've skipped the test setup in favor of gently tweaking things in production. Usually that goes well, but there is the rare exception.

Somewhat related, the #KubeCon / #KubeConEU #Kubernetes conference is next week, which means I'll be in #London for the first time for an entire week. Any suggestions for things worth visiting for a bunch of #nerds? :D


This morning it came to light that a vulnerability in the Kubernetes Ingress NGINX Controller (ingress-nginx) allows malicious actors to carry out unauthenticated remote code execution (RCE).

All organizations that use ingress-nginx should patch it to version 1.11.5 as soon as possible. More info can be found at: advisories.ncsc.nl/advisory?id

Continued thread

Right!

#JellyFin installed. Most of my media reorganised and indexed.

#Tailscale deleted. I can't be bothered running it 24/7 on my phone.

#Docker and #NGINX reverse proxy manager installed. Probably done that right. No idea if it'll survive a reboot.

#LetsEncrypt set up with Dynamic DNS. No SSL errors!

HD Streaming over 5G works - but will have to see how adaptive it is on shitty hotel WiFi.

Bit of a faff, but seems to be working. Next step is configuring a Fire Stick to work with it.

Ooof. Integrating #iocaine with #NixOS's #nginx module is... hacky, at best.

The way to use iocaine with nginx is to have a block like this near the top of the server block:

if ($badagent) {
  rewrite ^ /.well-known/@iocaine;
  break;
}

But that is something the NixOS nginx module makes virtually impossible, unless you only use services.nginx.virtualHosts.<name>.extraConfig or .locations.<name>.extraConfig. That, in turn, makes a large part of the module unusable.

Mind you, this is not too different from the Caddy NixOS module: I need to use .extraConfig there too. The difference is, I have to do that anyway.

Coming up on my task list is getting multiple/different containers running on a single domain using subdomains… can that work?

So app1.example.com is one Podman container and app2.example.com is a different Podman container… (both using port 80)

I’ve found this guide I might try, but if you have a better way please let me know!

➡️ redhat.com/en/blog/podman-ngin

www.redhat.com: How to create multidomain web applications with Podman and Nginx. Managing different applications from different domains on the same host can be difficult when using different ports. When a colleague suggested I write an ar...