Perhyte

It also means that ALL traffic incoming on a specific port of that VPS can only go to exactly ONE private wireguard peer. You could avoid both of these issues by having the reverse proxy on the VPS (which is why cloudflare works the way it does), but I prefer my https endpoint to be on my own trusted hardware.

For TLS-based protocols like HTTPS you can run a reverse proxy on the VPS that only looks at the SNI (server name indication) which does not require the private key to be present on the VPS. That way you can run all your HTTPS endpoints on the same port without issue even if the backend server depends on the host name.

This StackOverflow thread shows how to set that up for a few different reverse proxies.

It’s the right-most one, partially hiding behind the T in HEIMAT.

If there happens to be some mental TLS handshake RCE that comes up, chances are they are all using the same underlying TLS library so all will be susceptible…

Among common reverse proxies, I know of at least two underlying TLS stacks being used:

• Nginx uses OpenSSL.
  • This is probably the one you thought everyone was using, as it’s essentially considered to be the “default” TLS stack.
• Caddy uses crypto/tls from the Go standard library (which has its own implementation, it’s not just a wrapper around OpenSSL).
  • This is in all likelihood also the case for Traefik (and any other Go-based reverse proxies), though I did not check.

There was some kind of incident between the artist and a camera woman. The exact details aren’t public, AFAIK.

It’s nice in theory, but I’ve had very little luck using it for the last few days.

I wouldn’t be surprised if whatever instances it picks to send people to are soon afterwards rate limited because demand is too high relative to supply.

Aurora is no longer maintained, but it still works just fine. It’s a Windows app, so not web-accessible or anything, but it’s free. It only contains the SRD content by default (probably for legal reasons), but there’s at least one publicly-accessible elements repository for it that you can find using your favorite search engine.

… or it might incentivize more employees to cover up those illegal things happening because they don’t want to get fired.

That domain currently hosts a “this domain may be for sale” page, but it’s been registered since 2005 so it’s definitely not because of this post.

There may not have been much to tell until it actually started, which was one day before the start of this month (modulo time zones, it was held in UTC+04).

It’s an annual thing apparently (except during the height of the pandemic) and this was the 28th time, hence the “28” in the name. Presumably they’ll hold COP29 next year, and now you’ve heard of that one about a year beforehand! 😛

AFAIK docker-compose only puts the container names in DNS for other containers in the same stack (or in the same configured network, if applicable), not for the host system and not for other systems on the local LAN.

I have a similar setup.

Getting the DNS to return the right addresses is easy enough: you just set your records for subdomain * instead a specific subdomain, and then any subdomain that’s not explicitly configured will default to using the records for *.

Assuming you want to use Let’s Encrypt (or another ACME CA) you’ll probably want to make sure you use an ACME client that supports your DNS provider’s API (or switch DNS provider to one that has an API your client supports). That way you can get wildcard TLS certificates (so individual subdomains won’t still leak via Certificate Transparency logs). Configure your ACME client to use the Let’s Encrypt staging server until you see a wildcard certificate on your domains.

Some other stuff you’ll probably want:

• A reverse proxy to handle requests for those subdomains. I use Caddy, but basically any reverse proxy will do. The reason I like Caddy is that it has a built-in ACME client as well as a bunch of plugins for DNS providers including my preferred one. It’s a bit tricky to set this up with wildcard certificates (by default it likes to request individual subdomain certificates), but I got it working and it’s been running very smoothly since.
• To put a login screen before each service I’ve configured Caddy to only let visitors through to the real pages (or the error page, for unconfigured domains) if Authelia agrees.

I believe on the free ARM instances you get 1Gbps per core (I’ve achieved over 2Gbps on my 4-core instance, which was probably limited by the other side of the connections). What you say may be correct for the AMD instances though.

For the ARM instances they’re a gigabit per OCPU, which you can get 4 of for free (assuming you’re lucky enough with availability), so you can theoretically get 4Gbps for free.

I assume you mean the table on the last page of the paper, which indeed shows WireGuard is safe against the second attack.

If you go back one page (to page 17) it has another table for the first attack. That one is less positive about WireGuard:

• The good: On Linux/Android, WireGuard is safe against that one.
• The bad: MacOs and iOs WireGuard are marked as vulnerable to that first attack.
• The ugly: Windows is marked as “local traffic blocked” which presumably means the attack failed but so does the connection they tried to attack.

Not so much a standard as in “everyone should actually use the internet at this speed” but more as in “the bare minimum level, everyone should have at least this speed available (and we’ll help pay to upgrade people stuck at slower speeds)”, I believe.

It was still a low speed for that of course. It apparently hadn’t been raised since the Obama administration (2015).

Rural internet speeds are often… not comparable to more densely populated areas, shall we say. My (European) perspective: I had about ~3 Mbit down (over ADSL) until I moved about a decade ago (on a good day, while paying for “up to 40 Mbit” (IIRC) that the line apparently just could not physically deliver to my house). Meanwhile, 1 km along the road people in town had cable internet (~100 Mbit down).

Luckily, both populations have since benefited from a fiber rollout by a smaller telco, but people in town still got that upgrade about 5 years sooner and without paying a ~€2k connection fee. AFAIK there are still areas in my country where ADSL is the best available…

We did build stuff on ActivityPub: Lemmy, Kbin, Mastodon etc. are all based on that underlying protocol.

Because you need a way to be reachable over HTTPS for other instances to be able to securely send you updates (new posts/comments/votes etc.), so you need a trusted certificate. While HTTPS does not strictly require a domain name¹ it vastly simplifies the process.

¹: It’s possible to get a trusted certificate for an IP address, but not nearly as easy as getting one for a domain. And it’s probably also more expensive than just getting a domain and using Let’s Encrypt to get a certificate.

You can only federate via tor or i2p if both sides support those protocols, because for federation to work between two nodes both nodes need to be able to initiate connections to the other. That means one-way bridges like tor exit nodes are not sufficient.

I’d guess most Fediverse servers don’t support either of those protocols, so any new server trying to federate solely through them would have an extremely limited view of the Fediverse.

Though I suppose theoretically nothing is really preventing a motivated group of server admins from setting up a parallel “dark Fediverse” containing only onion sites.

To be fair, those first three points fall squarely under that “charging cable/accessory situations” exception. With Apple, it turns out that’s a pretty broad exception.

It was the third time. Rutte I, III, and IV all fell, but Rutte II served its entire term (though there were still some interim changes in its composition due to a few resignations of individual ministers).