Testing out #tebi object storage with #nginx caching in front of it instead of #backblaze #b2 with #cloudflare.
@fanf Sure that does make sense. I'll try to verify jmeter indeed doesn't reuse connections (I already have debug logging in place that should tell me).
If that's really the reason, I guess the sane thing to do is to add a hint to the docs to just disable TLS for very busy sites. The intended use case for #swad is operation behind #nginx to serve its "auth_request". I don't intend to implement HTTP/2 or beyond, but it would be pretty pointless here anyways, nginx defaults to HTTP/1.0 for proxy requests and can be configured to use HTTP/1.1 instead, but *still* doesn't reuse connections by default, and my experiments so far to enable it weren't successful, maybe I didn't fully understand it yet. Using TLS behind nginx would make sense from a "defense in depth" point of view, but it's probably impractical once your load exceeds a certain threshold.
For background on how I arrived there, I observed stupid #AI #scraper #bots clog my DSL connection by downloading gigabytes of build logs produced by my #poudriere. They're not secret in any way and having a simple way to share them is great for community bug hunting, but this had to stop. I had a simple C library doing a fully portable reactor event loop on top of select (so, not really scalable), and some very limited HTTP/1.1 server code from experiments with Tor hidden services ... so I put that together to add some web-form + cookies auth to my private nginx to lock out the bots. Later, I added a "guest login" doing the same "proof of work" stuff known from #anubis, and then I suddenly had the idea in mind to make my little service (that already solved the problem perfectly for myself) suitable for large-scale installations. So, added kqueue, epoll etc. support, added a "multi-reactor with acceptor-connector" design, etc. ... and now I'm a bit frustrated enabling TLS spoils all the performance.
Ok how cool is this?
I have one IPv4 address and want to terminate TLS/HTTPS on different machines depending on the hostname.
It turns out Nginx can detect the hostname and route the traffic without having the cert/terminating the traffic. Magic!
https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
New version of Ultimate Block List to Stop #AI #Bots. Version 1.5 features 20+ new bots, improved regex/pattern-matching, and rules formatted for #Nginx
https://perishablepress.com/ultimate-ai-block-list/
New fun for AI/LLM scrapers...
return 301 http://www.worldslongestwebsite.com;
Not sure if you guys noticed but I haven't posted an article to The Bryant Blog since last Saturday. That's because I've been working on this beast.
#blog #selfhosting #opnsense #proxmox #reverseproxy #nginx @nextcloud
https://gardinerbryant.com/opnsense-nginx-reverse-proxy-for-your-homelab/
The #s390x open source software team at IBM confirms the latest versions of various software packages run well on #Linux on #IBMZ & #LinuxONE
In April 2025 validation was maintained for over 40 projects, including #Apache Hbase, HashiCorp #Consul and #nginx
Plus, community CI was added for zaars, V (programming lang), & Exiv2
Full report + how your project can apply for a s390x VM: https://community.ibm.com/community/user/blogs/elizabeth-k-joseph1/2025/05/29/linuxone-open-source-report-april-2025
I want Anubis to be used only for /search.php (and maybe /commit.php) - and I can't figure out how to do that. #nginx help please
UPDATE: Thx to the replies, I implemented the change for all my domains, did a `certbot renew --dry-run` and that succeeded. Yay to a cleaner config :)
#NerdQuestion. When I move {server [...] } blocks in `/etc/nginx/nginx.conf` to separate files in the `/etc/nginx/conf.d` directory, will certbot still find them and will automatic renewals just keep working as before? Anyone with experience on that?
Have been thinking about #webdev and how much I hate Google and #WordPress .
I've put together a "CMS" that is basically a couple template files that will use server side includes, and some grep/sed aliases for editing them.
I skipped most of the history of web development from about 1999 to 2022 ... can anyone wise in the ways of #http and #nginx tell me if there are any pressing security or other reasons I should not take this approach nowadays?
For a static site.
What's the simplest #server that can take a fetch() post statement (uploading a blob) from a static #JavaScript in the browser?
Something #nginx or OneDrive, Google Drive, JottaCloud or something else?
Edit: /etc/nginx/mime.types
Add: "text/markdown; charset=utf-8" md;
(note the quote marks around the string)
Don't forget: service nginx reload
In case anyone else is left wondering how to have #nginx serve markdown .md files in utf-8, instead of basic ascii.
Just released: #swad 0.11 -- the session-less swad is done!
Swad is the "Simple Web Authentication Daemon", it adds cookie/form #authentication to your reverse #proxy, designed to work with #nginx' "auth_request". Several modules for checking credentials are included, one of which requires solving a crypto challenge like #Anubis does, to allow "bot-safe" guest logins. Swad is written in pure #C, compiles to a small (200-300kiB) binary, has minimal dependencies (zlib, OpenSSL/LibreSSL and optionally libpam) and *should* work on many #POSIX-alike systems (#FreeBSD tested a lot, #Linux and #illumos also tested)
This release is the first one not to require a server-side session (which consumes a significant amount of RAM on really busy sites), instead signed JSON Web Tokens are now implemented. For now, they are signed using HMAC-SHA256 with a random key generated at startup. A future direction could be support for asymmetric keys (RSA, Ed25519), which could open up new possibilities like having your reverse proxy pass the signed token to a backend application, which could then verify it, but still not forge it.
Read more, grab the latest .tar.xz, build and install it ... here:
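Added example (not part of the post above and not swad's code): a minimal Python sketch of the stateless scheme the 0.11 announcement describes, a JSON Web Token signed with HMAC-SHA256 under a random key generated at startup. The function names and the `sub`/`exp` claims are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_key():
    # Random per-process key, as in the post: a restart invalidates all tokens.
    return secrets.token_bytes(32)


def sign(claims, key):
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify(token, key, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        # Pin the algorithm server-side; never let the token pick it ("none").
        if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
            return None
        signed = (head_b64 + "." + body_b64).encode()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        # Constant-time comparison, and only then parse the claims.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
        return claims if claims["exp"] > now else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None
```

With a shared HMAC key, any party able to call `verify` can also call `sign`, which is the limitation the asymmetric-key idea in the post would remove.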
Just released: #swad 0.10
https://github.com/Zirias/swad/releases/tag/v0.10
Swad is the "Simple Web Authentication Daemon". If you're looking for a way to add #authentication (and/or proof-of-work access as known from #anubis) to your #nginx reverse proxy -- without adding yet another reverse proxy -- swad could be for you! It's written in pure #C, has few external dependencies (just zlib, and optionally OpenSSL/LibreSSL and/or libpam) and compiles to a pretty small binary. It's designed for usage with nginx' 'auth_request'.
Swad is tested on #FreeBSD, some basic functionality tests were also done on #Linux and #illumos (descendant from #solaris). It *should* build and work on most #POSIX-alike systems.
This release mainly brings performance improvements and a few bugfixes. It's now stress-tested with Apache jmeter, verifying it can deal with at least 1000 requests per second on my personal (somewhat limited) FreeBSD host machine.
Our shop relies on #FOSS for almost everything:
#debian #GNULinux is our operating system.
#inkscape, #gimp, #krita, #imageMagick, #darkTable, #scribus are our tools.
Our website is handwritten HTML/CSS running on an on-prem server with #hugo and #nginx (launching in June).
We contribute to the #eff and #wikicommons.
To the developers, contributors and maintainers, we salute you!
I'm really surprised that a well-developed product like #Varnish doesn't support connecting to its upstream using TLS.
There are quite a few workarounds, but it just seems a bit odd.
I'm exploring the idea of serving the contents of an S3 bucket while maintaining a short-lived cache. It shouldn't be too challenging, right?
I might just fall back to #NGINX.
Ok, I think I managed to fix the caching config for Skythread in Nginx so that things are always reloaded and not cached after I make a deploy
Does this make sense? (index.html is patched on deploy to link to e.g. /skythread.js?123123 where 123123 is timestamp of deploy)