When I look at the "reason to join" people supply, I'm mighty glad that the @w3c Mastodon instance requires approval for sign-up!
Plus, it's the one barrier that exists to prevent spamming bots.
Approval required for sign-up should be the default!
Denial-of-service attack against Misskey-based instances
@fediadminbr@lemmy.eco.br
The ongoing attack exploits a recently discovered vulnerability and also affects software such as Sharkey and IceShrimp (but not only those).
Fixes are already being worked on and will be released as soon as they are available. Update as soon as they come out.
🔗 Via: https://enby.life/notes/a0svl0qpmi
@fediadminbr@a.gup.pe
@fediadminbr@lemmy.eco.br
Content warning: Defederation recommended, problematic content attached
poa.st users are incredibly racist and support NAZIs. Admins literally don't care
Heads up but there is a new release of Sharkey dropping tomorrow that fixes a critical security vulnerability and all admins are encouraged to upgrade ASAP so expect some downtime tomorrow.
#FediAdmin #NSFWadmin #SharkeyAdmin
Well this is frustrating. Running pnpm run build to build the latest version of #Sharkey is causing one of my servers to spontaneously reboot.
Five identical servers. Five identical setups and configurations, but of course the one server that has the most users has been spontaneously rebooting. Even rescaled the server and gave it more resources and it still spontaneously rebooted.
So now I'm downloading and uploading a 560MB tarball (sans the .config directory) across Starlink to push the new version up and hoping and praying that pnpm run migrate doesn't cause the server to reboot as well.
I've genuinely never seen this before where compiling a nodejs project caused a server to spontaneously reboot.
#FediAdmin
#FediAdmin / #MastoAdmin --
I've modified my rate-limiting setup a little more now that I better understand how nginx's rate-limiting module works in practice.
I have moved my limit_req_zone parameters into my nginx.conf within the http { ... } configuration block:
limit_req_status 429;
limit_req_zone $binary_remote_addr zone=inbox:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=api:10m rate=8r/s;
limit_req_zone $binary_remote_addr zone=notes:10m rate=2r/s;
inbox with an enforced rate of 1 req/s (/inbox)
api with an enforced rate of 8 req/s (/api/)
notes with an enforced rate of 2 req/s (/notes/)
The sites-available config for my instances now looks like this:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

proxy_cache_path /tmp/nginx_cache_bofh levels=1:2 keys_zone=cache1:16m max_size=6g inactive=720m use_temp_path=off;

server {
    listen 80;
    listen [::]:80;
    server_name bofh.social;

    # For SSL domain validation
    root /var/www/html;
    location /.well-known/acme-challenge/ { allow all; }
    location /.well-known/pki-validation/ { allow all; }
    location / { return 301 https://$server_name$request_uri; }

    access_log /var/log/nginx/bofh-social-access.log;
    error_log /var/log/nginx/bofh-social-error.log;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name bofh.social;

    ssl_session_timeout 1d;
    ssl_session_cache shared:ssl_session_cache:10m;
    ssl_session_tickets off;

    # To use Let's Encrypt certificate
    ssl_certificate /etc/letsencrypt/live/bofh.social/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bofh.social/privkey.pem;

    # SSL protocol settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Change to your upload limit
    client_max_body_size 99m;

    # Gzip compression
    gzip on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # Proxy to Node
    location / {
        proxy_pass http://REDACTED:3000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # For WebSocket
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Cache settings
        proxy_cache cache1;
        proxy_cache_lock on;
        proxy_cache_use_stale updating;
        add_header X-Cache $upstream_cache_status;
    }

    location /inbox {
        limit_req zone=inbox nodelay;
        proxy_pass http://REDACTED:3000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location /notes {
        limit_req zone=notes;
        proxy_pass http://REDACTED:3000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location /api {
        limit_req zone=api;
        proxy_pass http://REDACTED:3000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    access_log /var/log/nginx/bofh-social-access.log;
    error_log /var/log/nginx/bofh-social-error.log;
}
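As an added illustration (not code from this or any other post on the page), a small Python model of the leaky-bucket accounting behind nginx's limit_req, applied to the inbox and api zones from the post above; it also goes beyond the post by showing what burst= and nodelay change. The zone rates come from the post; the client address and request timings are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    """Model of one limit_req_zone plus the limit_req directive that uses it.

    Mirrors ngx_http_limit_req_module: per key nginx stores (last_ms, excess), with
    excess in thousandths of a request. Every request adds 1000; elapsed time drains
    rate*1000 per second. excess above burst*1000 -> rejected (limit_req_status, 429
    in the post); 0 < excess <= burst*1000 -> accepted but delayed unless nodelay.
    """
    rate: int                  # r/s from limit_req_zone, e.g. rate=1r/s
    burst: int = 0             # limit_req ... burst=N; 0 when the directive omits it
    nodelay: bool = False      # limit_req ... nodelay
    state: dict = field(default_factory=dict)  # key -> (last_ms, excess)

    def request(self, key: str, now_ms: int) -> tuple[str, int]:
        """Account one request; returns (verdict, delay_ms)."""
        if key not in self.state:            # first hit from this key: always accepted
            self.state[key] = (now_ms, 0)
            return ("ok", 0)
        last_ms, excess = self.state[key]
        rate_ms = self.rate * 1000
        excess = max(0, excess - rate_ms * (now_ms - last_ms) // 1000 + 1000)
        if excess > self.burst * 1000:
            return ("rejected", 0)           # nginx leaves the state untouched on rejection
        self.state[key] = (now_ms, excess)
        if excess > 0 and not self.nodelay:
            return ("delayed", excess * 1000 // rate_ms)
        return ("ok", 0)


def demo_inbox() -> list[str]:
    """zone=inbox as in the post (rate=1r/s, nodelay, no burst): four deliveries
    250 ms apart from one remote server (constructed address)."""
    zone = LimitReqZone(rate=1, nodelay=True)
    return [zone.request("198.51.100.20", t)[0] for t in (0, 250, 500, 1000)]


def demo_api(burst: int, nodelay: bool) -> list[tuple[str, int]]:
    """zone=api as in the post (rate=8r/s) hit by ten API calls in the same
    millisecond, which is what a mass-delete fan-out looks like to the proxy."""
    zone = LimitReqZone(rate=8, burst=burst, nodelay=nodelay)
    return [zone.request("198.51.100.20", 0) for _ in range(10)]
```

With burst=0 the excess can never sit between 0 and the burst, so nodelay on the inbox zone changes nothing; it only has an effect once burst= is set.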
Why should I expect #Mastodon would actually be a good network citizen and abide by standard HTTP status codes?
I'm rate-limiting the FUCK out of Mastodon and responding to the absolute insane amount of traffic I'm getting hammered with right now with an HTTP/429 status code, and what is Mastodon doing?
Ignoring the fuck out of it.
The client (in this case the remote Mastodon server) is supposed to immediately BACK OFF its requests when it receives a 429 status code and what is Mastodon doing instead?
INCREASING THE RATE OF REQUESTS TO MY SERVER.
Jesus goddamn motherfucking wank-stains!
I swear to bacon that Mastodon is the biggest goddamn piece of shit software that has ever been created.
#FediAdmin #MastoAdmin #Administrivia
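Added example, not from any post on this page: a Python report over nginx access-log lines that checks, per source address, whether a client slowed down after the first 429 it received, so "it kept hammering" becomes a number rather than an impression. The log lines, addresses, timestamps and user-agent strings are constructed; the format is nginx's default combined log format.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one server keeps sending after 429s, another backs off.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Nov/2024:12:00:00 +0000] "POST /inbox HTTP/1.1" 202 0 "-" "Mastodon/4.2 (+https://mastodon.example/)"
198.51.100.20 - - [12/Nov/2024:12:00:01 +0000] "POST /inbox HTTP/1.1" 202 0 "-" "Mastodon/4.2 (+https://mastodon.example/)"
198.51.100.20 - - [12/Nov/2024:12:00:02 +0000] "POST /inbox HTTP/1.1" 429 0 "-" "Mastodon/4.2 (+https://mastodon.example/)"
198.51.100.20 - - [12/Nov/2024:12:00:03 +0000] "POST /inbox HTTP/1.1" 202 0 "-" "Mastodon/4.2 (+https://mastodon.example/)"
198.51.100.20 - - [12/Nov/2024:12:00:03 +0000] "POST /inbox HTTP/1.1" 429 0 "-" "Mastodon/4.2 (+https://mastodon.example/)"
198.51.100.20 - - [12/Nov/2024:12:00:04 +0000] "POST /inbox HTTP/1.1" 202 0 "-" "Mastodon/4.2 (+https://mastodon.example/)"
198.51.100.20 - - [12/Nov/2024:12:00:04 +0000] "POST /inbox HTTP/1.1" 429 0 "-" "Mastodon/4.2 (+https://mastodon.example/)"
198.51.100.20 - - [12/Nov/2024:12:00:04 +0000] "POST /inbox HTTP/1.1" 429 0 "-" "Mastodon/4.2 (+https://mastodon.example/)"
192.0.2.5 - - [12/Nov/2024:12:00:00 +0000] "POST /inbox HTTP/1.1" 202 0 "-" "Akkoma/3.x (+https://polite.example/)"
192.0.2.5 - - [12/Nov/2024:12:00:00 +0000] "POST /inbox HTTP/1.1" 429 0 "-" "Akkoma/3.x (+https://polite.example/)"
192.0.2.5 - - [12/Nov/2024:12:00:05 +0000] "POST /inbox HTTP/1.1" 202 0 "-" "Akkoma/3.x (+https://polite.example/)"
"""

# $remote_addr - $remote_user [$time_local] "$request" $status ... (combined format)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')


def parse(log: str):
    """Yield (ip, timestamp, status) for every line that matches the combined format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["status"])


def rate(stamps) -> float:
    """Requests per second over the span covered, at the log's one-second resolution."""
    return len(stamps) / ((max(stamps) - min(stamps)).total_seconds() + 1)


def backoff_report(log: str) -> dict:
    """Per IP: request/429 counts and the request rate before vs from the first 429 on."""
    by_ip = defaultdict(list)
    for ip, ts, status in parse(log):
        by_ip[ip].append((ts, status))
    report = {}
    for ip, hits in by_ip.items():
        hits.sort()
        first_429 = next((i for i, (_, s) in enumerate(hits) if s == 429), None)
        before = [t for t, _ in hits[:first_429]]          # whole list when no 429 was sent
        after = [t for t, _ in hits[first_429:]] if first_429 is not None else []
        report[ip] = {
            "requests": len(hits),
            "rejected": sum(1 for _, s in hits if s == 429),
            "rate_before": round(rate(before), 2) if before else None,
            "rate_after": round(rate(after), 2) if after else None,
            "backed_off": (rate(after) < rate(before)) if before and after else None,
        }
    return report
```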
Attention #FediAdmins (this includes #Mastodon, #Sharkey, #Pleroma, etc.) -
To avoid getting #DDOS'd by Mastodon's flood of API requests if a user suddenly decides to delete 30k of their posts on their account, you can take advantage of the built-in #nginx rate-limiting. I've been experimenting with it all day today.
The following is my nginx config for one of my instances, so feel free to modify for your own needs!
# For WebSocket
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

proxy_cache_path /tmp/nginx_cache_bofh levels=1:2 keys_zone=cache1:16m max_size=6g inactive=720m use_temp_path=off;
limit_req_zone $binary_remote_addr zone=post:10m rate=1r/s;

server {
    listen 80;
    listen [::]:80;
    server_name bofh.social;

    # For SSL domain validation
    root /var/www/html;
    location /.well-known/acme-challenge/ { allow all; }
    location /.well-known/pki-validation/ { allow all; }
    location / { return 301 https://$server_name$request_uri; }

    access_log /var/log/nginx/bofh-social-access.log;
    error_log /var/log/nginx/bofh-social-error.log;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name bofh.social;

    ssl_session_timeout 1d;
    ssl_session_cache shared:ssl_session_cache:10m;
    ssl_session_tickets off;

    # To use Let's Encrypt certificate
    ssl_certificate /etc/letsencrypt/live/bofh.social/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bofh.social/privkey.pem;

    # SSL protocol settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Change to your upload limit
    client_max_body_size 99m;

    # Gzip compression
    gzip on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # Proxy to Node
    location / {
        proxy_pass http://REDACTED:3000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # For WebSocket
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Cache settings
        proxy_cache cache1;
        proxy_cache_lock on;
        proxy_cache_use_stale updating;
        add_header X-Cache $upstream_cache_status;
    }

    location /inbox {
        limit_req zone=post;
        proxy_pass http://REDACTED:3000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location /api/ {
        limit_req zone=post;
        proxy_pass http://REDACTED:3000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    access_log /var/log/nginx/bofh-social-access.log;
    error_log /var/log/nginx/bofh-social-error.log;
}
This is a problem, and another shining example of just how inefficient #Mastodon is.
We got DDoS'd because ... "a user with 8k followers and 33k posts, so if they mass-delete posts it will generate a whole lot of activity... "
Da fuq?
6000 requests an hour is not an acceptable rate. 47,000 MORE requests that we received after we blocked the source IP in our WAF is not an acceptable amount of traffic either. #Mastodon needs to seriously cut this back. We're not even a SMALL instance, hosted on low-end infrastructure.
Un-fucking-believable.
Going to ask my co-admin to submit a feature request to @Sharkey@shonk.social to request to rate limit incoming requests from servers.
Fucking bullshit.
#MastoAdmin #FediAdmin #DDOS #Administrivia
ANARCHY PRIDE EMOJI PACK RELEASE!!!
our wonderful cyberpunk.lol moderator @rachaelspooky has put together the coolest fuckin emoji pack ever!!! chock full of anarchist symbols mixed with pride flags!!!!!! there's NINETY-SIX emojis in it
free to download here https://rachael.cafe/anarchy_pride.zip
consider donating to faer venmo! link and more info at https://cyberpunk.lol/@rachaelspooky/113500146952543645
#anarchy #anarchism #emoji #pride #FediAdmin