Hercules

joined 2 years ago
[–] Hercules@lemmy.world 1 points 2 months ago

Path is part of the HTTP protocol. Most firewalls only parse the first couple of layers (ethernet->ip->tcp/udp), not HTTP as well, unless they do deep packet inspection. Idk if openwrt/banip has that functionality.

I don't think OpenWrt can do this. I'm running k3s with nginx as ingress but the issue is it doesn't see the actual IP but rather the IP of the container, so I can't use nginx to block countries.

[–] Hercules@lemmy.world 1 points 2 months ago

That is what I currently have set up, but cert-manager is giving me a headache and not working correctly, so I'm looking into HTTP instead since it's easier to set up.

 

Hey,

I'm using OpenWrt with banIP to only allow certain countries to access my services. I'm not familiar with banIP and I'm having issues finding documentation about it, so that's why I came here.

I need to allow a certain path to allow cert-manager to get me new certificates using HTTP challenges. If I'm not mistaken I have to allow the path: .well-known/acme-challenge/*.

Is there an option to allow this from any country but block all other requests?

My current config is as follows:

root@OpenWrt:~# uci show | grep ban
banip.global=banip
banip.global.ban_enabled='0'
banip.global.ban_debug='0'
banip.global.ban_autodetect='1'
banip.global.ban_allowlistonly='1'
banip.global.ban_fetchcmd='curl'
banip.global.ban_protov4='1'
banip.global.ban_ifv4='wan'
banip.global.ban_protov6='1'
banip.global.ban_ifv6='wan6'
banip.global.ban_dev='eth0'
banip.global.ban_fetchretry='5'
banip.global.ban_nicelimit='0'
banip.global.ban_filelimit='1024'
banip.global.ban_deduplicate='1'
banip.global.ban_nftpriority='-100'
banip.global.ban_icmplimit='25'
banip.global.ban_synlimit='10'
banip.global.ban_udplimit='100'
banip.global.ban_nftpolicy='memory'
banip.global.ban_nftretry='5'
banip.global.ban_blockpolicy='drop'
banip.global.ban_nftloglevel='warn'
banip.global.ban_logprerouting='0'
banip.global.ban_loginbound='1'
banip.global.ban_logoutbound='0'
banip.global.ban_loglimit='100'
banip.global.ban_autoallowlist='1'
banip.global.ban_autoallowuplink='subnet'
banip.global.ban_autoblocklist='1'
banip.global.ban_country='us'
banip.global.ban_logterm='Exit before auth from' 'luci: failed login' 'error: maximum authentication attempts exceeded' 'received a suspicious remote IP .*'
banip.global.ban_vlanallow='br-lan'
banip.global.ban_allowurl='https://www.ipdeny.com/ipblocks/data/aggregated/be-aggregated.zone' 'https://www.ipdeny.com/ipv6/ipaddresses/aggregated/be-aggregated.zone'
banip.global.ban_geoip='1'
banip.global.geoip_src='dbip'
banip.global.geoip_mode='allowlist'
banip.global.ban_feeds='country:US' 'country:US' 'geoip:US'
banip.global.ban_all='1'
banip.global.allow_country='US'
banip.global.ban_feedin='country'
banip.global.ban_feed='hagezi' 'tor' 'vpn'
wireless.radio0.band='2g'
wireless.radio1.band='5g'

Thanks for your time and have a great day!

[–] Hercules@lemmy.world 2 points 2 months ago (1 children)

Oh that is actually a great idea thanks!

[–] Hercules@lemmy.world 1 points 2 months ago (4 children)

Very valid point.

I'm actually running k3s on it, so I'm not looking for any NAS-specific OS. But if I had picked a more general OS like Fedora this issue might not have appeared. The reason I picked Alpine is that since everything is running in containers I don't need any fancy OS, I just need to install k3s. But apparently Alpine can cause some issues :D

[–] Hercules@lemmy.world 1 points 2 months ago (6 children)

Oh, I just did ethtool -I eth0 and now it does show up as being able to do 1G.

k3s-alpine-lap-6:~# ethtool -I eth0
Settings for eth0:
	Supported ports: [ TP	 MII ]
	Supported link modes:   10baseT/Half 10baseT/Full
	                        100baseT/Half 100baseT/Full
	                        1000baseT/Full
	Supported pause frame use: Symmetric Receive-only
	Supports auto-negotiation: Yes
	Supported FEC modes: Not reported
	Advertised link modes:  10baseT/Half 10baseT/Full
	                        100baseT/Half 100baseT/Full
	                        1000baseT/Full
	Advertised pause frame use: Symmetric Receive-only
	Advertised auto-negotiation: Yes
	Advertised FEC modes: Not reported
	Link partner advertised link modes:  10baseT/Half 10baseT/Full
	                                     100baseT/Half 100baseT/Full
	                                     1000baseT/Full
	Link partner advertised pause frame use: No
	Link partner advertised auto-negotiation: Yes
	Link partner advertised FEC modes: Not reported
	Speed: 1000Mb/s
	Duplex: Full
	Auto-negotiation: on
	master-slave cfg: preferred slave
	master-slave status: slave
	Port: Twisted Pair
	PHYAD: 0
	Transceiver: external
	MDI-X: Unknown
	Supports Wake-on: pumbg
	Wake-on: d
	Link detected: yes
	Link Down Events: 2
[–] Hercules@lemmy.world 1 points 2 months ago (7 children)

As an additional troubleshooting step I connected a known working device to the cable and was able to get 1GB.

[–] Hercules@lemmy.world 1 points 2 months ago (8 children)
  1. I'm not 100% certain but I assume yes. I'm trying to set it up as a NAS. I just did setup-alpine, rebooted it and placed it in my basement. It should have services consistently running on it like sshd, k3s, ... which become unavailable/available every few minutes.
  2. Except for a keyboard that I used for troubleshooting, no USB devices are connected. Should I attach a USB device to see if it gets unmounted?
  3. I noticed this as well, which is quite strange since it is connected using a Cat 5e cable, which should be able to do 1G. The cable is connected to a gigabit switch, so that also shouldn't be the problem. As far as cabling and switching are concerned, everything should be able to do 1G.

If you need additional information let me know!

[–] Hercules@lemmy.world 3 points 2 months ago

I did the step I mentioned above but this wasn't able to solve my issue :(

[–] Hercules@lemmy.world 1 points 2 months ago* (last edited 2 months ago) (1 children)

Thanks for your reply! This is a path I wanna look into. Just to confirm that I'm understanding correctly: running /sbin/modprobe -i r8169 && sleep 1 && /usr/sbin/ethtool --set-eee eth0 eee off and then rebooting is what I should try, right?

[–] Hercules@lemmy.world 1 points 2 months ago

Additional information: I'm on Alpine 3.22.3. If this is an Alpine-specific issue I'm able to switch distros, but I prefer not to if it isn't needed.

 

Hello Lemmy,

I'm trying to troubleshoot a connection issue to my laptop, which is connected using the built-in ethernet port. The connection drops sometimes for a few minutes and then I'm able to connect again.

This is the port being used:

k3s-alpine-lap-6:~# lspci -nn | grep -i ethernet
0000:01:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev 16)

Some information about the drivers being used:

k3s-alpine-lap-6:~# ethtool -i eth0
driver: r8169
version: 6.12.76-0-lts
firmware-version: rtl8168h-2_0.0.2 02/26/15
expansion-rom-version:
bus-info: 0000:01:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no

Some information I found using dmesg:

[   10.535868] Bridge firewalling registered
[   29.478495] usb 3-1: USB disconnect, device number 2
[   30.635978] atkbd serio0: Unknown key pressed (translated set 2, code 0xd8 on isa0060/serio0).
[   30.635990] atkbd serio0: Use 'setkeycodes e058 <keycode>' to make it known.
[   30.645244] atkbd serio0: Unknown key released (translated set 2, code 0xd8 on isa0060/serio0).
[   30.645256] atkbd serio0: Use 'setkeycodes e058 <keycode>' to make it known.
[   55.836493] EXT4-fs (sda): mounted filesystem f9742482-7e09-4460-a10d-81c5f5abaf23 r/w with ordered data mode. Quota mode: none.
[  347.743005] Initializing XFRM netlink socket
[  354.759146] eth0: renamed from tmp5fca0
[  354.898482] eth0: renamed from tmp375a5
[  354.930148] eth0: renamed from tmpaf7f3
[  354.970131] eth0: renamed from tmpc035d
[  356.883835] eth0: renamed from tmp68492
[  518.679868] Key type trusted registered
[  518.745372] Key type encrypted registered
[  518.750554] device-mapper: uevent: version 1.0.3
[  518.750614] device-mapper: ioctl: 4.48.0-ioctl (2023-03-01) initialised: dm-devel@lists.linux.dev
[  599.682490] hrtimer: interrupt took 24965 ns
[  832.545952] r8169 0000:01:00.0 eth0: Link is Down
[  845.527825] r8169 0000:01:00.0 eth0: Link is Up - 100Mbps/Full - flow control off
[  846.467804] r8169 0000:01:00.0 eth0: Link is Down
[  848.089514] r8169 0000:01:00.0 eth0: Link is Up - 100Mbps/Full - flow control off
[ 2407.857541] r8169 0000:01:00.0 eth0: Link is Down
[ 2420.398450] r8169 0000:01:00.0 eth0: Link is Up - 100Mbps/Full - flow control off

I'm not knowledgeable about these types of issues, so I'm not even sure the driver is the issue.

Does someone have a similar experience or know what could cause this issue? I would love to hear it! Have a great day!

(I'm sorry my post isn't very specific about the issue, but I'm not sure how I could better start troubleshooting this.)

[–] Hercules@lemmy.world 4 points 3 months ago

Civil War, can recommend

[–] Hercules@lemmy.world 1 points 11 months ago
  1. Simply don't run an exit node (from home).
  2. Run your relay, no matter the type, on a cheap VPS that's Tor-friendly.
 

Hello,

I'm planning on running a PostgreSQL server on my k3s cluster using the bitnami/postgresql Helm chart & container image. I already set it up for testing and it works really well.

But since newer versions of Immich are moving to VectorChord, I would like to install this extension so I can move my Immich database to this PostgreSQL server.

I already tried to search how I should/could install an extension in the bitnami/postgresql image, but I haven't found something useful to me. I'm not a PostgreSQL expert, so maybe I missed some stuff :).

If someone has experience with this or knows in which direction I should look, I would greatly appreciate it.

Thanks for your time and have a wonderful day!

EDIT: Could someone explain to me why I'm getting downvotes for this post? Is the way I wrote it not good? Is it a bad question? Is the software I mentioned unpopular?

6
submitted 11 months ago* (last edited 11 months ago) by Hercules@lemmy.world to c/selfhosted@lemmy.world
 

Hello,

I have a little homelab that contains a 3-node k3s cluster which I'm pretty happy about, but I've got some questions regarding ingress.

Right now I use nginx as ingress controller and I have the IP of one of the nodes defined under externalIPs. All the nodes are behind the router my ISP gave me, so this is nothing special; in this router I configured it to forward port 443 to port 443 of that IP. This all works as expected: I'm able to access the ingress resources that I want.

But I wanna make some improvements to this setup and I'm honestly not really sure how I could implement this.

  1. Highly available ingress. When the node which has the IP of the ingress controller goes down, I'm unable to reach my cluster's ingress since my router can't forward the traffic. What's the best way to configure all 3 nodes to be able to receive ingress traffic? (If needed I'm able to put it behind something like OpenWrt or OPNsense, but not sure if this is needed.)
  2. Some ingress resources I only want to expose on my local network. I read online that I can use nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.0.0/24, but this doesn't work, I think because the ingress doesn't receive the client's actual IP; rather it receives an internal k3s IP. Or is there another way to only allow certain IPs to access an ingress resource?

Could someone point me in the right direction for these improvements I wanna make? If you need more information you can always ask!

Thanks for your time and have a great day!
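As an added example (not from the post or the ingress-nginx project), this is the configuration shape that makes the whitelist-source-range annotation in question 2 actually enforceable: the allow-list can only work once the controller sees the real client address, which is what externalTrafficPolicy: Local on the controller's Service provides. The namespace, Service name, selector labels, node IP, hostname and backend Service are assumptions; adjust them to your release.

```yaml
# Added example: ingress-nginx controller Service plus a LAN-only Ingress.
# Assumed names: namespace "ingress-nginx", Service "ingress-nginx-controller",
# node IP 192.168.0.10 (constructed), backend Service "app" on port 8080.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  # Keeping the node-IP-in-externalIPs approach from the post; NodePort is used
  # so the Service type is one that clearly accepts externalTrafficPolicy.
  type: NodePort
  externalIPs:
    - 192.168.0.10            # constructed node address, replace with yours
  # The default ("Cluster") may SNAT traffic on its way to a pod on another
  # node, so nginx logs a node or CNI address and any source-IP allow-list
  # silently matches the wrong address. "Local" only delivers to controller
  # pods on the node that received the packet and keeps the client IP intact.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: https
      port: 443
      targetPort: https
    - name: http
      port: 80
      targetPort: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: lan-only-app
  namespace: default
  annotations:
    # With the real source address now reaching nginx, requests from outside
    # this prefix get a 403 from the controller instead of reaching the app.
    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/24"
spec:
  ingressClassName: nginx
  rules:
    - host: app.home.example     # assumed hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app         # assumed backend Service
                port:
                  number: 8080
```

With Local policy, only nodes that run a controller pod answer on the external address, so pair it with a DaemonSet (or a pod on every node) if you later spread ingress over all three nodes for question 1; verify the result by checking that the controller's access log shows a 192.168.0.x client address rather than a 10.x pod or node address.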

 

Hello, I'm trying to host a backup solution on my k8s cluster for my Linux and Windows clients. I would like it to use HTTPS so it's easy to manage ingress. Does someone have any recommendations? Thanks.

EDIT: a requirement I forgot is that it is meant for multiple users, but idk if that's possible.

 

My server is currently running Fedora and it has an encrypted RAID attached. Now I wanna move my server to NixOS but I can't find anything on how to automount it. Any advice? Thanks for your time and have a nice day!
