I'd say nobody. Not putting innocent people in jail is more important than punishing criminals imo. But idk what to do with the guilty half instead.
Setup reverse proxy authentication for Synology DiskStations.
Hey everyone,
My personal server of choice is a DiskStation right now, and I'm using the default reverse proxy for all my subdomains. I went through a few stages to secure them, and now that I'm finally finished (famous last words heh?!) I thought I'd document my approach and provide some configs and code. I've seen a few unanswered questions here and there about how to do this on Synology, so hopefully this helps a few people.
The guide covers limiting access to local IPs, as well as adding Basic or SSO authentication. The main goal is to integrate well with the GUI and access control profiles, and to leave all existing and autogenerated files untouched, so updates and changes via the GUI still work as expected.
Here is the basic idea:
> The nginx server config is located in /etc/nginx/, and the reverse proxies are defined in the sites-available/server.ReverseProxy.conf file inside that folder. There's one server directive for every proxied site, and the DSM config adds an include .acl.<random string>.conf* directive if you set up an access control profile for a site. That * at the end there is crucial, because it means we can manually add more configuration files with the same prefix, and they will automatically be included and applied to all sites using this access control profile.
>
> There are also include directives for the main and http scopes, as well as for the default DSM server directives. This means we can inject configurations in these places, just by adding correctly named files to the conf.d folder.
>
> For Single Sign-On (SSO) authentication we run a Vouch-Proxy instance to handle the communication between nginx and the OIDC server. We also need to spin up another nginx reverse proxy and forward requests to it, because the built-in one doesn't support the required auth_request directive. Its container script just copies the default reverse proxy configuration with some modifications, and it is set up to reload whenever the original file changes.
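An added check, not part of the original post: since protection depends on each site's server block carrying the .acl.<random string>.conf* include, this script lists every proxied site and flags the ones without an access control profile. The function names, hostnames, ports and the include path in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: list each proxied site and whether it pulls in an
# access control profile via an ".acl.<id>.conf*" include.

# audit_acl FILE -> prints "<server_name> protected|open" per server block
audit_acl() {
    awk '
    { sub(/#.*/, "") }                       # drop comments
    depth == 0 && /^[ \t]*server[ \t]*[{]/ { in_srv = 1; name = "(unnamed)"; acl = 0 }
    in_srv && /^[ \t]*server_name[ \t]/ {
        line = $0
        sub(/^[ \t]*server_name[ \t]+/, "", line)
        sub(/[ \t]*;.*/, "", line)
        split(line, parts, /[ \t]+/); name = parts[1]
    }
    in_srv && /include[ \t]+[^;]*[.]acl[.][^;]*[.]conf[*][ \t]*;/ { acl = 1 }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (in_srv && depth == 0) {
            print name, (acl ? "protected" : "open"); in_srv = 0
        }
    }
    ' "$1"
}

# write_sample FILE -> constructed config; hostnames, ports and the include
# path are made up, only the ".acl.<id>.conf*" naming comes from the post.
write_sample() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name photos.example.com;
    include conf.d/.acl.EXAMPLE0001.conf*;
    location / { proxy_pass http://localhost:8080; }
}
server {
    listen 443 ssl;
    server_name notes.example.com;   # no access control profile assigned
    location / { proxy_pass http://localhost:8081; }
}
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
audit_acl "$tmp"
rm -f "$tmp"
```

On the DiskStation itself, point audit_acl at /etc/nginx/sites-available/server.ReverseProxy.conf; any site reported as open is reachable without the restrictions added through the profile's extra config files.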
Maybe take a look at Appflowy. It's another Notion clone like Anytype, but it's much easier to selfhost.
No, it really doesn't. That's like creating a bot that buys and sells company shares automatically, and saying the stock exchange has a vulnerability because your bot makes bad decisions.
I just set up a Vouch-Proxy for this yesterday. It uses the nginx auth_request directive to authenticate users with an SSO server, and then stores the token in a domain-wide cookie, so you're logged in across all subdomains. Works pretty well so far, you don't even notice it when you're logged in to your SSO provider.
But you do have to tell the proxy where you want to redirect a request somehow, either by subdomain (illegal.yourdomain.com) or port (yourdomain.com:8787) or path (yourdomain.com/illegal). I'm not sure if it works with raw IPs as hosts, but you can add additional restrictions like only allowing local client IPs.
In my special case I'm using the local Synology SSO server, and I have to spin up an additional nginx server because the built-in one doesn't support auth_request.
Can't talk for the free tier, but my Usenet account comes bundled with a paid Privado account, and that's working ok so far. The connections have been reliable, fast, and low latency.
My main issue has been that it doesn't support port forwarding. Also, some GeoIP services locate many of their servers in the Netherlands, instead of where Privado says they are. Idk who's right, but it's definitely a problem if you want to pick a specific location.
What's absurd is this crypto maximalist take.
You can't just make up your own permission and punishment system, and then expect the legal system to just step aside and let it handle all disputes, especially when it comes to fraud. That's like founding your own city in an existing country, and declaring all existing law obsolete. I know some people think this is a real possibility, but the real world doesn't work like that.
IANAL and all, but bad/unfavorable contracts and literal deception/fraud are two different things, at least in the legal system. Not everything that's technically possible is also allowed, obviously.
Compare it to using a security flaw to hack into a system. Technically you're only using the official API, maybe in unusual ways, but still. But you're doing it in bad faith and causing harm, maybe pretending to be someone you're not or injecting fake data into the system, and that can make a difference.
It's not. They tricked some MEV-Boost bots into doing bad trades.
Here is a more detailed explanation of the exploit.
The Peraire-Bueno brothers exploited a bug in MEV-boost's code that allowed them to preview the content of blocks before they were officially delivered to validators, according to the indictment.
The brothers created 16 Ethereum validators and targeted three specific traders who operated MEV bots, the indictment said. They used bait transactions to figure out how those bots traded, lured the bots to one of their validators which was validating a new block and basically tricked these bots into proposing certain transactions. [...]
So hardly an attack on any core system of cryptocurrencies.
Why stop half way? All you need is a benevolent dictator, shouldn't be too hard to find, right?
Some of these points are good, some are just absurd. Letting "the state" handle everything and hold all the cards, and then actually believing that it won't be coerced and corrupted or that there won't be strong disagreements about how to handle things is just delusional and wishful thinking on a grand scale imo.
I agree that most modern countries need to strengthen the public sector, but you still need checks and balances between powers, individual responsibilities and freedoms, real-world economic feedback and incentives, and so on.
I hope at that point we have enough capable alternatives. Like, hopefully around the time they add ads is also the time when open-source models and apps have caught up again.
You have to provide the user, group and file name as the next three guesses, just trust me!
They could just choose someone to send to the debate, doesn't have to be a candidate for the presidency.
I'm no fan of the right, but some of the rules only exist to prevent smaller alternatives from getting traction, especially in the media.
It's a group therapy called !linux@lemmy.ml, we always have free seats!
If you have an always-on-and-connected device then you can self-host their bridges. It preserves e2ee because messages are de- and reencrypted on your device, and it's relatively easy to set up.
It can be a bit annoying sometimes, but there are solutions for almost anything, like alternative clients and frontends. I also think it's important to remember that this is not an all-or-nothing situation. Every little bit of privacy you can preserve helps, even if you still have to use their services sometimes.
If your example is mostly about chat then Beeper might be a good option for you. The messages on FB and IG would still go through Meta, but at least you don't have to install their apps.
Yea, it's pretty easy if you already have a server. All you need to do is run a docker container, and change the identity.sync.tokenserver.uri setting in about:config. On mobile you have to enable the debug mode by going to "Settings > About Firefox" and tapping the Firefox logo a few times, then go to the new "Sync Debug" settings entry.
The container above only runs the sync-server though, you still have to log into a Mozilla account to use it. There is a replacement that includes the whole stack, but I haven't tried that one yet.
So I know what AC3 means of course, but what does AC3D mean in some releases?