lingo.lol is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for linguists, philologists, and other lovers of languages.


#proxy


Just released: #swad 0.11 -- the session-less swad is done!

Swad is the "Simple Web Authentication Daemon"; it adds cookie/form #authentication to your reverse #proxy, designed to work with #nginx' "auth_request". Several modules for checking credentials are included, one of which requires solving a crypto challenge like #Anubis does, to allow "bot-safe" guest logins. Swad is written in pure #C, compiles to a small (200-300kiB) binary, has minimal dependencies (zlib, OpenSSL/LibreSSL and optionally libpam) and *should* work on many #POSIX-alike systems (#FreeBSD tested a lot, #Linux and #illumos also tested).

This release is the first one not to require a server-side session (which consumes a significant amount of RAM on really busy sites); instead, signed JSON Web Tokens are now implemented. For now, they are signed using HMAC-SHA256 with a random key generated at startup. A future direction could be support for asymmetric keys (RSA, ED25519), which could open up new possibilities like having your reverse proxy pass the signed token to a backend application, which could then verify it, but still not forge it.

Read more, grab the latest .tar.xz, build and install it ... here: 😎

github.com/Zirias/swad


theintercept.com/2025/05/22/in This is a #privacy nightmare that's turned into a total disaster. If this were my #government doing this, I'd seek to give as little information to all companies as possible. Avoid all social media, and if you don't, use only #anonymous accounts with a #proxy. Use #adblockers on every device. Network-wide ad blocking would be ideal. Ditch #Apple and #Google products, install #Grapheneos, avoid connecting to cell towers and use only wifi. Proxy all data connections. 1/2

The Intercept · U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal DataBy Sam Biddle

Just released: #swad v0.3!

github.com/Zirias/swad/release

swad is the "Simple Web Authentication Daemon", your tiny, efficient and (almost) dependency-free solution to add #cookie + login #form #authentication to whatever your #reverse #proxy offers. It's written in pure #C, portable across #POSIX platforms. It's designed with #nginx' 'auth_request' in mind; example configurations are included.

This release brings a file-based credential checker in addition to the already existing one using #PAM. Also lots of improvements, see details in the release notes.

I finally added complete build instructions to the README.md:

github.com/Zirias/swad

And there's more documentation available: manpages as well as a fully commented example configuration file.

Just released: #swad v0.2

SWAD is the "Simple Web Authentication Daemon", meant to add #cookie #authentication with a simple #login form and configurable credential checker modules to a reverse #proxy that supports delegating authentication to a backend service, like e.g. #nginx' "auth_request". It's a very small piece of software written in pure #C with as few external dependencies as possible. It requires some #POSIX (or "almost POSIX", like #Linux, #FreeBSD, ...) environment, OpenSSL (or LibreSSL) for TLS and zlib for response compression.

Currently, the only credential checker module available offers #PAM authentication, more modules will come in later releases.

swad 0.2 brings a few bugfixes and improvements, especially helping with security by rate-limiting the creation of new sessions as well as failed login attempts. Read details and grab it here:

github.com/Zirias/swad/release

This afternoon, I got close to what I wanted to achieve in terms of load-balancing between the two #AI #sabots I have running.

I had originally planned to use #OpenBSD's #OpenHTTPD or #RelayD to do the job, but #HAProxy #PROXY protocol was the limiting factor… so I went #nginx instead.

One thing I haven't worked out yet is how to pass the client IP by PROXY protocol to an HTTP back-end. Seems I can do it for a generic TCP stream, but not HTTP.

The alternative is to set X-Forwarded-For, and have the back-ends trust it, like they trust PROXY for the gateway's IPv4 address for #sniproxy.

But… it works, you can hit sabot.vk4msl.com/ and you'll either get sabot01 (which uses nepenthes) or sabot02 (which uses iocaine). Since neither cares about the URI, I can bounce the client between them.

This did get me thinking though, if enough of us did it, we could have a #AISabotAsAService for websites to redirect/link to when they think they're being scraped by an AI bot.

We could provide a pool of servers that would provide the link maze. Front-end proxies would just bounce you between all the pool members, feeding your bot nonsense.

I made the executive decision to flip the way the rules work in the SwitchyOmega extension.

Now by default the browser goes through ShadowSocks, and only selected resources go direct.

After the utterly insane batch-blocking of foreign data centers, maintaining the list became too much work. Besides, it had long since stopped fitting within the limit the extension can synchronize.

For the love of god if you're trying to convince your employer or an organization to "come over" to the #Fediverse, do NOT under any circumstances suggest that they set up a #Mastodon #instance!

Mastodon is the ONLY Fediverse platform that ... by default ... forces #server #admins to #cache, #copy, and #proxy all #media that passes through its server. This means that not only are server admins paying to host the media their users #upload, but they have to pay to host the media everyone else on the fucking fediverse uploads as well.

Other platforms offer this feature, but Mastodon is the only one that has this turned on by default.

This results in Mastodon server admins having to shell out thousands of dollars each month in #S3 hosting costs for no reason whatsoever.

There are much better alternative instance platforms than Mastodon.


Why are you still using my server for your internet access - Thomas Boejstrup Johansen

Ah, WPAD — now that's a name I haven't heard in a long time.

Short for "Web Proxy Auto-Discovery", WPAD is a protocol for machines on local networks to get their proxy configuration. Invented by Netscape in 1996, this protocol has been deprecated for a LONG time — in 1999, today marking its 25th anniversary.

WPAD is pretty simple — it uses the network name of the user's machine to search for a wpad.dat file, going from more specific to broad. For example, if the network name is pc.team.dep.org.com, a WPAD implementation will try to fetch wpad.team.dep.org.com/wpad.dat, wpad.dep.org.com/wpad.dat and wpad.org.com/wpad.dat in order as long as the last one wasn't found.

wpad.dat is a Proxy Auto-Config (PAC) file - a JavaScript file running in a limited environment. It implements a function that takes a URL and decides on the proxy server for the request (or DIRECT, for no proxy).

So why is this interesting? It happens that many implementations do an additional step, stripping the domain all the way to wpad.com/wpad.dat.

This is on the public internet! Thus this implementation takes a PAC file from a stranger and uses it as the device's proxy configuration.

Luckily, notable WPAD TLDs — com, org, and net — are protected and cannot be registered. However, others are fair game!

In his excellent talk, Thomas reveals that he was able to register wpad.dk (the TLD for Denmark) alongside a few more.

He set up a simple PAC file directing all traffic back to p.wpad.dk, with interesting information like the domain, private and public IP addresses of the client. The proxy always responds with an error message, while Thomas was able to record details about the access.

Here are the stats: 90K requests a day, totaling a whopping 1.1 billion (!!) requests in a year. They span the entire world but come mostly from Europe.

The HTTP GET requests were made to many file extensions, like thousands of credentials and over half a million executables. About 200k URLs also included credentials in parameters! Interestingly, the server has received POST requests too, with their entire body!

The clients' User-Agents show how the WPAD issue is not solely a Microsoft problem but spans almost every possible client in existence — Linux, Apple, and many distinct applications are affected.

During his research, Thomas also looked at wpad.dat files on other TLDs, finding some suspiciously malicious — one redirecting unencrypted requests through their proxy, and another one stealing ad requests, possibly for revenue theft!

The talk is great, containing hilarious tidbits about the research and the feedback form on the proxy. These vulnerabilities display both the ingenuity of researchers and the difficulty of fully deprecating a problematic service once it's deeply ingrained in systems.

#DEFCON #wpad #vulnerability #proxy

youtube.com/watch?v=uwsykPWa5L
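The search order described in the post, as an added illustration (not code from the talk): the function below builds the candidate wpad.dat URLs for a hostname and shows the one rule that keeps the lookup inside the organisation, namely stopping before the parent domain becomes a public suffix. The suffix set is a small constructed sample; a real client is assumed to consult the full Public Suffix List instead.

```python
from typing import Iterable, List

# Constructed sample only; a real implementation would load the full
# Public Suffix List (publicsuffix.org) rather than this handful of entries.
SAMPLE_PUBLIC_SUFFIXES = {"com", "org", "net", "dk", "uk", "co.uk"}


def wpad_candidates(hostname: str,
                    public_suffixes: Iterable[str] = SAMPLE_PUBLIC_SUFFIXES,
                    stop_at_public_suffix: bool = True) -> List[str]:
    """Return the wpad.dat URLs a WPAD client would try, most specific first.

    With stop_at_public_suffix=True the walk ends as soon as the parent domain
    is a public suffix, so the client never asks wpad.<tld> (or wpad.co.uk)
    for its proxy configuration.  With False it mimics the over-eager
    implementations from the talk, which strip all the way to wpad.<tld>.
    """
    suffixes = set(public_suffixes)
    labels = hostname.lower().rstrip(".").split(".")
    urls: List[str] = []
    # Drop the host label first; every remaining parent domain is a candidate.
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if stop_at_public_suffix and parent in suffixes:
            break
        urls.append(f"http://wpad.{parent}/wpad.dat")
    return urls


def leaks_to_public_internet(hostname: str,
                             public_suffixes: Iterable[str] = SAMPLE_PUBLIC_SUFFIXES) -> List[str]:
    """URLs the unsafe walk would fetch from domains the organisation does not own."""
    safe = set(wpad_candidates(hostname, public_suffixes, True))
    return [u for u in wpad_candidates(hostname, public_suffixes, False) if u not in safe]
```

For the post's example host pc.team.dep.org.com the safe walk yields three URLs ending at wpad.org.com, while the unsafe walk adds wpad.com; for a host under co.uk it would additionally ask wpad.co.uk and wpad.uk.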

Replied in thread

@simplex

Can the #private #secure #simplex #chat msgr be blocked by countries like how Signal #Msgr was recently blocked by #Russia?

If so, does #simpleXchat have a workaround to allow #sxc users to still communicate with each other? Signal #IM has a global #self-hosted #proxy programme for the broader global community for volunteers who can spin up a proxy to keep the #Signal chatter flowing in those affected regions.

simplex.chat

#fediverse

Continued thread

…but in case any of you want to do something similar, here’s me mocking a WritableStream using a Proxy to provide mock stdout and stderr streams to Console instances to capture the output and save them in my database:

codeberg.org/kitten/app/src/br

And here’s the actual monkeypatching code:

codeberg.org/kitten/app/src/br
