Speaking of WAF(s) / Web Application Firewalls – I actually had forgotten that not only have I designed a new WAF from scratch, but I’ve actually implemented it already, and done some local testing. I just haven’t put it into production yet… What do you think @aelaraji@aelaraji.com ? 🤔 https://git.mills.io/prologic/caddy-waf
Fark me 🤦♂️ I woke up quite late today (after a long night helping/assisting with a Mainframe migration last night for work) to abusive traffic and my alerts going off. The impact? My pod (twtxt.net) was being hammered by something at a request rate of 30 req/s (there are global rate limits in place, but still…). The culprit? Turned out to be a particular IP 43.134.51.191 and after looking into who owns that IP I discovered it was yet-another-bad-customer-or-whatever from Tencent, so that entire network (ASN) is now blocked from my Edge:
+# Who: Tentcent
+# Why: Bad Bots
+132203
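Review bot: the Who line misspells the operator as "Tentcent"; since this comment is the only record in the file of why AS132203 is blocked, correct it to Tencent (the post above names Tencent) so a later grep or audit of the list finds the entry. It would also help to note the triggering IP (43.134.51.191) and the date on the Why line: a whole-ASN block made in response to one abusive client is coarse and is the kind of entry you want to be able to revisit later.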
Total damage?
$ caddy-log-formatter twtxt.net.log | cut -f 1 -d ' ' | sort | uniq -c | sort -r -n -k 1 | head -n 5
61371 43.134.51.191
402 159.196.9.199
121 45.77.238.240
8 106.200.1.116
6 104.250.53.138
61k reqs over an hour or so (before I noticed), bunch of CPU time burned, and useless waste of my fucking time.
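The `cut | sort | uniq -c` pipeline above gives totals per IP, but it hides the burst rate that actually tripped the alert. As an added example, not code from the post, from yarnd or from the caddy-log-formatter tool, here is a small Go program that reads Caddy's JSON access log directly (the `ts` Unix-seconds field and `request.remote_ip`, both of which Caddy emits), counts requests per client and also tracks the peak one-second rate, so a 30 req/s burst stands out even in an hour-long log. The log lines embedded in it are constructed, not a real capture; the 5 req/s threshold used in `main` is an assumption for the demo, not a recommended limit.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"math"
	"sort"
	"strings"
)

// Entry is the subset of a Caddy JSON access-log record we need: "ts" is Unix
// seconds (float64), the client address is request.remote_ip. Other fields
// in the record are ignored by encoding/json.
type Entry struct {
	TS      float64 `json:"ts"`
	Request struct {
		RemoteIP string `json:"remote_ip"`
	} `json:"request"`
}

// Talker summarises one client IP over the whole log.
type Talker struct {
	IP      string
	Count   int // total requests, what `cut | sort | uniq -c` reports
	PeakRPS int // most requests in any single one-second bucket
}

// ParseAccessLog reads newline-delimited JSON. Blank or unparsable lines are
// skipped, not fatal: a log still being written usually ends in a torn record.
func ParseAccessLog(r io.Reader) ([]Entry, error) {
	var out []Entry
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // bot URIs get long
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue
		}
		out = append(out, e)
	}
	return out, sc.Err()
}

// TopTalkers aggregates per client IP and returns the n busiest, busiest first.
// Bucketing by second exposes a burst that an hourly total averages away.
func TopTalkers(entries []Entry, n int) []Talker {
	buckets := map[string]map[int64]int{} // ip -> unix second -> requests
	for _, e := range entries {
		ip := e.Request.RemoteIP
		if buckets[ip] == nil {
			buckets[ip] = map[int64]int{}
		}
		buckets[ip][int64(math.Floor(e.TS))]++
	}
	talkers := make([]Talker, 0, len(buckets))
	for ip, perSecond := range buckets {
		t := Talker{IP: ip}
		for _, c := range perSecond {
			t.Count += c
			if c > t.PeakRPS {
				t.PeakRPS = c
			}
		}
		talkers = append(talkers, t)
	}
	sort.Slice(talkers, func(i, j int) bool {
		if talkers[i].Count != talkers[j].Count {
			return talkers[i].Count > talkers[j].Count
		}
		return talkers[i].IP < talkers[j].IP // deterministic order for ties
	})
	if n < len(talkers) {
		talkers = talkers[:n]
	}
	return talkers
}

// OverRate returns the IPs whose peak one-second rate reached limit: block
// candidates rather than clients that are merely chatty over an hour.
func OverRate(talkers []Talker, limit int) []string {
	var ips []string
	for _, t := range talkers {
		if t.PeakRPS >= limit {
			ips = append(ips, t.IP)
		}
	}
	return ips
}

// SampleLog is constructed in Caddy's access-log shape, not a real capture.
// The last line is deliberately torn to exercise the skip path.
const SampleLog = `
{"ts":1757595001.1,"request":{"remote_ip":"43.134.51.191","uri":"/external?uri=https%3A%2F%2Fa.example"},"status":200}
{"ts":1757595001.3,"request":{"remote_ip":"43.134.51.191","uri":"/external?uri=https%3A%2F%2Fb.example"},"status":200}
{"ts":1757595001.5,"request":{"remote_ip":"43.134.51.191","uri":"/external?uri=https%3A%2F%2Fc.example"},"status":200}
{"ts":1757595001.5,"request":{"remote_ip":"159.196.9.199","uri":"/"},"status":200}
{"ts":1757595001.7,"request":{"remote_ip":"43.134.51.191","uri":"/external?uri=https%3A%2F%2Fd.example"},"status":200}
{"ts":1757595001.9,"request":{"remote_ip":"43.134.51.191","uri":"/external?uri=https%3A%2F%2Fe.example"},"status":200}
{"ts":1757595002.05,"request":{"remote_ip":"43.134.51.191","uri":"/external?uri=https%3A%2F%2Ff.example"},"status":200}
{"ts":1757595002.2,"request":{"remote_ip":"45.77.238.240","uri":"/twt/dokh7ca"},"status":200}
{"ts":1757595002.4,"request":{"remote_ip":"43.134.51.191","uri":"/external?uri=https%3A%2F%2Fg.example"},"status":429}
{"ts":1757595003.0,"request":{"remote_ip":"159.196.9.199","uri":"/feed"},"status":200}
{"ts":1757595003.5,"request":{"remote_ip":"43.134.`

func main() {
	entries, err := ParseAccessLog(strings.NewReader(SampleLog))
	if err != nil {
		panic(err)
	}
	for _, t := range TopTalkers(entries, 5) {
		fmt.Printf("%6d  peak %2d req/s  %s\n", t.Count, t.PeakRPS, t.IP)
	}
	fmt.Println("at or over 5 req/s:", OverRate(TopTalkers(entries, 5), 5))
}
```

Point it at a real file with `ParseAccessLog(os.Open(...))` in place of the embedded sample; the per-second bucket is what tells a scraper that fires 30 requests in one second apart from a feed reader that polls politely all day, and it is the number a rate-limit rule should be tuned against.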
[2025/09/11 12:56:01.816] ⇒ please set config.host when trying to run "bbycll". How to bypass that tiny hurdle?
Adding to this. The configuration example at the repository reads:
{
"nick": "Example",
"description": "alice's twtxt instance!",
"host": "twtxt.example.com",
"admin": "alice"
}
Would it make more sense changing nick to instance_name or similar? Usually nick is reserved for users, like here, quark. Right? Also, is host the same FQDN to be used while proxying traffic to the application? That is, using the above configuration, its Caddy configuration would be:
twtxt.example.com {
encode
reverse_proxy :31212
}
Is that correct?
Honestly for these types of services, there probably isn’t much point, as the layer4 module in Caddy doesn’t do inspection/filtering anyway I think? 🤔
@prologic@twtxt.net I forgot to ask you about this. Did you end up using TLS with Caddy, or did you use something else?
Anyone want to help me alpha/beta test the new WAF I’m building? It’s a Caddy module. 🤔
Security updates for Tuesday
Security updates have been issued by AlmaLinux (glibc, php:8.1, and thunderbird), Debian (libreoffice), Fedora (caddy), Mageia (chromium-browser-stable), Red Hat (php:8.1), SUSE (glow), and Ubuntu (kicad, linux-aws-5.15, linux-azure-nvidia, linux-gcp-5.15, mistral, python-mistral-lib, tomcat8, and trafficserver).
Today I added support for Let’s Encrypt to eris via DNS-01 challenge. Updated the gcore libdns package I wrote for Caddy, Maddy and now Eris. Add support for yarn’s cache to support # type = bot and optionally # retention = N so that feeds like @tiktok@feeds.twtxt.net work like they did before, and… Updated some internal metrics in yarnd to be IMO “better”, with queue depth, queue time and last processing time for feeds.
@movq@www.uninformativ.de noted! i did try something like this but it wouldn’t connect on anything without the SSL stuff, which is normally handled by caddy for me but i can’t use certbot with caddy on so i’m stuck there LOL
irc.mills.io running behind Caddy Layer 4. However I don't terminate TLS at the edge in this case.
@prologic@twtxt.net oh yeah i had to build caddy with the L4 plugin to get this support. but i should pop into your server sometime james!!
@bender@twtxt.net oh yeah that’s true, it’s just that i have caddy on a different machine than where i’d host ergo so that’s what worries me :‘)
@bender@twtxt.net How do you mean? 🧐 Caddy doesn’t do L4 by default.
@prologic@twtxt.net I got confused as one can simply proxy through Caddy. Duh! 😅
@kate@yarn.girlonthemoon.xyz I already have my IRC server irc.mills.io running behind Caddy Layer 4. However I don’t terminate TLS at the edge in this case.
@kat@yarn.girlonthemoon.xyz you can let Caddy do it, and reuse the same certificates for Ergo (just enter the certificate/key path on Ergo). Once set Caddy will keep them current.
@bender@twtxt.net also an interesting option! i think i’m most worried about the cert stuff because i just let caddy handle that for me so i’m not sure how to get files from certbot for that (i had issues with that yesterday) but i can look into it and just toy around with it
@prologic@twtxt.net oooh this looks interesting!!! maybe i could play around with it in docker and see how to integrate it with caddy layer4 for TLS + my existing web client and bouncer!!
AS136907 HWCLOUDS-AS-AP HUAWEI CLOUDS
@prologic@twtxt.net This shi_ is as fun as it is frustrating! 😆 the bot is poking at me from a different ASN now, Alibaba’s.
- Short term solution: I’ve geo-locked my Timeline instance since I’m the only one using it (and I only do so for reading twts when I’m away from terminal).
- Long term: I took a look at your Caddy WAF but couldn’t figure things out on my own; until then, I’ll be poking at Caddy-Defender, maybe throw in a Crowdsec for lols… #FUN
hey everyone i’ve spent my whole day trying to set up soju + gamja in docker and now i am down a rabbit hole of building caddy with layer4 support and trying to get TLS for my IRC server and NOTHING IS WORKING
@kat@yarn.girlonthemoon.xyz I actually have experience building Caddy modules hmmm 🧐
@kat@yarn.girlonthemoon.xyz think i’ll wait and see if the caddy module proposal gets anywhere bc that sounds like it’d make my life easier lol
i tried deploying anubis (https://github.com/TecharoHQ/anubis) to protect my site superlove but yall i got so stuck with getting it behind caddy that i felt super dumb and gave up for now T_T
John-Doggett releases ‘Monerod Node Setup Scripts’ v0.4.0
John-Doggett has released Monerod-Node-Setup-Scripts version 0.4.0 with a bugfix for the certificate renewals script and various improvements:
This release fixes an issue with the watch_certificates_xmr.sh script that checks the certificate from caddy and copies it over to monerod. If you have an existing install using HTTPS, you must download the new watch_certificates_xmr.sh and …
Skill Issues of course, but that's going away next as soon as I get my php-fpm shi_ together.
@prologic@twtxt.net I’d stumbled upon #FrankenPHP while reading through #Caddy stuff and thought maybe it’s a bit overkill for what I need it for, but then again, it will be just a “one container in for two out”, that’s a win in my book 😆
@aelaraji@aelaraji.com FUCK YEAH CADDY
You can use php-fpm via php_fastcgi in #Caddy
FINALLY!! Got #Caddy server up and running and got rid of nginx proxy manager and Mysql database containers 🥳🥳🥳
@prologic@twtxt.net I know! I know! 🤣 and it feels like I won’t be either, at least for a while … On the bright #Go side, I’m trying to switch everything (static web stuff and reverse-proxy) to #Caddy
prologic/caddy-gcore: Caddy DNS provider for GCore - caddy-gcore - Mills
EdgeGuard is a self-hosted solution that combines secure tunneling, proxying, and automation to create your own private cloud. Utilizing Wireguard for VPN, Caddy for reverse proxying, and Coraza for web application firewall, EdgeGuard allows you to securely expose your home network services (such as Gitea, Poste.io, etc.) to the …
@prologic@twtxt.net i would be very interested in this as a caddy user who needs a WAF probably lol
I’ll try to add a README for caddy-waf soon™ (going back to bed now), at least to document the customizations I’ve made to this WAF (which I forked from caddy-coraza)
This is how I build my caddy:
proxy-1:~# cat build.caddy.sh
#!/bin/sh
xcaddy build \
--with github.com/caddy-dns/cloudflare \
--with github.com/caddyserver/cache-handler \
--with git.mills.io/prologic/caddy-ratelimit \
--with git.mills.io/prologic/caddy-waf
proxy-1:~#
Ahh fuck! Sorry I was fixing a rule 🤣 This is much better!
proxy-1:~# grep -c 'Bad ASN' /var/log/caddy/caddy.log
2441
@bender@twtxt.net Yes they are rather large 🤣 Here you go:
proxy-1:~# cat /etc/caddy/waf/bad_asns.txt
# CHINANET-BACKBONE No.31,Jin-rong Street, CN
# Why: DDoS
4134
# CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
# Why: DDoS
4837
# CHINAMOBILE-CN China Mobile Communications Group Co., Ltd., CN
# Why: DDoS
9808
# FACEBOOK, US
# Why: Bad Bots
32934
proxy-1:~ …
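The bad_asns.txt format shown above is a small comment block (the operator, then a "# Why:" line) followed by the ASN on its own line. As an added example, not code from caddy-waf, caddy-coraza or Coraza, here is a Go parser for that format that builds a map keyed by ASN with the reason attached, accepts both a bare number and the "ASnnnn" spelling, tolerates a trailing comment after the number, and rejects anything else with a line number, which is what you want to see before a list like this is loaded into the edge proxy. The sample list is constructed from the entries shown on this page (with the Tencent entry from the diff at the top); it is not the real /etc/caddy/waf/bad_asns.txt. The IP-to-ASN lookup that a WAF performs before consulting such a list is outside this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Reason is why an ASN is listed, taken from the comment lines that precede
// its number: the first comment names the operator, "# Why:" gives the cause.
type Reason struct {
	Who string
	Why string
}

// ParseASNList reads the one-ASN-per-line format: '#' comment lines annotate
// the next ASN, and a bare number or "ASnnnn" (optionally with a trailing
// comment) closes the block. Anything else is an error with its line number,
// which is what you want to see before the list is loaded at the edge.
func ParseASNList(r io.Reader) (map[uint32]Reason, error) {
	list := map[uint32]Reason{}
	var pending Reason
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, "#") {
			body := strings.TrimSpace(line[1:])
			switch lower := strings.ToLower(body); {
			case strings.HasPrefix(lower, "why:"):
				pending.Why = strings.TrimSpace(body[4:])
			case strings.HasPrefix(lower, "who:"):
				pending.Who = strings.TrimSpace(body[4:])
			case pending.Who == "":
				pending.Who = body // older entries name the operator with no "Who:" tag
			}
			continue
		}
		if i := strings.Index(line, "#"); i >= 0 { // trailing comment after the number
			line = strings.TrimSpace(line[:i])
		}
		asn, err := strconv.ParseUint(strings.TrimPrefix(strings.ToUpper(line), "AS"), 10, 32)
		if err != nil || asn == 0 {
			return nil, fmt.Errorf("bad_asns line %d: %q is not an ASN", n, line)
		}
		list[uint32(asn)] = pending
		pending = Reason{} // comments do not carry over to the next entry
	}
	return list, sc.Err()
}

// Blocked reports whether asn is on the list and why. The IP-to-ASN lookup
// that produces asn (GeoIP/ASN database, BGP data) happens before this call.
func Blocked(list map[uint32]Reason, asn uint32) (Reason, bool) {
	r, ok := list[asn]
	return r, ok
}

// SampleList is constructed from the entries shown on this page; it is not
// the real /etc/caddy/waf/bad_asns.txt.
const SampleList = `
# CHINANET-BACKBONE No.31,Jin-rong Street, CN
# Why: DDoS
4134

# CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
# Why: DDoS
4837

# Who: Tencent
# Why: Bad Bots
AS132203   # the ASN from the diff at the top of the page

# FACEBOOK, US
# Why: Bad Bots
32934
`

func main() {
	list, err := ParseASNList(strings.NewReader(SampleList))
	if err != nil {
		panic(err)
	}
	for _, asn := range []uint32{4134, 132203, 136907} {
		if r, ok := Blocked(list, asn); ok {
			fmt.Printf("AS%d blocked: %s (%s)\n", asn, r.Why, r.Who)
		} else {
			fmt.Printf("AS%d allowed\n", asn)
		}
	}
}
```

Keeping the Who/Why text attached to the parsed entry is the point: when a "Bad ASN" line shows up in the Caddy log, the reason can be logged with it, and a list entry whose comment block is missing or malformed fails at load time instead of silently blocking a network nobody can later explain.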
@bender@twtxt.net So you mean, get fail2ban to look at my Caddy audit logs for violations and then just block at the firewall level for repeated violations? 🤔
Nice! I wrote another useful tool 👌
proxy-1:~# ./audit-log-by-ip.sh 4.227.36.76 | coraza-log-formatter -m -
Actionset: OWASP_CRS/4.7.0
Message: Bad User Agent
Severity: 0
Raw: SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/caddy/waf/bad_user_agents.txt" "id:2000,log,phase:1,deny,msg:'Bad User Agent'"
How in da fuq do you actually make these fucking useless AI bots go way?
proxy-1:~# jq '. | select(.request.remote_ip=="4.227.36.76")' /var/log/caddy/access/mills.io.log | jq -s '. | last' | caddy-log-formatter -
4.227.36.76 - [2025-01-05 04:05:43.971 +0000] "GET /external?aff-QNAXWV=&f=mediaonly&f=noreplies&nick=g1n&uri=https%3A%2F%2Fmy-hero-ultra-impact-codes.linegames.org HTTP/2.0" 0 0
proxy-1:~# date
Sun Jan 5 04:05:49 UTC 2025
😱
Having a lot of fun with Coraza today. A Web Application Firewall library written in Go that also happens to have a Caddy module.
@prologic@twtxt.net oh yeah i had to do a custom caddy build for that once but then i reverted because i didn’t need it anymore (well i kinda do but for now i’m just manually doing it instead of wildcard certs/TLS on demand i’m lazy af). otherwise i love caddy
@kat@yarn.girlonthemoon.xyz So far it’s been alright. I wasn’t too impressed with Caddy’s logging capabilities though, or the fact you have to custom build caddy just to support the DNS-01 ACME challenge. But other than that, it’s okay.
@prologic@twtxt.net YAYYY fuck cloudflare!!! caddy+wireguard amazing combo
I am now proud to say, that as of this moment, I am off of Clownflare 🤣 Still using Cloudflare for DNS, but no longer proxying through their services or terminating TLS at their edge. Instead, all my sites and services now terminate TLS on my own edge proxy running Caddy+Wireguard (so all ingress is actually egress 🤣) 🥳 #Clownflare #Cloudflare
Finally spending the time/effort today (on my day off) to see if I can get a working prototype and proof-of-concept self-hosted alternative to Clownflare going. Components I’m using so far are: Alpine Linux (may swap this out for µLinux at some point), Wireguard, Caddy.
John-Doggett creates public XMR node setup script
John-Doggett has created a Bash script that helps users automatically configure public Monero nodes with support for HTTPS on Debian:
It uses Caddy to create a public website on your node, as well as renewing LetsEncrypt certificates. [..] Let me know what you all think
Usage instructions are available on GitHub.
Note: inspect the code before running the script.
- https:/ …
Idk about other pubnixes but i can freely edit caddy config (or change webserver and use other config format)
@doesnm@doesnm.p.psf.lt Do you have a sample Caddy log file you can supply? I’ll see if we can improve the tool 👌
how to parse caddy access log with useragent tool? seems it dont detect anything in json
Starting a couple of new projects (geez where do I find the time?!):
HomeTunnel:
HomeTunnel is a self-hosted solution that combines secure tunneling, proxying, and automation to create your own private cloud. Utilizing Wireguard for VPN, Caddy for reverse proxying, and Traefik for service routing, HomeTunnel allows you to securely expose your home network services (such as Gitea, Poste.io, etc.) to the Internet. With seamless automation and on-demand TLS, HomeTunnel gives you the power to manage your own cloud-like environment with the control and privacy of self-hosting.
CraneOps:
craneops is an open-source operator framework, written in Go, that allows self-hosters to automate the deployment and management of infrastructure and applications. Inspired by Kubernetes operators, CraneOps uses declarative YAML Custom Resource Definitions (CRDs) to manage Docker Swarm deployments on Proxmox VE clusters.
@prologic@twtxt.net +1 for FrankenPHP. And built into caddy is also swell.
I finally gave in and tried out Caddy. It’s about as great as everyone says it is.
password is generated using caddy hash-password
yup! just need to add the webdav extension and configure it up a path and user/pass. caddy handles everything else.
Putting an end to promotions once and for all
Despite Bruno Le Maire’s exhortations, inflation is still making itself felt: the household shopping basket (or rather, the supermarket caddie) keeps costing more and more, up by more than 20% in two years, as Le Parisien recently noted. At first glance, one might think that […]
I setup Joplin with caddy as the WebDAV server. Works okay. The e2e encryption can get messed up sometimes. Supports markdown and images.
Another change in my infrastructure setup: I replaced rathole with Chisel. There wasn’t any particular reason, I use it in the same way: it’s making a few services and websites hosted on my home server available on my VPS to publish using Caddy and a static IP. Chisel is just a bit more simple to configure using command line flags. And it’s written in Go.
I don’t know a lot about HTTP/3. But today I updated Caddy to version 2.6 and my sites should support HTTP/3 by default now. More speed? 🤔
rathole - ngrok alternative
Some time ago I tried to make my Nitter instance available on the Internet from home via Tailscale, Caddy and an own building block in between, but stopped it again a short time later because it didn’t work that well somehow. Today I found out about rathole, and what can I say? It works great and seems to be much faster than my previous solution!
I am using Nitter, an alternative interface for Twitter, just in case I want to read a thread on Twitter. Previously I hosted the instance directly on my VPS. Now, however, I host the Nitter instance at home, but make it available on the Internet through Tailscale, a little program I wrote called “ProxyExposer”, and Caddy. 🤓 I also briefly tried publishing a WordPress instance from home to the web this way. But I don’t have a use case for WordPress at the moment.
@prologic@twtxt.net @thewismit not sure.. im using Caddy instead of nginix
